Key Risk Indicator Dashboard Suite
In 2013, Digital Security and Trust (DST) released the Information Security Control Requirements (ISCR) to develop a common language and approach to protecting information security. The initial "Three and Green" program provided a risk based approached for units across campus to implement the ISCR and utilized tools such as the Risk Management Strategy for Risk Management Entities (RME) to report their status to comply with the requirements and their plan to further mitigate risk over the next year. This program was immensely successful in introducing the university to security and risk.
The next steps in maturity for the university is to utilize tools, services and analysis to measure an RME's ability to implement and maintain the ISCR based on present and changing risks. To meet this next step, DST has developed the Key Risk Indicator (KRI) Dashboards. The KRI Dashboards will provide current and actionable risks which are high risk and must be remediated. The KRI Dashboard will have a suite of dashboards designed for respective audiences.
- The KRI Summary and Details Dashboards
- The KRI Risk Management Profile
- The KRI University Overview
KRI Summary and Details Dashboards
The KRI Summary Dashboard is designed for use by Security Coordinators to view new and existing vulnerabilities based on risks. It provides multiple panels, each focused on a different service and score based on the DST service owners’ design. This provides a quick snapshot of those risks, which can be clicked upon to view further details in the respective KRI Details Dashboard. Details provided can be shared with the appropriate technical experts within the RME to investigate and remediate the risk.
KRI Risk Management Profile
The KRI Risk Management Profile is designed for Security Coordinators and IT Leads to present the status of the RME’s risk management to their respective senior leadership. It will be a monthly report sent to the Security Coordinators and IT Leads. This Profile provides a summary view based on the industry standard measurement, the NIST Cybersecurity Framework (CSF), and is provided based on the CSF’s 5 functional categories: Identify, Detect, Protect, Respond, and Recover. For each of these, the risk score is explained and the action necessary is provided to Security Coordinator’s and IT Leads to allow them to talk about the reason for the score and their plan to mitigate any outstanding risks. Beginning in Fall 2023, Security Coordinators and IT Leads will receive their respective Risk Management Profile along with instructions and training on the process.
KRI Overview
The KRI Overview is designed for use by DST Governance, the university's chief information security officer, and Internal Audit. The Overview provides similar data as the KRI Summary, but it allows a view of multiple RMEs to understand how they are managing risk and possible areas for improvement. This helps to identify services that may need further assistance in helping the university as a whole manage risk, as well as a risk management entity (RME) that may need assistance in managing specific risks.
Access the Service
Contact for Questions
Email: riskmgmt@osu.edu