Security and compliance services monitor, protect and secure the university's IT infrastructure, data and operations, safeguarding the privacy of the university community while maintaining compliance with applicable policies, laws and regulations.
Third-party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI, the risk and compliance team assesses the security and practices of all third-party vendor server applications and cloud services. Review approved applications.
A payment card is any type of credit, debit or prepaid card used in a financial transaction. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all university departments that accept payment cards for financial transactions. Any third-party vendor engaged by University Merchants to process payment card transactions on their behalf, or who is engaged in payment card financial services on our campus, must also comply with the PCI DSS.
For assistance, contact the OIT Service Desk at (303) 724-4357 (4-HELP from an on-campus phone).
If you believe your account has been compromised, the OIT Security and Compliance team is available to assist. There will be an investigation into the compromised account and a process for mitigating future risk.
Security of data usage (public, confidential and highly confidential data, including ePHI) is important to keeping the university protected. Keep your school or department compliant by reviewing how you use, store and transmit data.
For information on how to keep your school or department compliant when using, storing and transmitting data in OneDrive for Business, see Securing Data in OneDrive for Business.
By default, servers on the campus network are only accessible from the campus network (including VPN). In order to make your server accessible from the Internet, or from any of the affiliate networks, you will need to complete a Firewall Penetration Request and remediate any vulnerabilities or configuration changes that are identified during the penetration request process.
Please click the call to action button on the right to be directed to the OIT Service Center to create a ticket for this request. Click Log In, select Make a Request, scroll down to Security Services, and click on Firewall/IPS where you will see the Firewall Penetration Request form.
Moving forward, public facing hosts will need to be in the DMZ Firewall. More information about the DMZ Firewall process and permissions will be coming soon.
Requests to dispose of old or unused hard drives from redundant, obsolete computers, retired servers, unused flash drives and photocopiers should be submitted through the Asset Management form on the Facilities Management webpage. Hard drives are then picked up by facilities and ultimately sent to Techno Rescue. Techno Rescue is under contract for the destruction and disposal of all equipment.
Phishing is a psychological attack used by cyber criminals to trick you into giving up information or taking an action. Phishing originally described email attacks that would steal your online username and password. However, the term has evolved and now refers to almost any message-based attack. These attacks begin with a cyber criminal sending a message pretending to be from someone or something you know, such as a friend, your bank, your company or a well-known store.
The OIT Risk and Compliance team reviews applications, cloud services and business processes to reduce risk and meet compliance standards.
OIT provides authentication services to university units for departmental or campuswide applications that require the authentication of users based on their affiliation with the university. Applications may be internal or third-party.
You must be signed on to the university network to access the request form. Links for connecting to campus resources are available on the VPN and Remote Access webpage.
A standard process is in place for typical terminations from the university. Timely terminations are specific to an involuntary termination or any circumstance where the unit believes there is a risk to university data. OIT will evaluate the request and then obtain approval from Legal and HR before disabling access. Please note that employees who also hold an active role as a student have specific rights to maintain access to their student account.
To submit a Timely Termination, please click the call to action button on the right to be directed to the OIT Service Center to create a ticket for this request.
All non-emergency requests to access another user’s data must be approved by HR and Legal before access is granted. OIT has created a process to manage these requests, which can be initiated by the supervisor of the person in question or by the department administrator. If the approval is granted by HR and Legal, the IT Security and Compliance Team will coordinate the data transfer with the appropriate team(s) in OIT and the requesting department.
To submit a Data Access Request, please click the call to action button on the right to be directed to the OIT Service Center to create a ticket for this request.