Ö÷²¥ÓÕ»ó

Technology Risk Assessment

Category: IT Security OIT - Categories Audience: Faculty Staff
Third-party vendor apps and cloud services can pose risks to the university. To reduce these risks, the Risk and Compliance (RAC) team reviews vendors handling confidential or highly confidential data, including HIPAA, FERPA, and PCI.

Overview: Risk and Compliance (RAC) Process

 

A wheel with the different steps listed showing the order of the RAC process.

 

The Risk and Compliance process consists of the following steps:

  1. Assessment request is submitted
  2. An initial review and department Q&A
  3. The vendor will be engaged by the RAC team
  4. Analysis of the vendor-provided information, and vendor Q&A with RAC team
  5. Close out (approved, approved with conditions, denied)
  6. Requesting department will purchase the approved software/application with university procurement (PSC)
  7. Department will resubmit an assessment request when it is time to renew the software or application license (this could be annually or custom duration depending on the contract agreement)

 

Compliance Requirements

To protect university confidential and highly confidential data, including PHI, the RAC team assesses the security and practices of all third-party vendor server applications and cloud services. 

Third party vendors must:

  • Prevent the loss, theft, unauthorized access and/or disclosure of university data
  • Destroy data when no longer needed per university data owner instructions
  • Have incident response procedures and reporting requirements in case of a breach

 

Timeline 

Requests are processed in order received. Timelines depend on responsiveness and complexity, typically taking 10–15 business days. More details are on the (SSO required).
To get started, Complete the .

 

Digital Accessibility

The RAC process includes working with vendors to ensure that technology procured by the university is inclusive and accessible. The RAC process collects a Voluntary Product Accessibility Template (VPAT) and accessibility questionnaire from the vendor to produce a digital accessibility risk assessment.  For reference, visit our
This assessment provides insight into the technology's digital accessibility level of compliance and is sent back to the original requestor.

 

Other University Teams to Contact for Process

  •  (PSC) - The team that will assist you with your purchase.
    • Procurement Service Center -
  •  - If your request will include the integration of your software with CU System to retrieve university data, enter a data integration request as soon as possible.
  •  (ORC) - If your request involves HIPAA data, the Office of Regulatory Compliance will be asked by the PSC to prepare a BAA for both parties to sign.

 

Resources

  •  
  •  
  •  
  • .

Office of Information Technology

Ö÷²¥ÓÕ»ó

Lawrence Street Center

1380 Lawrence Street

13th Floor

Denver, CO 80204

303-724-4357

About OIT
Remote and Hybrid Working
IT Accessibility
Partner Websites
CMS Login