OUHSC Information Technology Department



Information Security Risk Assessment

Supporting documents: Full policy (Adobe PDF file)

Risk Assessment Process

Information Security R.I.S.K. Program
The Information Security Risk Assessment Process is intended to assist Business Units with understanding the technology risks associated with technology-related products and services. Requesting an Information Security Risk Assessment early in the process will help avoid delays later.

Information Security Risk Assessment Policy
All information system resources receiving, storing and/or transmitting University data must have a Product Review completed by OUHSC IT to identify risks and necessary regulatory controls. Information Security Risk Assessment Policy

This policy applies to:

  • Implementation of a new or upgraded multi-user Information System
  • Solutions requiring an interface to an existing Information System
  • Contracting with a third-party service for software or technology service
  • Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII)
  • Software not covered by OUHSC Site or Volume licenses
  • Multi-function or Network Printers
  • Purchase of servers and network equipment
  • Purchase of digital signage and classroom audio/visual equipment not maintained by Academic Technology
  • Purchase of cloud, networked or removable storage
  • Medical/Research Devices

This policy does not apply to:

  • Desktops and laptops
  • Computer accessories, peripherals, and supplies
  • DVDs, CDs and videotapes
  • Software covered by OUHSC Site or Volume licenses
  • Desktop (non-networked) printers and toner cartridges
  • Backup tapes
  • Camcorders, digital cameras, DVD players
  • Non-networked Smart TVs
  • Smart Phones
  • Headsets
  • Keyboards
  • Microphones
  • Wired or Wireless Mouse
  • Power Cords/Adapters
  • Presenter pointer/clicker
  • Projector accessories
  • UPS Power Supply, battery backup
  • Webcams

Review Criteria

All OUHSC Information Security Risk Assessments (Product Reviews) must supply pertinent information regarding the security capabilities of the requested product. This information is captured in the OUHSC Information Security Risk Assessment questionnaire.

ROWS 1-24 will automatically determine the classification of the request and determine what security questions must be answered. Please pay careful attention and respond accurately to these questions.

The OUHSC Information Security Risk Assessment Questionnaires can be located by clicking the links below:

***NOTE*** The Information Security Risk Assessment process does not constitute an approval or authorization to purchase a reviewed product. State of Oklahoma and University purchasing rules still apply.