Information System Pre-Purchase Security Checklist

UF Risk Management
EV0004
IT Products & Services
Security Risk Assessment
Information Security and Privacy Evaluation
The UF IT Risk Assessment process begins with this document. This Security Evaluation helps determine the security fitness of a planned implementation: a new product to be purchased or developed, a major upgrade or enhancement, or the migration of an existing system to be used for purposes other than healthcare or with healthcare-related data.
Please complete as much as you can. If you have questions, feel free to contact the Security Analyst assigned to this project. Please understand that risk assessments can take from 2-12 weeks to complete. The risk team is only one part of the process; when appropriate, we also involve Purchasing, Privacy, Legal, and Contracts and Grants. The more documentation and detail you provide, the faster the process will go. To learn more about the risk management workflow, visit: UF IT Risk Assessment.
For instructions on how to complete this form, visit: Intake Form Instructions
Project/System Name: xxxx
Sponsoring UF Unit: xxxx
The UF Information Security Office has completed a point-in-time assessment of the Project/System Name risk posture. If any changes occur in this system, it is essential that the risk posture be reevaluated. New vulnerabilities and exploits are found almost every day. Some of the most common targets of these attacks are authentication mechanisms, session management, access controls, data stores (injection), faulty application logic, and bypassing client-side controls.
Even when appropriate security measures are taken to protect information systems from internal and external attacks, there is no way to ensure 100% security. Every Internet-connected application and website can potentially be attacked. This Risk Assessment consists of an objective evaluation of risk based on the NIST (National Institute of Standards and Technology) Security Standards, in which assumptions and uncertainties are clearly considered and presented in the recommendations and the known residual risk.
Private data use approved by: Chief Privacy Officer
Signature: _________________________
Name: __Susan Blair_________________
Date: _____________________________

Residual risk accepted by: Sponsoring Dean, Director, or Department Chair
Signature: ____________________________
Name: _______________________________
Date: ________________________________
Page 1
Version 4.1
Part I – Identification (to be filled out by the sponsoring UF Unit)
Identify everything that is known about the planned ownership of and responsibility for the new system or service. Complete and accurate identification information is essential to an expedient evaluation.
Ownership and Responsibility
Project Name
Department
Purchasing/UF Sponsoring Unit
UF Project Customer
IRB Approval #
Lead Administrator
Information Security Manager (ISM)
Find your ISM/ISA
Information Security Administrator (ISA)
Information Security Analyst
Acceptable Downtime: ☐ 0 hours ☐ 24 hours ☐ 72 hours ☐ 2 weeks ☐ As resources become available
Acceptable Data Loss: ☐ 0 hours ☐ 1 hour ☐ 24 hours ☐ 1 week ☐ Data Loss Not Important
FISMA Accreditation Required? ☐ Yes ☐ No
Acceptable Downtime (Recovery Time Objective, RTO) is a measure of the importance of the system to the sponsoring Unit. The Unit should consider and declare how long it is willing to operate without the system in the event of a natural or environmental disaster or a major hardware failure.
Acceptable Data Loss (Recovery Point Objective, RPO) is the point in time to which you must be able to recover data, as defined by your organization. It is generally a statement of what the organization considers an "acceptable loss" in a distressed situation. These parameters are business decisions and are best determined up front so that appropriate design and funding can be planned in advance.
FISMA Accreditation (Federal Information Security Management Act) is required by most federal government contracts and many grants, and entails significant effort to achieve compliance.
Product(s) Being Evaluated
Software:
Hardware:
Services:
Vendor/Developer Contact
System Administration Contact
Technology (answer Yes / No / N/A and add comments)

Is this system or application similar to any other UF Enterprise System?
☐ Yes ☐ No ☐ N/A
Comments: Please provide any comments.

Will this data be stored at UF?
☐ Yes ☐ No ☐ N/A
Comments: [If yes, please provide additional details on location.]

