Technology Risk Assessment

Category: IT Security. Audience: Faculty, Staff.

The Risk and Compliance team reviews the security and practices of third-party applications, cloud services and business processes in order to protect university confidential and highly confidential data, including PHI, reduce risk and meet compliance standards.

Third-party vendor applications and cloud services can present significant risk to the University. To mitigate that risk, the Risk and Compliance (RAC) team reviews the security of vendor organizations for internet-facing server applications, and for services provided by a vendor that will have access to university confidential or highly confidential data (including HIPAA, FERPA, and PCI data). Completing this review before contracting is essential to minimizing legal issues when the IT security language of the contract is negotiated.

Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI, the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Third party vendor applications include those that process, transmit or store PCI (Payment Card Industry) data.

Third party vendors must:

  • Prevent the loss, theft, unauthorized access and/or disclosure of university data
  • Destroy data when no longer needed per university data owner instructions
  • Have incident response procedures and reporting requirements in case of a breach

Timeline: Please note that we complete requests in the order we receive them; timelines depend on the responsiveness of the requestor and the vendor, and on the complexity of the agreement.

Risk and Compliance Process

  1. Gather and Compile Product and Vendor Information
  2. Fill out the Technology Risk Assessment Form
  3. Have Availability on your Outlook Calendar
  4. Ensure your Department IT Representative is Aware of the Request
  5. Attend the Meeting RAC Schedules
  6. Inform the Vendor Our Team Will Be Reaching Out
  7. Collaborate with RAC to get the Vendor to Answer the Security Questionnaire
  8. Have Someone In Your Department Ready to Sign an NDA if Requested by the Vendor
  9. Respond to Any Follow-Up Questions RAC Has
  10. Ensure the Vendor Answers any Follow-Up Questions
  11. Read the Best Practices Outlined By RAC
  12. Attach the Close Out Email to your Requisition in Marketplace
  13. Inform the Vendor the Assessment is Completed
  14. Fill out the Technology Risk Assessment Form Again, 90 Days Before the Contract Expires
  15. Submit the Renewal Requisition in Marketplace

Other University Teams to Contact for Process

  • Procurement Service Center (PSC) - The team that will assist you with your purchase.
  • Data Integration Requests - If your request will include the integration of your software with CU System to retrieve university data, enter a data integration request as soon as possible.
  • Office of Regulatory Compliance (ORC) - If your request involves HIPAA data, the Office of Regulatory Compliance will be asked by the PSC to prepare a BAA for both parties to sign.
