System Security Assessments help identify cybersecurity risks from the use of technology that could potentially cause loss or harm to the University. A System Security Assessment helps determine if technology will comply with federal and state laws or regulations and University policy for protecting University data. The goal is to reduce the overall exposure of the University to cybersecurity risks. The service is provided by the Office of Information Technology’s Governance, Risk, and Compliance Team (IT GRC). Security Engineering Consultations are routed to Secops.
		
			Features
			
				
					
						| Action | Description | Timeline |  
						| Check the GRC List | Determine if your technology has already been assessed by IT on the GRC Risk Assessments SharePoint or the GRC Risk Assessments Microsoft Teams. | Immediately |  
						|  | Don’t see your technology on the list or need the technology for a different data classification?  Submit a new request. |  |  
						| Submit a Request | Fill out a new request form in the IT Service Catalog. | Immediately |  
						| IT GRC Review | IT GRC will review the request form and determine if the technology is on-premises or off-premises. If on-premises, IT GRC will automatically test security controls, where capable, and will contact you for additional help validating the secure configuration. If off-premises, IT GRC will invite the Third-Party Provider to participate in the OU IT Third-Party Assessment process using SecurityScorecard. | On-Premises: 2-3 business days; Third-Party: Depends on Vendor Availability |  
						| IT GRC Security Profile Summary | Upon completion of the IT GRC Review, a System Security Profile report will be generated and presented to the System Administrator and Data Steward. Any identified gaps will be discussed to develop mitigation strategies along with timelines and responsible parties. Gaps that cannot be mitigated will be presented to the: Low risks will request the approval of the CISO; Moderate risks will request the approval of the CISO and Data Owner; High risks will request the approval of the CISO, Data Owner, and CIO. | Varies depending on stakeholder availability |  

- Security Assessment for storing University data and meeting compliance for external standards (NIST, HIPAA, PCI, GDPR, CUI, and FERPA)
- Security Assessment when evaluating applications or new solutions; IT Security can advise so you can select a low-risk option.
			
				
					
An Assessment IS Recommended

- Essential and Mission-Critical IT Services
- Contracting with a third-party service for software or technology service
- Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII, CUI)
- Software not covered by OU Site or Volume licenses
- Purchase of cloud, networked or removable storage
- Medical/Research Devices

Assessment IS NOT Recommended

- Computer Standardization desktops, laptops, and tablets
- Computer accessories, peripherals, and supplies
- Printer Standardization Multi-function or Network Printers
- Desktop Software Applications
- Desktop (non-networked) printers and toner cartridges
- Backup tapes
- Camcorders, digital cameras, DVD players, DVDs, CDs and videotapes
- Non-networked Smart TVs
- Smart Phones
- Headsets
- Keyboards
- Microphones
- Wired or Wireless Mouse
- Power Cords/Adapters
- Presenter pointer/clicker
- Projector accessories
- UPS Power Supply, battery backup
- Webcams