Product_Review

Product Review:

Supporting documents: Full policy - Process - Form

All information system resources receiving, storing and/or transmitting sensitive data must have a product review completed.

The product review will contain at a minimum: a complete description of the product, its functions and capabilities, interfaces with other systems and data, the method of interface, and all its inputs and outputs.

If any of the above change at any time during the product review process and/or the product implementation, the product review must be updated to reflect these changes and be resubmitted for review.

The product review will then be performed by each of the affected OUHSC IT departments to determine if the resource is compliant with existing Information Technology governance and if it brings any new or additional impact(s) to the OUHSC IT environment.

Each affected OUHSC IT department will document any identified impact(s) created by the resource specific to the affected area(s) and any recommendations. These recommendations will then be summarized into an overall analysis of the product and will include at a minimum the following:

Any known products in place at OUHSC performing the same role/task/function.
The products overall sensitivity rating and why.
Is/Is not compliance with current applicable Information Technology governance.
Any recommendations/conditions to consider for deployment. This may include submission of a project request to OUHSC IT Project Services.

A product review does not imply consent or approval to purchase, develop, or deploy the product and the requesting department retains responsibility for ensuring this product is compliant with all applicable policies and regulations.