Application and cloud services assessment process
Don’t wait until the last minute
OIT Risk and Compliance Team Mar 22, 2019
Don’t wait until the last minute to get your application or cloud services assessed. The fiscal year-end is fast approaching. When reviewing your operating needs and other budgeted expenses that may include software and/or cloud services, keep in mind that assessments can take up to 8 weeks to complete.
Third-party vendor applications and cloud services can present significant risk to the University. To mitigate the risk, the Risk and Compliance (RAC) team reviews the security of vendor organizations for server applications facing the internet, or for services provided by a vendor that will have access to university confidential or highly confidential data (including HIPAA, FERPA, and PCI data). This process is essential in minimizing legal issues during the negotiation of the IT Security language during the contract process.
- Go to the Requestor Questionnaire. Select OIT Web Forms, then go to Security Services, select Application Assessment Request, and complete the request for an application assessment. When this form is submitted it creates a Help Desk ticket for the RAC team to review. If you are unable to submit the form, call 4-HELP for assistance.
- Vendor Interaction – the RAC team sends out the vendor questionnaire and reviews it to determine next steps.
- RAC team provides assessment results to the requestor.
- If approved, RAC sends an approval email to the requestor and all interested parties (PSC, ORC, and Data Integration contact).
- Contract Negotiations and Language – the RAC team works with the PSC to negotiate the IT Security language for the contract.
Timeline: 4-8 weeks. Timelines are dependent on the responsiveness of the requestor, vendor, and the complexity of the agreement. Learn more at: https://www.cuanschutz.edu/offices/office-of-information-technology/tools-services/approved-software-applications.
If you have additional questions, feel free to contact the Service Desk at 4-HELP and ask them to assign the ticket to the Risk and Compliance team.