InfoSec Allies: Office of Resource Management

Many hands touching a speech bubble.

The Office of Resource Management (ORM) plays an essential part in our day-to-day lives and operations at WashU. The office, home to more than 20 staff members, encompasses the departments of Purchasing Services, Furniture and Design, and Supplier Diversity and Mail Services. People from every department and role in the university community interact with the office in some capacity. The ORM team is committed to helping our community members get what they need to advance our shared mission of teaching, research, and patient care and doing it in a way that also provides a benefit to the broader community. From swiftly procuring high volumes of PPE and vaccines during the pandemic to designing office spaces, reviewing contracts, and seeking out minority vendors, women’s business enterprises, and sustainable solutions, the ORM contributes so much to everything it means to be WashU. Among their many roles at WashU, they’re also an important ally in our effort to secure university information resources.

Lisa Owens, a Project Administrator for Resource Management, recently sat down with colleagues from the Information Security Governance, Risk, and Compliance (GRC) team to discuss the work of her office at WashU and the relationship between Resource Management and the Office of Information Security (OIS). The new IT Procurement Vendor Intake Form, available in June 2022, illustrates the cooperative relationship between these offices.

The ORM is often involved in reviewing contracts during security risk assessments. According to Owens, the ORM’s “expertise in contract negotiation and review pairs well with IT-based contracts, where we assist to review the contract to determine if. . . it is low, medium, or high risk.” The ORM is attuned to identifying contracts that involve certain risks, such as sensitive data exposure, and they work with the OIS to assess those security risks. Further, if the vendor contract involves possible exposure of protected health information (PHI), the ORM works to execute a Business Associate Agreement (BAA) in addition to the contract. Owens says, “it’s essential for our office to work with the OIS so that we can ensure we are effectively mitigating risks.”

The ORM and the OIS have recently teamed up to create a new, streamlined process for security assessment in the vendor intake process. The new IT Procurement Vendor Intake Form makes the review process for new IT-related software and services “seamless and easy for departments to use.” The new form will “keep the process in one place, avoid requesting redundant information, and give the submitter more visibility on the progress of the review.” Owens says, “our goal is for the form to be user-friendly and provide sufficient background to both teams at the same time.”

With this form, as with any request sent to ORM or the OIS, departments can help make the review process even easier by providing as much information as possible. Once the form is submitted, the ORM works with the OIS to assess risk factors before circling back to the department and vendor to review, negotiate, and approve new contracts.

The Office of Information Security extends our sincere gratitude to the Office of Resource Management for all they do for the WashU community, and especially for their support in protecting the security of our information resources. Thank you, ORM; we wouldn’t be WashU without you!

Does your office play an important role in protecting our shared information security? We’d love to feature our many InfoSec Allies in our monthly newsletter. Please reach out to us at to get the conversation started.