...
Depending upon the scope of the project, an "Inherent Risk survey" may need to be done by the Information Security Office (ISO). A risk assessment and mitigation plan must be approved by ISPO Information Security Office A satisfactory scan report must be completed.
If there is any information sharing with third parties, an information sharing assessment form (ISAF) needs to be initiated with the UofU privacy office to determine if a Business Associates Agreement needs to be on file. Please send CHPC your BAA if you have one already, otherwise The ISAF must be completely filled out (Typed) by the requesting department and returned for evaluation to determine the need for a Business Associate Agreement or other agreement to protect the information being shared. ISAF form can be found at Business Associates.
Please refer to the UofU Information Security and Privacy Office for details and help (and keep CHPC informed) .
...