OUHSC Information Technology Department

Home  |  Online Help  |  Policies  |  Forms  |  Tier Ones

Information Security Risk and Information Security Knowledge (R.I.S.K.)

Risk Assessment Process

Information Security R.I.S.K. Program
The Information Security Risk Assessment Process is intended to assist Business Units with understanding the technology risks associated with technology-related products and services. Requesting an Information Security Risk Assessment early in the process will help avoid delays later.

Information Security Risk Assessment Policy
All information system resources receiving, storing and/or transmitting University data must have a Product Review completed by OUHSC IT to identify risks and necessary regulatory controls.  InformationSecurity Risk Assessment Policy

This policy applies to:

  • Implementation of a new or upgraded multi-user Information System
  • Solutions requiring an interface to an existing Information System
  • Contracting with a third party service for software or technology service
  • Implementing a solution interacting with regulated data (ePHI, PCI, FERPA, PII)
  • Software not covered by OUHSC Site or Volume licenses
  • Multi-function or Network Printers
  • Purchase of servers and network equipment
  • Purchase of digital signage and classroom audio/visual equipment not maintained by Academic Technology
  • Purchase of cloud, networked or removable storage
  • Medical/Research Devices
  • Software not covered by OUHSC Site or Volume licenses

This policy does not apply to:

  • Desktops and laptops
  • Computer accessories, peripherals, and supplies
  • DVDs, CDs and videotapes
  • Software covered by OUHSC Site or Volume licneses
  • Desktop (non-networked) printers and toner cartridges
  • Backup tapes
  • Camcorders, digital cameras, DVD players
  • Non-networked Smart TVs
  • Smart Phones
  • Headsets
  • Keyboards
  • Microphones
  • Wired or Wireless Mouse
  • Power Cords/Adapters
  • Presenter pointer/clicker
  • Projector accessories
  • UPS Power Supply, battery backup
  • Webcams

Review Criteria

All OUHSC Information Security Risk Assessments (Product Reviews), must supply pertinent information regarding the security capabilities of the requested product. This information is captured in the OUHSC Information Security Risk Assessment questionnaire.

ROWS 1-24 will automatically determine the classification of the request and determine what security questions must be answered. Please pay careful attention and respond accurately to these questions.

The OUHSC Information Security Risk Assessment Questionnaires can be located by clicking the links below:

***NOTE***The Information Security Risk Assessment process does not constitute an approval or authorization to purchase a reviewed product. State of Oklahoma and University purchasing rules still apply.

New instructions for the Information Security Risk Assessment process:

The review begins in and is controlled by the automated system used by HSC Information Technology to manage requests.

The first step in the process is to login to Service Now by visiting the http://ServiceNowLoginPage. You will be re-directed to the HSC Information Technology self-service system where you can sign in using your normal OUHSC UserID and Password

After logging in, go to http://it.ouhsc.edu/servicecatalog.

When prompted to select a campus, select Oklahoma City.

Select Information Services Risk Assessment in the Professional Services section.


Read the information in the top portion if you are unfamiliar with the process. Some of the data will already be filled in for you, such as your UserID, Department, and Campus phone number. Complete the Risk Assessment request form with as much detail as possible. Providing as much information as possible when the item is first sumbitted for review will expidite the request.

When the form is complete click on the ORDER NOW button in the top-right portion of the webpage to submit the item for review.

After you have chosen the Order Now button you may log out of the IT self-service system.

You will receive an email from ouhsc@service-now.com for each item you have requested for review. Please use the request numbers provided in this email if you have to ask for further assistance from IT.

When the Review process is complete, you will also recieve another email informing you of the completion of the review and providing you with a link to the complete review, including both the information you submitted and any Inforamation Technology feedback or recommendations. It is this information that may be requested by Purchasing prior to any order being placed.

After submitting your request, IT Security will contact you via email with further questions regarding the nature of your request. Upon completion of our analysis, IT Security will schedule a conference call to provide any Information Security recommendations identified as part of the assessment.

Revised on 10/28/2014 to update the ServiceNow URL and provide updated screenshots of the request process.

Revised on 12/11/2014 to remove the link to the MS Word request form since the form has moved to ServiceNow.

Revised on 05/16/2017 to add links to OUHSC Risk Assessment Questionnaires.

Reviews on 07/17/2017 to update Review Criteria.