The Purpose of IT Compliance
The IT Compliance Review process at Missouri S&T is essential for ensuring that any hardware, software, or instrumentation purchased for research, teaching, or other purposes is compatible with our systems and does not expose the university to security or legal risks. This process is not about restricting access to the tools you need; it is about safeguarding our community and resources.
Why the Review Process is Important
Security
Reviewing all hardware and software is crucial because it helps us identify and mitigate potential security risks before they can affect our systems. Here are some specific reasons why this review is necessary:
- Preventing Data Breaches: By evaluating the security features of new tools, we can help prevent unauthorized access to sensitive research data, protecting intellectual property and maintaining our reputation.
- Avoiding Espionage: Ensuring that hardware and software are secure helps protect against attempts by foreign entities to steal research findings, especially those related to national security or cutting-edge technology.
- Mitigating Ransomware Threats: By assessing the security of new tools, we can reduce the risk of cybercriminals encrypting our data and demanding a ransom, which could disrupt research activities and cause financial strain.
- Blocking Phishing Attacks: Reviewing software helps us identify and block potential phishing vectors that could trick researchers into revealing their credentials, which in turn could give attackers unauthorized access to our systems.
Legal
From a legal perspective, the IT Compliance Review process is crucial for several reasons:
- Protecting Individuals: By ensuring that all hardware and software comply with legal standards, we protect individual researchers and faculty members from potential legal liabilities. This means you can focus on your work without worrying about inadvertently violating regulations.
- Avoiding Unfavorable Terms: The process ensures that the university does not commit to unfavorable terms in contracts or agreements with vendors. This includes avoiding clauses that could lead to unexpected costs, data ownership issues, or other legal complications.
Federal Requirements and Compliance
To safeguard our research and comply with federal regulations, we adhere to standards such as NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." This framework outlines the security requirements for protecting controlled unclassified information (CUI) when it is stored or processed on non-federal systems, including university research systems. Among its requirement families are:
- Access Control: Ensuring that only authorized individuals, accounts, and devices can access sensitive data.
- Incident Response: Having a plan to detect, respond to, and recover from security incidents, and to report them where required.
- Risk Assessment: Regularly evaluating our systems, including scanning for vulnerabilities, so that weaknesses are identified and remediated.
The Role of BPM 12004
BPM 12004 is the University of Missouri System policy that lays out the basic reasoning and responsibilities for the IT Compliance Review process. It provides a framework to ensure that all tools and technologies classified as an IT purchase and used within the university are secure and compliant with federal and institutional regulations. This policy helps us maintain a secure environment for our research and educational activities.
Relating to Researchers
We understand that the IT Compliance Review process might seem like an additional hurdle, but it is designed with your best interests in mind. By confirming compatibility and security before a purchase, we can prevent disruptions to your research and protect the integrity of your work. Think of it as a way to safeguard your valuable contributions and the university’s reputation.
If you have any concerns or need assistance with the process, our IT department is here to help. We’re committed to making this as smooth as possible so you can focus on what you do best—innovative research and teaching.