Information Security Review

What is an Information Security Review

To help protect university data and systems, and in compliance with university policy, technology purchases and implementations require a security review to be performed.


Click here to complete an Information Security Review Request. You must be on the UC network or VPN to access this link.

When are Security Reviews required?

  • For all technology purchases over $5,000, whether by a central unit or college. 
  • When Restricted data is involved, such as CUI, HIPAA, PCI and others. 
  • For cloud products and services that store or process Restricted or Controlled data. 
  • For research projects with security clauses – contact Laura Elkin (elkinle@ucmail.uc.edu). 
  • For integrations into existing university technology that permit third party access to university systems or data.

What types of security reviews do we perform?

  • Contract reviews – agreements with third parties are reviewed for contractual language around proper data management and security controls. These are common for cloud services and consulting engagements.
  • Technology purchase reviews – performed when a department is planning to purchase a new technology system or service.
  • Research project review – performed in collaboration with the Office of Research for projects that require compliance with NIST, CMMC or FEDRAMP.
  • Implementation review – performed when new systems or services being implemented may store or transmit Restricted data, or fall under specific regulatory requirements.

What happens during a security review?

  1. The process starts with a requestor completing the security review form on the OIS website (see the red Security Review button at the top of this page).
  2. A risk rating is assigned to the review based on submitted information, which identifies how detailed the review needs to be: 
    • Low – Data involved is intended for public disclosure (Public data); loss of confidentiality, integrity or availability of the data or system would have no adverse impact on the university.
    • Medium – Data involved is not generally available to the public (Controlled data); loss of confidentiality, integrity, or availability of the data or system could have a moderate impact on the university.
    • High – Data involved is required to be protected by law or regulations (CUI or Restricted data); loss of confidentiality, integrity or availability of the data or system could have a significant impact on the university. (For further explanation of university data classifications, please refer to the Data Governance and Classification Policy.)
  3. The OIS team will review submitted information and ask supplemental questions. 
  4. The security team performs research, identifies potential risks to the university, and documents recommendations.
  5. Recommendations are shared with the requesting department.
  6. Department IT works with the vendor to address security recommendations.
  7. Evidence of remediation is submitted to OIS, and remaining risks are evaluated. 
  8. Any unremediated risks are brought to the attention of the business to accept or decline.
  9. A final disposition on the security review is documented.
  10. OIS is responsible for supporting technology implementations for the entire university. A typical security review process takes 2-4 weeks. A longer timeframe, up to 12 weeks, may be necessary for complex projects or those involving university Restricted data.

Please Note: The Office of General Counsel may delay a contract signature to add a “Data Security Rider”. This document outlines university expectations for data security from a third party (see: Data Security Rider).

How Can I Help the Security Review Process?

  • Designate a business and technical point of contact. A local IT representative is a great resource for this!
  • Collect as much documentation as you can before you submit your request. Some helpful information to include:
    • Contracts, service level agreements (SLAs), user license agreements (ULAs), memorandums of understanding (MOUs), privacy notices, HECVAT.
    • Business purpose of the request. Understanding the goals of the project will help us ask the right questions.
    • Data types involved and data flow diagrams.
    • What other university systems are involved?
  • Engage with us in a timely manner to avoid delays.
  • If your project involves Restricted university data, an approval is required from the Data Trustee(s). For example, for student data (FERPA) the Data Trustee is the Office of Registrar.

Additional Information