Policy Number: 12-017

Information Technology Rationalization Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


  1. Purpose To rationalize information technology services to enable innovation, increase efficiency, reduce complexity, lower costs, and improve security of the computing environment.

  2. Applicability This policy applies to the University of Florida, including the distributed service organizations (DSOs), and auxiliaries.

  3. Definitions

    IT Rationalization: The process of making decisions about how an organization buys and uses its computers, software and resources so they are as effective as possible.

    UF Senior Leadership: The Senior leader of a college or university administrative unit such as a Dean, Vice President, or Director of a unit reporting directly to the Provost.
  4. Policy Statement To promote the rational use of information technology resources and ensure UF data is secured consistent with UF-wide IT and information security policies and standards, units must:
    • Use university enterprise IT services and infrastructure whenever available. 
    • Utilize external IT services (including ‘cloud’) that have been approved, contracted, and managed by the university.
    • Refrain from using IT services, software, technology, and infrastructure that have been prohibited, unless a specific exception has been approved by the Vice President and Chief Information Officer.
    • Obtain documented approval from the UF Senior Leadership and the Vice President and Chief Information Officer before implementing information systems that store, process, or transmit sensitive or restricted data.

Additional Resources


IT Rationalization Standard

Purpose:

This standard sets the process and criteria used to align the use of unit resources with UF supported IT services and infrastructure.

Standard:

  1. Units will implement procedures to direct faculty, staff, and students to make use of UF supported or contracted IT services and infrastructure whenever available. UF supported IT services are documented in the UFIT Service Catalog and Integrated Risk Management (IRM) Fast Path list.
  2. Units will implement procedures to prohibit the use of Fast Path Solutions listed as ‘Not Permitted’ on UF owned devices or for university business. Any item listed as ‘Not Permitted’ on the Fast Path Solutions website should be immediately removed or discontinued, unless an exception has been approved by submitting a request using the UF Integrated Risk Management system.
  3. Units will submit requests to coordinate the provisioning of proposed information systems and IT infrastructure using the UF Integrated Risk Management system. UFIT will evaluate requests for alignment with UF supported services and make recommendations for UF supported services or infrastructure when applicable.
  4. When UF supported services or infrastructure are not available to fulfill a unit need, such as a requirement for specialized systems to conduct research, the UF Integrated Risk Management process will serve as documentation and approval of the exception.
  5. The UF Integrated Risk Management system will be used to document the approval of the UF Senior Leadership and the Vice President and Chief Information Officer (CIO), for information systems and/or services that store, process, or transmit sensitive or restricted data.
  6. Information systems and services in use as of the original approval date of the IT Rationalization Policy are granted an automatic exception until one of the following occurs:
    1. The system is replaced, substantially upgraded, expanded, or modified. This does not include routine maintenance and/or patching.
    2. previously assessed information system becomes due for reassessment.
    3. The hardware or software reaches end of life, when support and/or fixes for defects, flaws, and security issues are no longer available from the developer, vendor, or manufacturer.

3.0075 Security of Data and Related Information Technology Resources


History

Revision Date Description
3/31/2023 Policy originally adopted
Policy updated