Software IT Security Risk Assessment

The University of California (UC) Electronic Information Security policy (BFB IS-3) requires that all systems that create, store, process or transmit data, whether internally at UCSF or externally through a supplier or other third party, be assessed for risk. This applies to all UCSF data, including, but not limited to:

  • Protected Health Information (PHI)
  • Personally Identifiable Information (PII)
  • Payment Card Industry (PCI)
  • Research Health Information (RHI)
  • Family Educational Rights and Privacy Act (FERPA) 
  • Other restricted or sensitive data

UCSF prioritizes the highest-risk systems for a full security risk assessment.

Version Date: August 2023