IT Security
Security and Compliance
We provide several services to keep your information and the university's data safe. Services provided include monitoring, protecting and securing our information technology infrastructure, data and operations to safeguard the privacy of the university community while maintaining compliance with applicable policies, laws and regulations.
News
The Information Security and IT Compliance bi-monthly newsletter is distributed via email mid-month. View recent issues you may have missed here:
Information Security and IT Compliance Webinar
October is Cybersecurity Awareness Month. Our security team collaborated with Information Security Officers across the university on a roundtable webinar to answer your most pressing security related questions. You can find the recording below in case you missed it or would like to re-watch it. All the information discussed in the webinar is safe for public knowledge and compliant with IT security best practices.
Cybersecurity Roundtable: Phishing, Traveling, and Protecting Your Data Everywhere In Between
Report a Lost or Stolen Device
If a university owned and issued electronic device has been lost or stolen, click here to learn how to report the missing item to OIT and Campus Police.
Security Guides and Policies
Unit HIPAA Compliance Program
The Unit HIPAA Compliance Program provides guidance to units/departments, schools, offices and other campus units on the Anschutz Medical Campus, and to a lesser extent CU Denver campus, in their responsibilities to meet compliance to the HIPAA Security Rule. Visit the site for resources to ensure all data users are HIPAA compliant.
Security Tools and Services
Search all tools and services using the search bar.
Security Review
Category: IT Security OIT - Categories Audience: Faculty Staff
Risk and Compliance team reviews the security and practices of third party applications, cloud services and business processes in order to protect university confidential and highly confidential data, including PHI, to reduce risk and meet compliance standards.
Request Security Review
Application and Cloud Services Assessment Process
Third party vendor applications and cloud services can present significant risk to the University. To mitigate the risk, the Risk and Compliance (RAC) team reviews the security of vendor organizations for server applications facing the internet, or services provided by a vendor that will have access to university confidential, or highly confidential data (including HIPAA, FERPA, and PCI data). This process is essential in minimizing legal issues during the negotiation of the IT Security language during the contract process.
Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI, the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Third party vendor applications include those that process, transmit or store PCI (Payment Card Industry) data.
Third party vendors must:
- Prevent the loss, theft, unauthorized access and/or disclosure of university data
- Destroy data when no longer needed per university data owner instructions
- Have incident response procedures and reporting requirements in case of a breach
Timeline: Please note, we complete requests in the order we receive them and timelines are dependent on the responsiveness of the requestor, vendor, and the complexity of the agreement.
Risk and Compliance Process
- Go to the Requestor Questionnaire. (Form works best in Chrome and Firefox) *Additional steps may be needed. See other team information below.
- Vendor Interaction - RAC team sends out vendor questionnaire and reviews to determine next steps.
- RAC team provides assessment results to the requestor.
- If approved, RAC sends approval email to the requestor and all interested parties. (PSC, ORC, and Data Integration contact).
- Contract Negotiations and Language - The RAC team works with the PSC to negotiate the IT Security language for the contract.
- Exceptions to this process is the Security Risk Acceptance signed by Data Owner.
Other University Teams to Contact for Process
- Procurement Service Center (PSC) - The team that will assist you with your purchase.
- Data Integration Requests - If your request will include the integration of your software with CU System to retrieve university data, enter a data integration request as soon as possible.
- Office of Regulatory Compliance (ORC) - If your request involves HIPAA data, the Office of Regulatory Compliance will be asked by the PSC to prepare a BAA for both parties to sign.