Security and Compliance

Security and Compliance Icon

Approved Software/Applications

Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI., the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Review approved applications. 


Credit Card Merchant Accounts

A payment card is any type of credit, debit or prepaid card used in a financial transaction. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all University departments that accept payment cards for financial transactions. Any third-party vendor engaged by University Merchants to process payment card transactions on their behalf, or who is engaged in payment card financial services on our campus, must also comply with the PCI DSS. 

For assistance, contact the OIT Help Desk at (303) 724-4357 (4-HELP)


Compromised Email Accounts

If you believe your account has been compromised, the OIT Security and Compliance team is available to assist. There will be an investigation into the compromised account and a process for mitigating future risk.

Report an Issue:

  1. Stop all actions. Do not turn off the computer.
  2. Contact the OIT Help Desk 303-724-4357 or 4-HELP and report the incident.

Data Usage

Security of data usage (public, confidential, highly confidential data (including ePHI) is important to keeping the university protected. Keep your school or department compliant by reviewing how you use, store and transmit data. 


Firewall Exceptions

​​​By default, servers on the campus network are only accessible from the campus network (including VPN). In order to make your server accessible from the Internet, or from any of the affiliate networks, you will need to fill out a Firewall Penetration Request and remediate any vulnerabilities or configuration changes that are identified during the penetration request process.


Hard Drive Disposal

If you have old or unused hard drives from redundant obsolete computers, retired servers, unused flash drives and photocopiers, you need to get in touch with Asset Management to submit a disposal request. Hard drives are then picked up by facilities and ultimately sent to Techno Rescue. Techno Rescue is under contract for the destruction and disposal of all equipment.


Phishing Emails

Phishing is a psychological attack used by cyber criminals to trick you into giving up information or taking an action. Phishing originally described email attacks that would steal your online username and password. However, the term has evolved and now refers to almost any message-based attack. These attacks begin with a cyber criminal sending a message pretending to be from someone of something you know, such as a friend, your bank, your company or a well-known store.


Security Review or Check

The OIT Risk and Compliance team reviews applications, cloud services and business processes to reduce risk and meet compliance standards.


Single Sign On

OIT provides authentication services to university units for departmental or campus-wide applications that require the authentication of users based on their affiliation with the University. Applications may be internal or third-party.


Timely Termination

There is a standard process that is in place for typical terminations from the university. Timely terminations are specific to an involuntary termination or any circumstance where the unit believes there is a risk to university data. OIT will evaluate the request and then obtain approval from Legal and HR before disabling access.  Please note that employees who also hold an active role as a student have specific rights to maintain access to their student account.


User Data Access Request

All non-emergency requests to access to another user’s data must be approved by HR and Legal before access is granted. OIT has created a process to manage these requests which can be initiated by the supervisor of the person in question, or by the department administratorIf the approval is granted by HR and Legal, the IT Security and Compliance Team will coordinate the data transfer with the appropriate team(s) in OIT and the requesting department.