IT Governance approves third group of Information Security Standards
One of the top priorities of the Information Security Standing Committee is the creation of Information Security Standards that serve to guide the University community on how best to secure the technology that accesses, stores, processes, or transmits University data.
The third group of University-wide Information Security Standards, approved by this committee in February of 2022, is as follows:
Security Standard for General Information Systems
This standard outlines how University systems shall be configured based on the level of sensitivity of the data stored, processed, or transmitted via those systems.
- IT Impact: OHIO IT Professionals will use this guide when implementing system controls to ensure the level of protection aligns with the sensitivity of data stored, processed, or transmitted on the system.
- OHIO Community Impact: All members of the University community have a responsibility to know what sensitive data is, to know the sensitivity level of the data they work with each day, and to ensure that system administrators know the sensitivity of data stored, processed, or transmitted on a given system.
Information Security Risk Assessment Standard
This standard outlines the process for assessing risks associated with University data and information systems as well as the process for documenting and communicating such risks to University leadership.
- IT Impact: Ohio University’s Information Security Office will perform Risk Assessments for IT vendors, IT systems, and University departments.
- OHIO Community Impact: All members of the University community have a responsibility to participate in the risk assessment process as applicable.
Information Security Risk Management Program (ISRMP) Strategy
This standard outlines the cadence by which risk assessments shall be performed in accordance with the sensitivity of the data processed by a University system or unit.
- IT Impact: Ohio University’s Information Security Office will prioritize and complete Risk Assessments in accordance with the sensitivity of the data stored, processed, or transmitted via the IT vendor, IT system or University department.
- OHIO Community Impact: All members of the University community have a responsibility to know what sensitive data is and their responsibility for participating in this process according to the cadence outlined within this standard.
Third-Party Vendor Management Standard
This standard outlines the process by which software vendors are reviewed to ensure that their data security practices are adequate to effectively protect University data stored, processed, or transmitted via a cloud-hosted vendor.
- IT Impact: OIT will perform a review of software vendors to ensure the security of data stored, processed, and transmitted via software vendors.
- OHIO Community Impact: Participate in the technology review process by completing a Request for Review Form for any utilized software.
Virus-Malware Protection Standard
This standard outlines the requirement that all devices used for collecting, creating, storing, processing, or distributing University data must have antivirus/malware software installed and actively checking for viruses at regular intervals.
- IT Impact: OHIO IT Professionals will assist with ensuring that all devices used for collecting, creating, storing, processing, or distributing University data have antivirus/malware software installed and actively checking for viruses at regular intervals.
- OHIO Community Impact: All members of the University community have a responsibility to report and remediate any viruses or malware identified by the software.
All Information Security Standards have an exception process, should an individual or unit have circumstances preventing them from complying with a Standard.
The Ohio University community is encouraged to read the full Information Security Standards and understand their impact. Additionally, the Information Security Office is hosting a Standards Q&A Session on April 29, 2022, at 1 pm. Interested participants can register for the Q&A session by sending an email to security@ohio.edu.