If this project involves the use of PHI, has a BAA been reviewed by Legal and Privacy? (BAA Info)
☐ Yes ☐ No ☐ N/A
Comments: Please attach or provide a link to the location of the document.

If other restricted data is going to be used and a third party has access, is there a confidentiality agreement?
☐ Yes ☐ No ☐ N/A
Comments: Please attach or provide a link to the location of the document. Also provide the name of the Attorney you are working with.

Does this involve external hosting?
☐ Yes ☐ No ☐ N/A
Comments: Please indicate whether this is SaaS, PaaS, or IaaS.
SaaS: Software as a Service (turnkey software service; UF does not manage the underlying infrastructure)
PaaS: Platform as a Service (UF manages the software, but everything else is provided by the cloud vendor)
IaaS: Infrastructure as a Service (UF manages the software and server OS, but everything else is provided by the cloud vendor)

Has risk been assessed previously?
☐ Yes ☐ No ☐ N/A
Comments: [Replace this text with the location of the Risk Assessment document.]

If hosting, has the vendor had an independent assessment performed?
☐ Yes ☐ No ☐ N/A
Comments: [Replace this text with the location of the Risk Assessment document.]

Is remote access required? If yes, how is it provided (VPN, RDP, etc.)?
☐ Yes ☐ No ☐ N/A
Comments: Please describe the remote access method.

Risk
Comments:

Time Estimates
Assessment Time Frame: Approximately 2-12 weeks
Start Date of Assessment:
Estimated End Date:
Project Start Date:
Comments:
Part II - Information to be collected and purpose (to be answered by sponsoring unit)
To understand more about data classification, see: Data Classification Policy
Information Classification Guide
Restricted: Data subject to specific protections under federal or state law or under applicable contracts.
 Protected Health Information – Individually identifiable health information; health information combined with name, medical record number, address, key dates, family members, or any other information that would link a person to their health condition. (http://privacy.ufl.edu/)
 Student Records – Individually identifiable student information; name, UF ID, SSN, or photo in combination with grades, demographics, admissions, schedules, class rosters, financial information, or any other information needed and used by our faculty and staff about our students, with the exception of a limited amount of directory information. (Confidentiality and Privacy Information - FERPA)
 Personal Identification Information – Names combined with SSNs, driver’s license numbers, Florida IDs, any financial account numbers and access codes, or any other information that could be used to commit fraud using someone else’s identity (http://privacy.ufl.edu/); also credit card numbers with or without any other type of identifier.
 Credit cards – Any of Primary Account Number (PAN), cardholder name, expiration date, security code, or PIN. (see University of Florida Merchant Credit Card Policy)
 Export controlled – Data covered by the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). (see Export Control Regulations)
Sensitive: Important for UF to protect, but not protected by law.
 Research work in progress
 Animal research protocols
 Financial information
 Employee performance reviews, disciplinary documentation, compensation
 Risk assessment and security vulnerability information
 Privacy/Security incidents and investigations
 User-identifiable audit records
 Proprietary courseware, software code, or other UF trade secrets
Open: Intended for public use.
 Advertisements
 Job opening announcements
 University catalogs
 Regulations and policies
 Faculty publication titles
 Press releases
Data Types to be Collected
☐ Protected Health Information
☐ Credit or debit card
☐ Financial account
☐ SSN
☐ Financial account
☐ Passport number
☐ Driver’s License or FL ID
☐ Full name
☐ Student grades or records
☐ Date of birth
☐ Other restricted data protected by law, regulations, or contracts
☐ Other (specify below)
☐ Sensitive data
☐ Export controlled (ITAR, EAR)
☐ Open Data
Other Risk Factors
Estimated number of persons whose data will be collected:
Number of users: the approximate number of individuals who directly interact with this system.
Financial impact: an estimate of the university's costs if this system were to be lost.
Could the malfunction or unavailability of this information system pose a substantial or specific danger to the health and safety of a person?
Purpose of Data Collection
☐ Student education
☐ Non-credit activity
☐ University administration (including HR)
☐ Sales of goods or services (non-academic)
☐ Law enforcement
☐ Medical care
☐ Sponsored research
☐ Other (specify below):
1. Describe why the data elements to be collected are required for the purpose(s) indicated
above, and why the desired purpose cannot be accomplished without the indicated data
elements:
Please answer:
Part III – Detailed Description and Demo
Please answer the below questions. If a live demonstration is possible, please work with the security
analyst to schedule a live demonstration of the system to show system functionality and confirm any
information security assertions made by the vendor.
Please include:
1. A detailed description of the purpose of the system, including how the information will be used.
Please answer:
2. For Restricted Data, please include data retention plans. Data retention plans must include:
a. The number of unique personally identifiable information records the system will store at the time it is put into production,
b. The number of records by which the system will grow over a given period of time (month, quarter, and year),
c. The plans to properly destroy the data, and
d. If records are downloaded and stored separately, the medium used and how long the records are retained.
Please answer:
3. A diagram that includes the dataflow and storage locations of Restricted information (SSNs, credit
card numbers, PHI, student records, etc.) that will take place or be permitted in the operation,
support, and use of this information system. (How to create an Information System/Data Flow
Diagram)
a. Indicate firewalls, VLANs, servers, databases, applications, and other infrastructure
components.
b. Indicate who manages each information system component (Ex: UFIT, UF Health, Unit,
vendor, etc.)
c. Indicate on the diagram the service, port, and protocols of each component of the
system.
d. Indicate the authorization boundary. (The Authorization Boundary describes the limits of
the Information System – which pieces are currently being assessed. Information
Systems often depend on other Information Systems, but those other Information
Systems will be assessed independently, and their risk factored into the current
Information System.)
e. Indicate on the diagram methods of user access to the system and the directional flow of
information using arrows.
f. Indicate any connections in which this system may exchange restricted information with
another system.
g. Indicate clearly where any data is transferred to or accessed by any third party, including
vendors, technical support, or outsourced service providers.
Insert Diagram (addressing the above):
Below is a sample Dataflow Diagram (Visio and PPT templates available):
Uses and Disclosures (to be answered by the Sponsoring UF Unit; answer Yes / No / N/A and add comments)

