Third party vendor applications and cloud services can present significant risk to the University. To mitigate the risk, the Risk and Compliance (RAC) team reviews the security of vendor organizations for server applications facing the internet, or services provided by a vendor that will have access to university confidential, or highly confidential data (including HIPAA, FERPA, and PCI data). This process is essential in minimizing legal issues during the negotiation of the IT Security language during the contract process.
Timeline: 4-8 weeks. Timelines are dependent on the responsiveness of the requestor, vendor, and the complexity of the agreement.
Risk and Compliance Process:
Before starting, please check the Approved Application and Cloud Services to see if there is a comparable approved product available to suit your business needs. If not, continue with the steps below.
- Go to the Requestor Questionnaire. Select OIT Web Forms, then go to Security Services, select Application Assessment Request, and complete the request for an application assessment. When this form is submitted it creates a Help Desk ticket for the RAC team to review. If you are unable to submit the form, call 4-HELP. *Additional steps may be needed. See other team information below.
- Vendor Interaction- RAC team sends out vendor questionnaire and reviews to determine next steps.
- RAC team provides assessment results to the requestor.
- If approved, RAC sends approval email to the requestor and all interested parties. (PSC, ORC, and Data Integration contact).
- Contract Negotiations and Language- The RAC team works with the PSC to negotiate the IT Security language for the contract.
- Exceptions to this process:
a. Application is found on the Approved Application and Cloud Services Page
b. Security Risk Acceptance signed by Data Owner
Other Teams you may need to engage during this process:
- Procurement Service Center (PSC)- The team that will assist you with your purchase.
- Data Integration Requests -If your request will include the integration of your software with CU System to retrieve university data, enter a data integration request as soon as possible.
- Office of Regulatory Compliance (ORC)- If your request involves HIPAA data, the Office of Regulatory Compliance will be asked by the PSC to prepare a BAA for both parties to sign.
University Data Classification and Impact
IT Security Program APS-6005
University HIPAA Policy