In addition to the standard contract review, the University must ensure that contracts for IT software, application, and service purchases include the proper language to address the necessary IT security risk and compliance controls. Application service providers, software vendors, IT consultants, and other outsourced service providers can present a significant data security risk to the University. To mitigate this risk, the campus IT security office is tasked with reviewing the security practices of supplier organizations for any application, program, or service being procured and with providing guidance on the security controls required for the arrangement. A security controls review is required on the purchase or renewal of any product that allows access to, or that requires the transmission, processing, or storage of, the following types of information:
- Protected health information
- Student records
- Personal identification information
- Payment card information
- Export-controlled information
- Accessibility
It is strongly recommended that the IT Security Risk and Compliance Review process be initiated as soon as an IT procurement need is identified, to allow time for the security review and for any resulting negotiations between the PSC and the supplier. The final assessment produced by the appropriate campus security office from the completed review must be attached to the purchase requisition when it is entered in CU Marketplace. When procuring goods and/or services under an existing enterprise, campus, or other existing agreement, this process will generally have already been completed, and there is no need to attach related documentation.
More information about promoting security controls in contracts and service arrangements can be found at the Office of Information Security’s webpage dedicated to IT Purchasing Standards.
To ensure compliance with the review process established for your campus, refer to the following guidance:
- Boulder Information and Communication Technology Integrity Office
- Denver | Anschutz Technology Risk Assessment
- Colorado Springs: email the Information Security Office (ISO) at ITComply@uccs.edu
- System: email Keith Lehigh at Keith.Lehigh@cu.edu
Resources
Related Articles
- How-to-Buy Artificial Intelligence (AI) Software
- How-to-Buy Business Intelligence & Data Analysis Software
- How-to-Buy Cloud Computing Software & Services
- How-to-Buy Computer Game / Entertainment Software
- How-to-Buy Customer Relationship Management (CRM) Software
- How-to-Buy Educational Software
- How-to-Buy Enterprise Resource Planning (ERP) Software
- How-to-Buy IT Software Maintenance & Support
- How-to-Buy Medical Software
- How-to-Buy Network Management Software
- How-to-Buy Office / Business Operations Software
- How-to-Buy Point of Sale Software
- How-to-Buy IT Software - Other