University Community

What employees and students need to know about new OHIO information security standards

Ohio University has adopted new Information Security Standards that serve to guide the University community on how best to secure the technology that accesses, stores, processes or transmits University data. 

This article provides an overview of all of the new standards as well as background information on how and why they were established. 

Launch of the IT Standing Committee: Information Security

In January 2020 the IT Governance Framework was established for OHIO. As the governance framework has evolved over the last year, the IT Standing Committee: Information Security was formed. The Information Security Governance Standing Committee is charged annually by the IT Strategy & Governance Committee and is empowered to inform strategy and decision rights for all University information security matters. This includes establishing roadmaps, shepherding initiatives and producing clearly defined decision authority and escalation paths. 

Additionally, per OHIO Policy 91.005 Information Security, the IT Standing Committee: Information Security Governance is responsible for approving information security standards.

First Group of Security Standards

The first group of University-wide Information Security Standards approved by this committee is as follows:

  • Acceptable Encryption Standard: All devices that store sensitive data, all authentication, and all network communications transmitting sensitive data must be encrypted. 
    • IT Impact: This standard will be implemented by OHIO IT professionals across all Ohio University campuses.
    • OHIO Community Impact: All students, faculty and staff should be aware that email is not an acceptable method for transmitting sensitive data. Sensitive data that must be sent via email must be sent as an encrypted attachment.
  • Data Breach Response Standard: Establishes a formal process for providing timely notice to affected individuals when there has been a breach of security involving their personally identifiable information.
    • IT Impact: Cooperate with the Information Security Office in the event of a data breach.
    • OHIO Community Impact: Ohio University employees and students must report any incident where a breach of university data is suspected to the Information Security Office.
  • Microsoft O365- Remote Data Wipe: Describes the ability to remotely wipe an individual’s OHIO University Microsoft O365 account in the event of device theft or loss. This action will prevent the compromise of university data under such circumstances.
    • IT Impact: Notify the Information Security Office in the event a device containing university data has been lost or stolen. 
    • OHIO Community Impact: Notify the Information Security Office in the event a device containing university data has been lost or stolen. 
  • Mobile Device Standard: Ensures all University personnel who access, store, or process University data via a mobile device, including cellphones, laptops, and external storage, have the appropriate safeguards applied in the event the device is lost or stolen.
    • IT Impact: The technical components of this standard will most often be implemented by OHIO IT Professionals across all Ohio University campuses.
    • OHIO Community Impact: All individuals with mobile devices accessing, storing, or processing sensitive data have a responsibility to physically secure devices by storing them appropriately, not leaving devices unattended, and implementing tracking or recovery software to facilitate return in the event a device is lost or stolen.
  • Patch Management Standard: Ensures that all University-owned devices, as well as devices that store, process, or transmit University data, are proactively managed and patched with appropriate security updates.
    • IT Impact: This standard will be implemented by OHIO IT professionals across all Ohio University campuses.
    • OHIO Community Impact: This standard will impact researchers, faculty or staff that have systems processing university data that are not managed by OHIO IT professionals, as these systems must also be patched in accordance with this standard.
  • Secure Computer Management Standard: Ensures that all University-owned devices, as well as devices that store, process, or transmit University data, are configured in a way that seeks to prevent the compromise of University data.
    • IT Impact: This standard will be implemented by OHIO IT professionals across all Ohio University campuses.
    • OHIO Community Impact: This standard will impact researchers, faculty or staff that have systems processing university data that are not managed by OHIO IT professionals, as these systems must be managed in accordance with this standard.

All Information Security Standards have an exception process available, should an individual or unit have circumstances preventing them from complying with a standard.

The Ohio University community is encouraged to read the full standards by visiting the Information Security Standards webpage.

Published: April 1, 2021
Author: Staff reports

An Introduction to Information Security at OHIO

The Ohio University Information Security Office strives to educate and empower the University community to appropriately manage risks and protect OHIO’s information and systems. This effort is facilitated through policies, standards and an information security risk management program, as well as other tools and guidance that are provided to the University community. This modern approach creates a safe computing environment in which the university community can teach, learn and conduct research.

The services provided to the OHIO community by the Information Security Office include incident response, forensics and investigations, risk assessments, vendor security reviews, consultations, training and awareness, monitoring and the development of information security policies and practices. Through these service offerings, the Information Security Office works to guide the campus community on effective data handling practices.