1. If the system and human subject or patient information are to be used for research, has it been reviewed and approved by the UF IRB, and have appropriate waivers or subject authorizations been obtained?
☐ Yes ☐ No ☐ N/A

2. If the system and personal information are to be used for marketing, have (or will) personal authorizations been completed and reviewed and approved by the UF Privacy Office?
☐ Yes ☐ No ☐ N/A

3. If the system and personal information are to be used for fundraising, have (or will) personal authorizations been completed and reviewed and approved by the UF Privacy Office?
☐ Yes ☐ No ☐ N/A

4. If personal information or access to the system will be provided to a 3rd party (anyone who is not a UF workforce member), will a Business Associate Agreement or Confidentiality Agreement be signed with the 3rd party?
☐ Yes ☐ No ☐ N/A

5. If a support vendor will have a logon ID for the system or will be removing hardware from the site for repair or replacement, will a Business Associate Agreement or Confidentiality Agreement be signed with the support vendor?
☐ Yes ☐ No ☐ N/A

6. If the system will be used to store or transmit full or partial social security numbers, has an exemption request been approved by the Privacy Office?
☐ Yes ☐ No ☐ N/A

7. If the system will be used to store or process credit card or other financial account information, have Red Flags policy and standards for identity protection been written and approved by the Privacy Office?
☐ Yes ☐ No ☐ N/A

8. Will all data remain within and under the jurisdiction of the State of Florida? If no, indicate the states of jurisdiction in Part IV – Description.
☐ Yes ☐ No ☐ N/A

9. Will all data remain within and under the jurisdiction of the United States? If no, indicate the countries of jurisdiction in Part IV – Description.
☐ Yes ☐ No ☐ N/A
Part IV – Supporting Documentation
Please attach any DUA, BAA, Confidentiality Agreements, or any other supporting documentation here.