Security Consultation

System Security Assessments help identify cybersecurity risks from the use of technology that could potentially cause loss or harm to the University.  A System Security Assessment helps determine if technology will comply with federal and state laws or regulations and University policy for protecting University data.  The goal is to reduce the overall of exposure of the University to cybersecurity risks.  The service is provided by the Office of Information Technology’s Governance, Risk, and Compliance Team (IT GRC).  Security Engineering Consultations are routed to Secops. 


There are no associated costs for a Security Assessment.


This service is offered to all OU users at all OU campus locations.


Action Description Timeline
Check the GRC List Determine if your technology has already been assessed by IT on the GRC Program Page. Immediately
  Don’t see your technology on the list or need the technology for a different data classification?  Submit a new request.  
Submit a Request

Fill out a new request form in the IT Service Catalog.

IT GRC Review

IT GRC will review the request form and determine if the technology is on-premises or off-premises.

If on-premises, IT GRC will automatically test security controls, where capable, and will contact you for additional help validating the secure configuration.

If off-premises, IT GRC will invite the Third-Party Provider to participate in the OU IT Third-Party Assessment process using SecurityScorecard.

2-3 business days

Depends on Vendor Availability


IT GRC Security Profile Summary

Upon completion of the IT GRC Review, a System Security Profile report will be generated and presented to the System Administrator and Data Steward.  

Any identified gaps will be discussed to develop mitigation strategies along with timelines and responsible parties.  

Gaps that cannot be mitigated, will be presented to the:

  • Low risks will request the approval of the CISO;
  • Moderate risks will request the approval of the CISO and Data Owner;  
  • High risks will request the approval of the CISO, Data Owner, and CIO.
Varies depending on stakeholder availability

- Security Assessment for storing University data and meeting compliance for external standards (NIST, HIPAA, PCI, GDPR, CUI, and FERPA)

- Security Assessment when evaluating applications or new solutions, IT Security can advise so you can select a low-risk option.

An Assessment IS Recommended Assessment IS NOT Recommended
  • Essential and Mission-Critical IT Services

  • Contracting with a third-party service for software or technology service

  • Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII, CUI)

  • Software not covered by OU Site or Volume licenses

  • Purchase of cloud, networked or removable storage

  • Medical/Research Devices


  • Computer Standardization desktops, laptops, and tablets

  • Computer accessories, peripherals, and supplies

  • Printer Standardization Multi-function or Network Printers

  • Desktop Software Applications

  • Desktop (non-networked) printers and toner cartridges

  • Backup tapes

  • Camcorders, digital cameras, DVD players, DVDs, CDs and videotapes

  • Non-networked Smart TVs

  • Smart Phones

  • Headsets

  • Keyboards

  • Microphones

  • Wired or Wireless Mouse

  • Power Cords/Adapters

  • Presenter pointer/clicker

  • Projector accessories

  • UPS Power Supply, battery backup

  • Webcams

Service Alerts

Check Alerts Subscribe

Can't find what you're looking for?

Contact Us

Request Service

Related Articles (4)

The Identity and Access Management Policy defines the information security requirements for the identity and access management processes relevant to university data or systems.
This article provides insights into CUI @OU, what you need to do to protect CUI, and what OU IT is doing to protect CUI @OU.


Service ID: 64
Wed 5/20/20 8:50 AM
Wed 5/15/24 9:47 AM