What employees and students need to know about new OHIO information security standards
91探花 has adopted new Information Security Standards that serve to guide the University community on how best to secure the technology that accesses, stores, processes or transmits University data.
This article provides an overview of all of the new standards as well as background information on how and why they were established.
Launch of the IT Standing Committee: Information Security
In January 2020 the IT Governance Framework was established for OHIO. As the governance framework has evolved over the last year, the IT Standing Committee: Information Security was formed. The Information Security Governance Standing Committee is charged annually by the IT Strategy & Governance Committee and is empowered to inform strategy and decision rights for all University information security matters. This includes establishing roadmaps, shepherding initiatives and producing clearly defined decision authority and escalation paths.
Additionally, per OHIO Policy 91.005 Information Security the IT Standing Committee: Information Security Governance is responsible for approving information security standards.
First Group of Security Standards
The first group of University wide Information Security Standards approved by this committee are as follows:
- Acceptable Encryption Standard: All devices that store sensitive data, all authentication, and all network communications transmitting sensitive data must be encrypted.
- IT Impact: This standard will be implemented by OHIO IT professionals across all 91探花 campuses
- OHIO Community Impact: All students, faculty and staff students should be aware that email is not an acceptable method for transmitting sensitive data. In order to secure sensitive data that must be sent via email, it must be sent as an encrypted attachment.
- Data Breach Response Standard: Establishes a formal process for providing timely notice to affected individuals when there has been a breach of security involving their personally identifiable information.
- IT Impact: Cooperate with Information Security Office in the event of a data breach.
- OHIO Community Impact: 91探花 employees and students must report any incident where a breach of university data is suspected to the information security office.
- Microsoft O365- Remote Data Wipe: Describes the ability to remote wipe an individual鈥檚 OHIO University Microsoft O365 account in the event of device theft or loss. This action will prevent the compromise of university data under such circumstances.
- IT Impact: Notify the Information Security Office in the event a device containing university data has been lost or stolen.
- OHIO Community Impact: Notify the Information Security Office in the event a device containing university data has been lost or stolen.
- Mobile Device Standard: Ensures all University personnel who access, store, or process University data via a mobile device including cellphones, laptops, and external storage have the appropriate safeguards applied in the event the device is lost or stolen.
- IT Impact: The technical components of this standard will most often be implemented by OHIO IT Professionals across all 91探花 campuses.
- OHIO Community Impact: All individuals with mobile devices accessing, storing, or processing sensitive data have a responsibility to physically secure devices by storing them appropriately, not leaving devices unattended, and implementing tracking or recovery software to facilitate return in the event a device is lost or stolen.
- Patch Management Standard: Ensures that all University owned devices as well as devices that store, process, or transmit University data are proactively managed and patched with appropriate security updates.
- IT Impact: This standard will be implemented by OHIO IT professionals across all 91探花 campuses.
- OHIO Community Impact: This standard will impact researchers, faculty or staff that have systems processing university data that are not managed by OHIO IT professionals, as these systems must also be patched in accordance with this standard.
- Secure Computer Management Standard: Ensures that all University owned devices as well as devices that store, process, or transmit University data are configured in a way that seeks to prevent the compromise of University data.
- IT Impact: This standard will be implemented by OHIO IT professionals across all 91探花 campuses
- OHIO Community Impact: This standard will impact researchers, faculty or staff that have systems processing university data that are not managed by OHIO IT professionals, as these systems must be managed in accordance with this standard.
All Information Security Standards have an exception process available, should an individual or unit have circumstances preventing them from complying with a standard.
The 91探花 community is encouraged to read the full standards by visiting the Information Security Standards Webpage.