Breadcrumb
Security Review Frequently Asked Questions
- How do I request a security review?
Login to the IT Enterprise Service Center
Request something | Security | Supply Chain Risk Management | Security Review Request
In the comments, provide detailed information about what needs to be reviewed. - When is a security review needed?
A security review is needed for any software, hardware, cloud- or web-based service if one or more of the following is true:- If an existing review is not in place
- If an existing review is more than two years old
- If an existing review is for a substantially different usage from what your use will be (example, existing review is for use with public data, your use will be with restricted data)
Who should initiate the review?
As of June 2026, the University of Iowa has moved to the OneTrust TPRM (third party risk management) platform. With this move, only org IT directors and a limited number of designees are authorized to enter security reviews. If you need a review submitted on your behalf, please contact the IT director for your org, or use the instructions provided in #1 above.
For those authorized to enter reviews, the new URL is https://uiowa.my.onetrust.com/auth/loginWhat if I have questions about how to complete the form.
Contact it-security@uiowa.edu for assistance. Please do not guess at the answers. The person completing the form is responsible for providing correct information, and they should not submit the form unless confident that the information is correct.
Does the review process have to be completed before technology can be purchased and/or used?
In general, yes. In very rare circumstances, an org IT leader may grant temporary permission to proceed while a review completes if there is a compelling need. By doing so, the IT leader accepts responsibility for any risks incurred, including but not limited to the need to halt usage of the technology if ultimately not approved.
- What about plug-ins for Teams or other Office 365 programs?
Teams and other Office 365 programs may contain critical data regulated by HIPAA, FERPA, etc. Because the Office 365 environment does not allow granular access for plug-ins, these types of technology are generally not approved, even when the requested usage is for less sensitive data. - Are there any technologies that are already reviewed and not approved?
Yes, please see the Prohibited Technology page for more information.
Last updated 7/9/2026