Risk Assessment Services
The Information Security Office offers departments a range of information security assessments based on the National Institute of Standards and Technology (NIST) framework and industry best practices to help you identify and prioritize risks to university information, devices, and systems. This includes but is not limited to:
- Technology reviews are required for all information technology, communication technology or software purchases/renewals, including "free" services and services developed in house.
- Vulnerability assessments
- General recommendations for reducing information technology risk to an acceptable level.
How to Request
To request a risk assessment, email security@ohio.edu with the following information:
- Department name
- Brief description of the services the department provides.
- Description of the data types the department processes (e.g. FERPA, Student Loan Data, PCI data, Research Data, PHI, etc.).
- Are you subject to any compliance requirements (e.g. HIPAA, ITAR, GLBA, PCI-DSS, etc.)?
- Main contact within the department to facilitate the risk assessment.
- Approximate number of employees.
- Approximate number of workstations, and the individual or unit that provides desktop management.
- List of systems the department uses, indicating whether any are centrally managed.
Exception Process
Those who feel that they cannot meet the obligations set forth in a given university Information Security Standard must complete the Information Security Exception Request Form. Requests for exception from an Information Security Standard are reviewed by the Information Security Office, and the risks associated with not meeting the standard are communicated back to the requestor and to the appropriate individuals within the institution who have the authority to accept risk on behalf of the institution, in accordance with the university's Information Security Risk Management Policy (91.006).