|
System Security Assessments help identify cybersecurity risks from the use of technology that could potentially cause loss or harm to the University. A System Security Assessment helps determine if technology will comply with federal and state laws or regulations and University policy for protecting University data. The goal is to reduce the overall of exposure of the University to cybersecurity risks. The service is provided by the Office of Information Technology’s Governance, Risk, and Compliance Team (IT GRC). Security Engineering Consultations are routed to Secops.
|
Features
| Action |
Description |
Timeline |
| Check the GRC List |
Determine if your technology has already been assessed by IT on the GRC Risk Assessments Sharepoint or the GRC Risk Assessments Microsoft Teams. |
Immediately |
| |
Don’t see your technology on the list or need the technology for a different data classification? Submit a new request. |
|
| Submit a Request |
Fill out a new request form in the IT Service Catalog.
|
Immediately |
| IT GRC Review |
IT GRC will review the request form and determine if the technology is on-premises or off-premises.
If on-premises, IT GRC will automatically test security controls, where capable, and will contact you for additional help validating the secure configuration.
If off-premises, IT GRC will invite the Third-Party Provider to participate in the OU IT Third-Party Assessment process using SecurityScorecard.
|
On-Premises
2-3 business days
Third-Party
Depends on Vendor Availability
|
| IT GRC Security Profile Summary |
Upon completion of the IT GRC Review, a System Security Profile report will be generated and presented to the System Administrator and Data Steward.
Any identified gaps will be discussed to develop mitigation strategies along with timelines and responsible parties.
Gaps that cannot be mitigated, will be presented to the:
- Low risks will request the approval of the CISO;
- Moderate risks will request the approval of the CISO and Data Owner;
- High risks will request the approval of the CISO, Data Owner, and CIO.
|
Varies depending on stakeholder availability |
- Security Assessment for storing University data and meeting compliance for external standards (NIST, HIPAA, PCI, GDPR, CUI, and FERPA)
- Security Assessment when evaluating applications or new solutions, IT Security can advise so you can select a low-risk option.
| An Assessment IS Recommended |
Assessment IS NOT Recommended |
-
Essential and Mission-Critical IT Services
-
Contracting with a third-party service for software or technology service
-
Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII, CUI)
-
Software not covered by OU Site or Volume licenses
-
Purchase of cloud, networked or removable storage
-
Medical/Research Devices
|
-
Computer Standardization desktops, laptops, and tablets
-
Computer accessories, peripherals, and supplies
-
Printer Standardization Multi-function or Network Printers
-
Desktop Software Applications
-
Desktop (non-networked) printers and toner cartridges
-
Backup tapes
-
Camcorders, digital cameras, DVD players, DVDs, CDs and videotapes
-
Non-networked Smart TVs
-
Smart Phones
-
Headsets
-
Keyboards
-
Microphones
-
Wired or Wireless Mouse
-
Power Cords/Adapters
-
Presenter pointer/clicker
-
Projector accessories
-
UPS Power Supply, battery backup
-
Webcams
|
|