When to perform an Information Security Review?
An Information Security Review must be performed in the following scenarios:
• Implementation of new information services and systems, or significant changes to existing university information services or systems, that may store or transmit Controlled Unclassified Information (CUI) or Restricted data (see Data Classification Examples and Data Classification and Data Types for additional information).
• Implementation of new critical infrastructure or significant changes to existing critical infrastructure.
• Implementation of a new enterprise system or significant changes to existing enterprise systems.
• Implementation of new systems or significant changes to existing systems that permit third-party access to university systems or data.
• Implementation of cloud services for the storing or processing of CUI, Restricted or Controlled data.
How to submit an Information Security Review?
The Security Review request process consists of the following steps:
Select the Security Review button on this page to complete a series of questions related to how the project/service will be used and define the data elements involved. Please note: You must be on the campus network or connected via the VPN to access the link. The questionnaire should be completed by someone who is knowledgeable about the details of the data and systems involved. It is very important that these questions are answered as accurately as possible. If you have questions, please reach out to OIS for assistance at email@example.com or 513-558-4732.
Once you have completed the questionnaire, OIS will review your responses and respond with feedback as soon as possible. This may require you to provide further documentation related to your project. Note: The review request should be submitted to OIS prior to procuring products/services or finalizing a contract.
Additional Information Related to Purchasing IT Equipment, Software, Services:
When making a purchase related to information technology, such as computers, hardware, software, or application add-ons, and/or hiring an outside entity to provide technology services (e.g., a consulting firm), an important part of following the university’s Central Purchasing department’s processes and procedures is engaging the Office of Information Security (OIS) at the onset of a purchasing decision.
There are different avenues for purchasing items for information technology purposes and the process for each item can be found at the Central Purchasing website.
The Office of Information Security requires that a Security Review be completed at the beginning of technology acquisitions so that any associated risks to the university can be addressed, prevented and/or mitigated. Time for this process should be built into the project plan. Please enter the Security Review request prior to entering quotes and agreements into the contract management system (PACE) so that proper time is allowed for OIS to review and assess risks associated with the purchase.
Any agreement containing a quote that contains Terms & Conditions verbiage must be processed through the contract management system (PACE), even if there is no signature line.
Please Note! A Data Security Rider is required when third parties (vendors, service providers) are given access to CUI or Restricted data at the university. This should be initiated as soon as possible with the UC Office of General Counsel (OGC) prior to entering the agreement in the PACE tool to allow for adequate time for contract changes.