The university has a policy that requires any piece of software or hardware to be evaluated for risks to the institution. It is the responsibility of every employee at the university to follow the policy. The full policy can be found online at https://it.ufl.edu/it-policies/information-security/risk-management-policy/
Some of the reasons this policy is in place include:
- Protecting UF data from accidental release (data breaches). This is especially important in cases where breaches of certain data types (patient data, student records, etc.) may result in fines to the institution.
- Protecting UF intellectual property. Some software and hardware licenses have a clause that transfers ownership of data from the institution to the vendor.
- Alignment with UF services. For example, because the institution provides high performance computing services through HiPerGator, there is probably no real need for a researcher to purchase and build out their own computing cluster.
The risk assessment process begins by submitting a request (“intake”) through the UF Integrated Risk Management System. In some cases, the tool may have already been approved for use at UF through the Fast Path Solutions. In these cases, the Risk Assessment request is simply to register the use of the tool.
It is the responsibility of each person to submit the risk assessment intake for the tools they will need. While CLAS IT information security managers will be able to help answer your questions, we do not have staff that can submit intakes for every researcher in the college.
If a researcher is working with “open” data, meaning data which is public and would not result in financial or legal punitive measures if it were released, they may begin working with the software/hardware once the risk assessment request has been submitted even if the risk assessment is not completed.
However, in situations where researchers are working with restricted data types that are protected by contract, policy or law, such as export controlled (ITAR) data, the risk assessment should be completed before acquisition and use of the software/hardware. Because the risk assessment process may take some time between submission and completion, if you are working with restricted data you should plan ahead and submit your risk assessments early.
This fall, CLAS IT will be developing documentation and tutorials to assist researchers in the college with the risk assessment process, with an eye towards distribution over the winter.
More information on the Risk Assessment Program may be found at the Integrated Risk Management website.