Data Security

The Security Assessment Review (SAR) process, administered by Cybersecurity Governance, Risk, and Compliance (GRC), is required whenever institution information classified as anything other than Public will be captured, stored, processed, transmitted, or otherwise managed by a third party (e.g., vendor, service provider). When Â̾ÞÈËÊÓƵ information is captured or stored in non-Â̾ÞÈËÊÓƵ information technology resources, stored in non-Â̾ÞÈËÊÓƵ facilities, or handled by non-Â̾ÞÈËÊÓƵ persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what the risks are to the information, and how those risks will be mitigated.

A SAR should be completed and approved by ET&S prior to requesting a contract through procurement if any of the above conditions apply.