Security Consultation

System Security Assessments help identify cybersecurity risks from the use of technology that could potentially cause loss or harm to the University.  A System Security Assessment helps determine if technology will comply with federal and state laws or regulations and University policy for protecting University data.  The goal is to reduce the overall of exposure of the University to cybersecurity risks.  The service is provided by the Office of Information Technology’s Governance, Risk, and Compliance Team (IT GRC).  Security Engineering Consultations are routed to Secops. 

Cost

There are no associated costs for a Security Assessment.

Availability

This service is offered to all OU users at all OU campus locations.

Features

Action Description Timeline
Check the GRC List Determine if your technology has already been assessed by IT on the GRC Risk Assessments Sharepoint or the GRC Risk Assessments Microsoft Teams. Immediately
  Don’t see your technology on the list or need the technology for a different data classification?  Submit a new request.  
Submit a Request

Fill out a new request form in the IT Service Catalog.

 Immediately 
IT GRC Review

IT GRC will review the request form and determine if the technology is on-premises or off-premises.

If on-premises, IT GRC will automatically test security controls, where capable, and will contact you for additional help validating the secure configuration.

If off-premises, IT GRC will invite the Third-Party Provider to participate in the OU IT Third-Party Assessment process using SecurityScorecard.

On-Premises
2-3 business days

Third-Party
Depends on Vendor Availability

 
IT GRC Security Profile Summary

Upon completion of the IT GRC Review, a System Security Profile report will be generated and presented to the System Administrator and Data Steward.  

Any identified gaps will be discussed to develop mitigation strategies along with timelines and responsible parties.  

Gaps that cannot be mitigated, will be presented to the:

  • Low risks will request the approval of the CISO;
  • Moderate risks will request the approval of the CISO and Data Owner;  
  • High risks will request the approval of the CISO, Data Owner, and CIO.
 Varies depending on stakeholder availability

- Security Assessment for storing University data and meeting compliance for external standards (NIST, HIPAA, PCI, GDPR, CUI, and FERPA)

- Security Assessment when evaluating applications or new solutions, IT Security can advise so you can select a low-risk option.

An Assessment IS Recommended Assessment IS NOT Recommended

  • Essential and Mission-Critical IT Services

  • Contracting with a third-party service for software or technology service

  • Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII, CUI)

  • Software not covered by OU Site or Volume licenses

  • Purchase of cloud, networked or removable storage

  • Medical/Research Devices

     

  • Computer Standardization desktops, laptops, and tablets

  • Computer accessories, peripherals, and supplies

  • Printer Standardization Multi-function or Network Printers

  • Desktop Software Applications

  • Desktop (non-networked) printers and toner cartridges

  • Backup tapes

  • Camcorders, digital cameras, DVD players, DVDs, CDs and videotapes

  • Non-networked Smart TVs

  • Smart Phones

  • Headsets

  • Keyboards

  • Microphones

  • Wired or Wireless Mouse

  • Power Cords/Adapters

  • Presenter pointer/clicker

  • Projector accessories

  • UPS Power Supply, battery backup

  • Webcams

Service Alerts

Check Alerts Subscribe

Can't find what you're looking for?

Contact Us
 
 
Request Service

Related Articles (2)

How to read an IT Security Assessment Report
Starting July 1, 2024, the OU IT Security Profile Summary, shared when a security assessment has been completed, is changing it’s look and feel.
Managing Cybersecurity Risks
OU IT offers a variety of services that can be used by researchers. Use this article to help you select the appropriate level of security needed for your project, based on the sensitivity of the data, and then use this document to help you select IT services that will enable your research project.