The security review form is located at 
  1. When is a security review needed?  
    A security review is needed for any software, hardware, cloud- or web-based service if one or more of the following is true:
    • An existing review is not in place
    • An existing review is more than two years old
    • An existing review is for a substantially different usage from what your use will be (for example, the existing review is for use with public data, but your use will be with restricted data)
  2. Who should initiate the review?
    • An IT staff member (person in an IT HR classification) who is familiar with
      • the technology being requested,
      • how the technology will be used, and 
      • the security review process. 
    • The review form requires knowledge of technical terminology and concepts; non-IT staff members are usually unfamiliar with this terminology, which creates an opportunity for error.
    • For units outside of healthcare, this is typically the IT director for the org, or someone specifically designated by that director.  If in doubt, consult with your IT director before submitting.
    • Students should not initiate security reviews.
  3. What if I have questions about how to complete the form?
    • Contact for assistance.  Please do not guess at the answers.  The person completing the form is responsible for providing correct information, and they should not submit the form unless confident that the information is correct.
  4. Does the review process have to be completed before technology can be purchased and/or used?
    • No. HOWEVER, the person implementing the technology bears responsibility for any risk incurred if the technology is unsafe or used in an unsafe manner.  For any technology involved with restricted or critical data types, it is highly advisable to delay purchase and/or usage until the review has been completed, due to the higher risks associated with these data types.
  5. What about plug-ins for Teams or other Office 365 programs?
    Teams and other Office 365 programs may contain critical data regulated by HIPAA, FERPA, etc.  Because the Office 365 environment does not allow granular access for plug-ins, these types of technology are generally not approved, even when the requested usage is for less sensitive data.
  6. Are there any technologies that are already reviewed and not approved?
    Yes. Please see the Prohibited Technology page for more information.


Last updated 6/21/2023