Information Security Reviews

What is an Information Security Review?

Information Security Reviews are necessary to identify and document unmitigated risk that may exist on new or existing university information systems or information technology (IT) solutions and to provide recommendations to mitigate the identified risk. Information Security Reviews must be performed whenever new IT services or equipment are acquired or when significant changes are made to existing systems, infrastructure or services. An Information Security Review, along with the recommended security controls, works to improve the university’s security posture. For additional information, please refer to the Information Security Review Policy.

  

Download the Information Security Review Form.  

When to perform Information Security Reviews?

Information Security Reviews must be performed in the following scenarios:

• Implementation of new information services and systems, or significant changes to existing university information services or systems, that may store or transmit Export Controlled or Restricted data (see the Data Classification and Data Types for additional information).

• Implementation of new critical infrastructure or significant changes to existing critical infrastructure.

• Implementation of a new enterprise system or significant changes to existing enterprise systems.

• Implementation of new systems or significant changes to existing systems that permit third-party access to university systems or data.

• Implementation of cloud services for the storing or processing of Export Controlled, Restricted or Controlled data.

 

How to submit an Information Security Review?

The Information Security Review Form must be completed and submitted via email to the IT@UC Office of Information Security (OIS) at infosec@uc.edu for preliminary review and processing. Once the form is received, OIS will evaluate it and provide the required remediation steps and controls. The remediation steps and controls must be completed by the project owners. Project owners are required to supply status updates during the projects.

Failure to contact OIS or failure to comply with the security requirements may result in termination of the project or service. After the Security Review has been completed, projects must follow the university Change Management process.

          

Please contact the IT@UC Office of Information Security with any questions.
