
Standard 10 - Risk Management



  1. The UNF Chief Information Security Officer (CISO) must maintain an accurate inventory of information resources and associated owners.
  2. Information resource owners. For information resources under their authority, owners must, in consultation with the CISO:
    1. Define, approve, and document acceptable risk levels and risk mitigation strategies; and
    2. At least annually, conduct and document risk assessments to determine the risk to those resources and the inherent impact that could result from their unauthorized access, use, disclosure, disruption, modification, or destruction.
  3. Information resources custodians. Custodians of mission critical information resources must implement approved risk mitigation strategies and adhere to information security policies and procedures to manage risk levels for information resources under their care.
  4. The CISO must ensure that annual information security risk assessments are performed and documented by each owner of information resources.
  5. Research and Sponsored Programs. In collaboration with the Office of Research and Sponsored Programs (ORSP) and the CISO, investigators must perform security assessments of the implementation of required security controls (i.e. control objectives, controls, policies, processes, and procedures for information security) for research and/or sponsored programs under their authority. Security assessments must be performed annually based on risk.
  6. Risk Assessment of Third-party Service Providers. A risk assessment of a third-party service provider is required in the following situations:
    1. When purchasing services, systems or software, whether hosted on premises or at a vendor facility, if University data will be stored within or processed by the service, system or software.
    2. For existing services, systems or software, when a significant change in either the environment or the risk rating has occurred.
  7. Information security risk assessments shall use a risk management framework and process defined by the CISO.
  8. Risk Acceptance. Decisions relating to acceptance of risk must be documented and are to be made by:
    1. The information resource owner, in consultation with the CISO or designee, for resources with a low or moderate residual risk.
    2. The CIO, or designee, considering the recommendations of the owner and the CISO, for resources with a high residual risk.
