Standards
The Information Security Office is in the process of authoring standards to provide guidance to the University in effective information handling and to support University policy. Any standards marked as "draft" are in the process of being finalized, but still provide industry best practices for various facets of information handling. These documents may undergo some minor changes between their draft and final form.
Standard | Abstract | Impact | Related Links/FAQs |
---|---|---|---|
Acceptable Encryption Standard | This standard provides guidelines for acceptable encryption to ensure the confidentiality and integrity of sensitive data. This applies to data in transit or stored on mobile devices or removable media. | All university employees and other individuals with access to university data (retired or emeritus staff/faculty, contractors and volunteers; and any student handling university data). | |
Account Management Standard | This standard exists to ensure that access to systems is appropriately requested, approved, granted, terminated, and reviewed on a regular basis. The management of user accounts is critical in protecting university data and minimizing risks to the institution. | All university employees and students, and other individuals with access to university data (retired or emeritus staff/faculty, contractors and volunteers). | |
Data Breach Response Standard | The University will provide timely and appropriate notice to affected individuals when there has been a breach of security involving their private data. | University employees and students, or other individuals who need to report a suspected security incident. | Administrative Procedure: Notification of a Data Security Breach |
Information Security Awareness & Training Standard | This standard outlines the responsibilities of departments in ensuring that their staff are appropriately trained to maintain compliance with regulations that protect sensitive data. | All Ohio University faculty, staff, student employees, and any third-party affiliates who require access to sensitive university data. | Online IT Security Training |
Information Security Risk Assessment Standard | This standard establishes the process for assessing risks associated with university data and information systems (“Ohio Systems”) and documenting and communicating the associated risks to university leadership. | All existing OHIO Systems and Third Party Vendors prior to the acquisition of information systems. | Administrative Procedure: Information Security Risk Management Strategy |
Media Sanitization Standard | This standard establishes the concept of media sanitization and the responsibility of individuals to determine and apply the appropriate sanitization method for the corresponding classification of the media they work with. | All university employees and students, and other individuals with access to university data (retired or emeritus staff/faculty, contractors and volunteers). | |
Microsoft O365 - Remote Data Wipe Standard | This standard describes the Microsoft capability to remotely remove all data from a device that is synced to your OHIO email account in case the device is lost or stolen. | All university employees and students, and other individuals with access to university data (retired or emeritus staff/faculty, contractors and volunteers). | |
Mobile Device Standard | To establish information security requirements for the use of mobile devices ("device"). | Users that access, store, or process university data via a device. | Smartphone Security |
Patch Management Standard | This standard ensures that the university takes a proactive approach to managing vulnerabilities, to reduce or eliminate the potential for exploitation of such vulnerabilities and prevent the excessive time, effort, and potential costs that often result when responding to an exploitation after it has occurred. | OHIO Systems; including all university owned servers, endpoints, and software. | |
Physical Security Standard | The purpose of this standard is to define controls to maintain the confidentiality, integrity, and availability of OHIO resources through the prevention of loss, damage, theft, or compromise of university data and assets. | All OHIO faculty, staff, students and third-party associates, any systems or paper records containing OHIO data. | Physical Security Tips |
Safeguarding Sensitive University Data Standard | The purpose of this standard is to establish the guidelines for the process of safeguarding sensitive university data from improper disclosure. | All faculty, staff, students, and third parties that access sensitive university data. | Sensitive Data: Defining and Classifying |
Secure Computer Management Standard | This standard ensures that all university owned devices as well as devices that store, process, or transmit university data are proactively managed and configured in a way that protects university data. | All computers which process, store, or transmit University data. | Secure Computing at OHIO |
Securing University Work Standard | This standard sets forth the criteria for working on the four primary models of devices used by OHIO employees and agents: managed OHIO devices, virtual desktop instance, self-managed OHIO devices, and personally owned devices. | All Ohio University employees, agents, and the computing devices (“devices”) used to perform University work. | |
Secure Travel Standard | This standard ensures that OHIO employees secure workstations when accessing, processing, or transmitting university data while traveling both domestically and internationally. | All OHIO employees who are working while also traveling | |
Secure Use of Artificial Intelligence (AI) Tools | This standard establishes acceptable and prohibited use of Artificial Intelligence Tools for University work. | All OHIO account users who process, store, or transmit university data | |
Security Incident Response Standard | This standard outlines the process for notification of and response to a security incident involving data processed, stored, or transmitted by the University. | All faculty, staff, students, and third parties that access university data. | Ohio University Incident Response 2021 |
Security Standard for General Information Systems | A standard for the configuration of information systems at Ohio University. | All Ohio University affiliates, organizations or individuals who deploy, configure, or maintain information systems within the university network. | |
Sensitive Data within One Drive Standard | This standard describes the technical and administrative controls that must be implemented when storing sensitive data within Ohio University’s OneDrive for Business (“OneDrive”) accounts. | All Ohio University operating units that wish to store sensitive information within a cloud-based solution. | OneDrive/O365 Groups Data Storage |
Student Identification Verification Standard | This standard supports the University's Verification of Student Identity Policy (12.027) so that the university can ensure there are standardized methods of verifying identity. | OHIO programs, courses, and activities, including courses designated as Distance Education or other comparable designations. | |
Third Party Vendor Management Standard | This standard establishes fundamental security guidelines, requirements and procedures that support the mandatory protection of information assets for business, contractual, regulatory and legal reasons. | OHIO Systems and assets, employees, vendors and agents operating on behalf of the university using OHIO Systems. | |
Virus Protection Standard | This standard ensures the security and integrity of university information and information technology resources against malicious software such as viruses, worms, and trojans. | This standard applies to all faculty, staff, students, and third parties which do business with the university. | Anti-Virus Software |