Security and Privacy Control Assessment

prioritize risks to your resources. Implement a plan to reduce or minimize risks. Verify that entities are effectively managing risks

Overview

The Security and Privacy Control Assessment (SPCA) is an organizational self-assessment that aligns with the "Assess" step of the NIST Risk Management Framework. SPCA aims to determine if an organization's security and privacy controls are effective and aligned with the university's risk appetite. At The Ohio State University, our controls are documented in the Information Security Control Requirements (ISCR). Previous versions of this program included the ISSA and ISCR.a, which have been retired.

Program Strategy

The Security and Privacy Control Assessment (SPCA) program measures and reports compliance of the organization with the Information Security Control Requirements (ISCR) to identify areas of strength and weakness for effective risk management. Security Coordinators within Risk Management Entities (RME) use a self-assessment to rate the maturity of select ISCR controls within their organization on a scale from 0-4. This assessment is conducted annually, beginning in 2024.

The Digital Security and Trust (DST) Risk Management team collects and analyzes SPCA results. For individual ISCR controls, we compare each RME score against the university average. We provide the RME with this data as a yardstick to gauge their performance relative to other areas of the university.

The analysis identifies the overall risk posture of the university, trends, areas of opportunity, and changes from prior years. We share this information with DST leadership and present a high-level overview to the University Integrity and Compliance Council and Board of Trustees.

Program Goals

  • Identify Security Risks: Identifying potential security risks within the university and prioritizing the most critical risks is our primary goal  This continuous improvement ultimately elevates the university’s security posture.
  • Mitigate Risks: Develop and implement strategies to mitigate identified risks and aid in effective allocation of resources.
  • Ensure Compliance: Ensure that the organization complies with Information Security Control Requirements.  This helps to minimize legal, financial, and reputational penalties.
  • Enhance Decision-Making: Provide valuable insights that support informed decision-making regarding security investments and risk acceptance.