Technology Security Assessment

We Help You Choose Compliant, Compatible Technology

ITCS evaluates new and existing software for verification of compliance regarding HIPAA,FERPA, SSN/PII, PCI, and other sensitive data types.

  • When is a Technology Security Assessment Necessary?
    Department purchases a new technology

    • Requisition – Materials Management submits the assessment request.
    • ProCard – The department submits the assessment request.
  • Department already owns a technology, and…
    • …the technology has never been assessed. The department submits the assessment request.
    • …the technology’s use case has altered, and a re-assessment is necessary. Cloud-based solutions utilizing sensitive data are reviewed ANNUALLY or during renewal cycle. The department submits the assessment request.
    • Additional guidance for ONLINE INSTRUCTIONAL TOOLS is found:
  • Department is contemplating a software purchase (department submits the assessment request)

What Information Do You Need?

Required information for a cloud-based solution:

  • Vendor’s geographic location or third-party data center
  • Vendor’s (or third party’s) security policy
  • Authentication process and user login URL
  • The software’s auditing capabilities
  • Username and password configuration including encryption methods
  • Data encryption details in both transit and storage
  • Your Business Continuity Plan if the software/application is unavailable
  • Hosting entity’s Disaster Recovery Plan
  • Hosting entity’s report or letter certifying a successful SSAE16 or SOC report issued by a credentialed auditing firm within the last year

Required information for a hosted, onsite solution:

  • Authentication process
  • Software’s auditing capabilities
  • Data storage location
  • Username and password configuration plus encryption methods
  • Your Business Continuity Plan if the product is unavailable

Assessment Workflow

For information on the software assessment workflow, visit the project office website.