INFORMATION TECHNOLOGY

Security Assessments

The IT Security Office performs security assessments for hardware, software, and services as part of the procurement process.  Procurement of technology that does not meet IT’s defined security standards will be blocked from moving forward.

Security assessments are built into the IT Project Request process, which works in parallel with the procurement processes.  To initiate the assessment review, a project request must be submitted to IT’s PMO office at utoledo.edu/it/pmo.  The project request will be reviewed for completeness.  With a successful review, the requestor will receive an email with a link to a web-based triage form that solicits additional information about the technology or service being purchased and the vendor’s name and contact information.

Once the triage form has been submitted, the PMO will assign an IT lead engineer to perform a review/design of the hardware, software, or service.  The vendor will receive a request to complete a specific HECVAT document (HECVAT Lite, Full, or On-Prem) and to provide other technical documentation about the product/service being purchased.  Once all supporting documentation is received and the IT review/design is completed, the security office will review the proposed purchase and assess its risk to UToledo.  The outcome of the assessment will be shared with the requesting department and purchasing.


Frequently Asked Questions

When does a Security Assessment (and by definition, a project request) need to be completed?

  • A security assessment is required prior to purchasing for the following items:
    • Any computing hardware, software, or third-party services
    • Any device which requires network connectivity (wired or wireless)
    • Anything that involves Data Privacy and Data Compliance with regard to UToledo data (HIPAA, FERPA, PCI, PHI, PII, CDI or CUI, Financial data, Research data, etc.)
    • Any cloud-hosted or third party hosted systems
    • Major system upgrades to existing software

What is the HECVAT?

The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit

Why HECVAT?

The HECVAT is specifically designed to meet the needs of the higher education community. Utilizing the HECVAT benefits vendors by providing a common form that can be used across more than 100 participating institutions.

How long does a security assessment take?

Assessment time varies based on factors including the completeness of information provided by the business unit, the complexity of the item/project, and vendor/third-party cooperation with the process. This process often takes between 4 and 12 weeks to complete.

Last Updated: 7/15/24