When are Security Reviews required?
- For all technology purchases over $5,000, whether by a central unit or college.
- When Restricted data is involved, such as CUI, HIPAA, PCI and others.
- For cloud products and services that store or process Restricted or Controlled data.
- For research projects with security clauses – contact Laura Elkin (email@example.com).
- For integrations into existing university technology that permit third party access to university systems or data.
What types of security reviews do we perform?
- Contract reviews – agreements with third parties are reviewed for contractual language around proper data management and security controls. These are common for cloud services and consulting engagements.
- Technology purchase reviews – performed when a department is planning to purchase a new technology system or service.
- Research project review – performed in collaboration with the Office of Research for projects that require compliance with NIST, CMMC or FedRAMP.
- Implementation review – performed when new systems or services being implemented may store or transmit Restricted data or fall under specific regulatory requirements.
What happens during a security review?
- The process starts with a requestor completing the security review form on the OIS website (See red Security Review button at the top of this page)
- A risk rating is assigned to the review based on the submitted information, which determines how detailed the review needs to be:
  - Low – Data involved is intended for public disclosure (Public data); loss of confidentiality, integrity or availability of the data or system would have no adverse impact on the university.
  - Medium – Data involved is not generally available to the public (Controlled data); loss of confidentiality, integrity or availability of the data or system could have a moderate impact on the university.
  - High – Data involved is required to be protected by law or regulations (CUI or Restricted data); loss of confidentiality, integrity or availability of the data or system could have a significant impact on the university. (For further explanation of university data classifications, please refer to the Data Governance and Classification Policy.)
- The OIS team will review submitted information and ask supplemental questions.
- The security team performs research, identifies potential risks to the university, and documents recommendations.
- Recommendations are shared with the requesting department.
- Department IT works with the vendor to address security recommendations.
- Evidence of remediation is submitted to OIS, and remaining risks are evaluated.
- Any unremediated risks are brought to the attention of the business to accept or decline.
- A final disposition on the security review is documented.
- OIS is responsible for supporting technology implementations for the entire university. A typical security review process takes 2-4 weeks. A longer timeframe, up to 12 weeks, may be necessary for complex projects or those involving university Restricted data.
Please note: The Office of General Counsel may delay a contract signature in order to add a “Data Security Rider”. This document outlines university expectations for data security from a third party: Data Security Rider
How Can I Help the Security Review Process?
- Designate a business and technical point of contact. A local IT representative is a great resource for this!
- Collect as much documentation as you can before you submit your request. Some helpful information to include:
  - Contracts, service level agreements (SLAs), user license agreements (ULAs), memorandums of understanding (MOUs), privacy notices, HECVAT.
  - Business purpose of the request. Understanding the goals of the project will help us ask the right questions.
  - Data types involved and data flow diagrams.
  - What other university systems are involved?
- Engage with us in a timely manner to avoid delays.
- If your project involves Restricted university data, an approval is required from the Data Trustee(s). For example, for student data (FERPA) the Data Trustee is the Office of Registrar.