Browse commonly used Information Security and IT Compliance (ISIC) tools and services below. The ISIC team provides several services to keep your information and the university's data safe. Services provided include monitoring, protecting and securing our information technology infrastructure, data and operations to safeguard the privacy of the university community while maintaining compliance with applicable policies, laws and regulations.
For information technology services, visit our Information Strategy and Services partner at the Office of Information Technology (OIT) website or contact the Service Desk for additional questions.
Third party vendor applications and cloud services can present significant risk to the university. To mitigate the risk, the Risk and Compliance (RAC) team reviews the security of vendor organizations for server applications facing the internet, or services provided by a vendor that will have access to university confidential, or highly confidential data (including HIPAA, FERPA, and PCI data). This process is essential in minimizing legal issues during the negotiation of the IT Security language during the contract process.
Third party vendors are now subject to the same Security Rule requirements as Covered Entities, and are also subject to relevant sections of the Privacy Rule and the HITECH Breach Notification Rule. In order to protect university confidential and highly confidential data, including PHI, the risk and compliance team assesses the security and practices of all third party vendor server applications and cloud services. Third party vendor applications include those that process, transmit or store PCI (Payment Card Industry) data.
Third party vendors must:
Timeline: Please note, we complete requests in the order we receive them and timelines are dependent on the responsiveness of the requestor, vendor, and the complexity of the agreement. More information is available on the Technology Risk Assessment Process webpage.
In addition, the process also includes working with our vendor to ensure that technology procured by the university are inclusive and accessible. The RAC process will now collect a Voluntary Product Accessibility Template (VPAT) and accessibility questionnaire from the vendor to produce a digital accessibility risk assessment. This digital accessibility risk assessment will provide insight on the technology's digital accessibility level of compliance and will be sent back to the original requestor. For recommended steps following the risk assessment, please reference steps 2 and 3 in our CU Anschutz Procuring Accessible IT guide.