Security Assessment Requirement Changes

Study-provided Electronic Data Capture (EDC) systems no longer require an IT Security Assessment.  The items listed below, may still require a Security Assessment, prior to purchase or renewal:

1. IT Services and Systems interacting with regulated data (ePHI, PCI, FERPA, GLBA, PII, or CUI).
2. All Third Party technology providers.
3. IT Services and Systems that are Mission-Critical to a College, University, Department, or Research Project.
4. Cloud, network, or removable storage devices.
5. Medical devices.    

If you have open assessment requests for EDC systems, OU IT GRC will reach out to you and confirm the assessment is no longer needed. The IRB will continue to review study protocols and let you know if a security assessment is needed for technology usage. To learn more about the OU IT Security Assessment requirement, visit https://itsupport.ou.edu/TDClient/34/OKC/Requests/ServiceDet?ID=64&SIDs=1307.