New Rule 4-050B requires security and accessibility reviews for new software that handles restricted data
On April 4, 2022, the University of Utah Academic Senate approved University Software Rule 4-050B. The new rule applies to all University of Utah entities, including all main campus, Health Sciences, and University of Utah Health organizations.
The rule is in effect as of April 4, 2022. U organizations must ensure that software purchased, leased, or developed by the university is reviewed for compliance with IT security requirements and accessibility requirements for persons with disabilities.
Covered by the policy/rule:
- Units in University of Utah Health Hospitals and Clinics
- Units in the University of Utah
- Software of any cost that is requested for purchase, lease, development, or other form of acquisition (including free and open-source software) and that accesses, manipulates, creates, or stores restricted data
- Note: Adherence to Rule 4-050B is recommended, but not required, for software that accesses, manipulates, creates or stores sensitive data as outlined in Rule 4-004C.
Not covered by the policy/rule:
- Software that resides in a protected environment (PE)
- E.g., the Center for High Performance Computing’s (CHPC) PE, which provides HIPAA-compliant space for researchers at the University of Utah. CHPC provides hardware, software, tools, and support.
- Software approved by the Chief Information Security Officer (CISO) as an exception
- Software that does not contain restricted data
- Software on a device that is not connected to the university network
Updated software acquisition process
Prior to purchase, lease, development or other form of software acquisition, university organizations must work with vendors to:
- Complete the Educause Higher Education Vendor Assessment Tool (HECVAT)
- Complete the appropriate questionnaire:
UIT will assist organizations and vendors as needed. For additional details on the software acquisition process, see the IT Knowledge Base article on software acquisition.
A list of software that has been previously reviewed will be distributed at a later date. Please note that software that has been reviewed and approved must still be assessed for each organization's use cases.
Goals of the policy and rule
- Establish a framework for identifying the scope and purpose associated with university software
- Provide the university the opportunity to review the security and accessibility of all software purchased, leased or developed by the university to ensure it meets current information security and accessibility standards
- Promote appropriate collaboration among university administrative, academic, and U of U Health units on:
- The purchase, lease, development, or other form of acquisition of university software
- Data and services associated with such software
- Costs for the proposed software
The rule has been reviewed and approved by the Institutional Policy Committee and Academic Senate.
If you have any questions, please contact UIT Deputy Chief Information Officer Ken Pink at ken.pink@utah.edu or 801-581-3875.
Node 4
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.