How to request a Security Consultation

OVERVIEW

System Security Assessments help identify cybersecurity risks from the use of technology that could potentially cause loss or harm to the University.  A System Security Assessment helps determine if technology will comply with federal and state laws or regulations and University policy for protecting University data.  The goal is to reduce the overall of exposure of the University to cybersecurity risks.  The service is provided by the Office of Information Technology’s Governance, Risk, and Compliance Team (IT GRC). 

How to request a consultation

  1. Determine if your technology has already been assessed by IT on the GRC Program Page.
  2. Fill out the Security Consultation Request.  Guidance for filling out this form is provided below.
Field Name Examples Description
Information System Name OpenAI ChatGPT Use simple language and provide the name of the vendor and the specific product.  
Information System Description and Purpose ChatGPT is conversational AI by OpenAI, generates human-like text interactions Give a broad, simple summary of the vendor and how the product will be used at OU.  Provide any details that makes the product unique.  Include versions/license types.
Business Unit Department Name Provide the department name if you are submitting this form on behalf of another person.
Information System Owner Dean, Department Chair, Vice President

This individual is responsible for department budget approval.  Provide the individuals' name, email address and phone number.
Information System Steward Day to day manger of the system or data

This individual is responsible for working with IT personnel for implementation and setup.  The Owner and Steward must be separate individuals.  Provide the individuals' name, email address and phone number.
Information System Administrator IT person or group responsible for the system

The individual or group responsible for the management and operation of the system.  Provide the individuals' name, email address and phone number.
Vendor or Supplier OpenAI Provide the vendor contact's name, email address, and phone number.  If not personal contact, add the vendor's URL.
Information Classification Use Article - 8.2.2.1 Information (Data) Classification Standard to answer the 7 questions on data category.
How critical?

Essential, Mission-Critical, Unit-Critical, Non-Critical

Select from the list the most appropriate answer.  This field is subject to review and change by IT GRC.

  • Article - 8.2.1.7 IT Disaster Recovery Policy (ou.edu)
  • Essential IT services are used at all campuses.  OU IT works with IS Administrators to ensure backup and recovery procedures are documented and included in the OU IT DR Plan.
  • Mission-Critical IT services are used for specific missions at all campuses.  IS Stewards and Administrators must ensure backup and recovery procedures are documented and included in the Department IT DR Plan.
  • Unit-Critical IT services are are used by a specific department.  IS Stewards and Administrators must ensure backup and recovery procedures are documented and included in the Department IT DR Plan.
  • Non-Critical IT services are not critical.  IS Stewards and Administrators must ensure backup and recovery procedures are documented and included in the Department IT DR Plan.
Mission Research, Education, Service
Location OU IT Data Center, Third Party Data Center, Campus Building, Lab, Other Select the locations where systems or data will be stored.  Select Third Party Data Center if the vendor provides an online service.
SOC2, HECVAT, or HITRUST Yes, No SOC2, HITRUST, ISO are 3rd party security audit reports and provide OU with assurance of security controls implemented by the vendor.  A Higher Education Cloud Vendor Assessment Tool (HECVAT) is a fillable attestation form commonly used by Higher Education institutions to analyze the risk of a particular vendor/product.
Vendor Store, Transmit, Process, or View PHI Yes, No

This question only appears if Category A was selected in the data category questions.  When marked Yes, a Business Associate Agreement may be required.
Vendor Requires Remote Access Yes, No

This question only appears if Category A was selected in the data category questions.  When marked Yes, a Business Associate Agreement may be required.
Internet Accessible Yes, No
Multi-factor Authentication Yes, No

Select Yes if multi-factor authentication is or will be enabled.  Otherwise, select No.  

**NOTE** Category A, B, C, D1, and E systems storing identifiable data must use multi-factor authentication.
Remote Access RDP, SSH, SSL/TLS, VPN, VDI, Web, Other

Select from the list the types of remote access used to access this system or data.  
SSO, Federated, or Active Directory Authentication Yes, No

Select Yes if the system/vendor will use OU's SSO, Federated, or Active Directory services for authentication.  Need help with authentication?
Encryption at Rest Yes, No

Select Yes if OU data will be encrypted at rest.  Otherwise, select No.
Encryption in Motion Yes, No

Select Yes if OU data will be encrypted in motion.  Otherwise, select No.
Current Users Report Yes, No, Not Sure

Select Yes if the system/vendor has the ability to provide a list of current and active users for access monitoring and reviews.  
Create and Retain Logs Yes, No, Not Sure

Select Yes if the system/vendor has the ability to create and retain system, application, and/or user logs for monitoring and reviews.  

 

Print Article

Details

Article ID: 3249
Created
Tue 6/25/24 9:57 AM
Modified
Wed 6/26/24 12:44 PM

Related Articles (1)

How to read an IT Security Assessment Report
Starting July 1, 2024, the OU IT Security Profile Summary, shared when a security assessment has been completed, is changing it’s look and feel.

Related Services / Offerings (1)

Security Consultation