Security Coordinators

The Ohio State IT Security Policy specifies the requirement for establishing security representatives from colleges, units, and campuses. The security representative, known as the Security Coordinator, serves as the unit liaison with Digital Security and Trust (DST) for security-related matters and activities, and is responsible for the execution of security activities in their college or unit.

Contact: Digital Security and Trust Security Governance

Last updated: April 23, 2024




Security Coordinator Onboarding

Office of Technology and Digital Innovation, Digital Security and Trust

Security Governance

  • Oversees the security requirements for the university
  • Offers guidance to RMEs (Risk Management Entities) in meeting security controls and managing risk
  • Measures RMEs' ability to manage risk

Security Governance mailbox: riskmgmt@osu.edu

Institutional Data Policy Training: Search for “IDP” and take the current FY’s training; the training window opened on February 1 and closes April 29

Framework: Based on National Institute of Standards and Technology Special Publication 800-53 (Low)

Framework foundational documents:

  • Institutional Data Policy: outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use.
    • The university’s institutional data are significant assets that must be effectively managed and protected by all members of the university community.
      • More details are in the Information Security Standard (ISS)
      • The Information Security Control Requirements (ISCR) provides the granular details outlined in the ISS
    • Key points in the IDP
      • Data classifications
        • Public (S1): Institutional data intended for public use that has no access or management restrictions.
        • Internal (S2): Institutional data used to conduct university business and operations. Unless otherwise indicated, internal is the default level for institutional data.
        • Private (S3): Institutional data classified as private due to legal, regulatory, administrative, or contractual requirements; intellectual property or ethical considerations; strategic or proprietary value; and/or other special governance of such data.
        • Restricted (S4): Institutional data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements.
  • Information Security Standard: defines thirty-eight risk areas for the university. Each risk area includes a security objective, as well as a list of security controls to be used to meet the stated objective.
  • Information Security Control Requirements: provides detailed implementation guidance for each security control specified in the Information Security Standard (ISS). These control requirements apply to all university information systems and assets under the university’s control and to the people who access these systems.
  • Information Risk Management Framework: cross-references or “maps” the security controls of Ohio State’s Information Security Standard (ISS) and Information Security Control Requirements (ISCR) to other security standards and regulations.
    • NIST SP 800-53: This appendix is intended as a guide for understanding how Ohio State has implemented the special publication. In general, the IRMF includes the controls NIST specified in the Special Publication 800-53 low baseline.
    • FedRAMP: Provides a mapping from the security controls in Ohio State’s Information Risk Management Framework (IRMF) to the security safeguards adhering to the Federal Risk and Authorization Management Program (FedRAMP, cloud services).
    • HIPAA Security Rule: The HIPAA regulations apply to organizations that are covered entities. Because OSU is a hybrid covered entity, the HIPAA regulations apply to its covered health care components and to units performing business associate functions for an OSU health care component.
    • NIST SP 800-171: provides a mapping from the security controls in The Ohio State University Information Security Control Requirements (ISCR) to NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
    • Payment Card Industry (PCI): Provides a mapping from the security controls in Ohio State’s Information Risk Management Framework (IRMF) to the security safeguards adhering to The Payment Card Industry Data Security Standards (PCI DSS).
    • NIST Privacy Framework
  • Job Aids: Job Aids have been developed to aid those implementing Ohio State’s Information Security Control Requirements (ISCR) on university information systems and assets under the university’s control, and the people who access these systems.
  • University-Approved Lists: University-Approved Lists have been developed to aid those implementing Ohio State’s Information Security Control Requirements (ISCR) on university information systems and assets under the university’s control, and the people who access these systems.
  • Cyber and Privacy Legal Review: summary of state, federal, and international laws as well as industry standards. Provides guidance if OSU must take action to comply with the law/regulation.

Technical Testing

  • Technical tests demonstrate control effectiveness and generate action items when the scans produce findings
    • Configuration scanning inventory, log testing, web app scanning, etc.
    • Actionable results from the technical scans are published on the Key Risk Indicator (KRI) dashboard, which is available to the Security Coordinators and their senior leadership

Security and Privacy Controls Assessment (SPCA)

  • Reboot of the Information Risk Summary (IRS); expect to see it later in 2024

Technology and Information Exception Request Process (TIER)

  • The university has defined information security control requirements which offer structure on how to protect the university's institutional data and systems and comply with the Institutional Data and IT Security policies. While the expectation is to meet these requirements, there are circumstances where meeting specific requirements may not be possible. These specific cases are defined as exceptions and must be documented, reviewed, and approved.
  • The Technology and Information Exception Request Process facilitates documenting, reviewing, and either approving or rejecting exceptions. The foundation of this process is a workflow that includes information security, privacy, technology, and regulatory and contractual experts. Following this process provides reviewers with enough information to either accept the risk or reject the request.

    Responsibilities (currently under revision)

    • Primary point of contact for the implementation of the security framework in their unit
    • Attends monthly Security Coordinator meetings
    • Provides input and feedback on current and future security standards and initiatives
    • Ensures the review of internal processes, standards, guidelines, requirements, and practices
    • Coordinates unit-level efforts on regulatory compliance, including completion of annual surveys, assessments, and security strategies
    • Identifies unit security training needs and works with the unit training coordinator to ensure completion of training requirements
    • Facilitates the protection of institutional data collected in accordance with policies
    • Facilitates remediation, recovery, and reporting of proven or suspected exposure or disclosure of protected information between the unit and DST
    • Ensures the organization has defined and staffed a privacy role, if required
    • Ensures communication of security information and reporting to the unit
    • Represents their unit during security process and product evaluations
    • Assists with DST's development and delivery of security job aids and training documents
    • Facilitates the completion of internal infrastructure, systems, and third-party risk assessments as required by the security framework
    • Ensures Business Continuity and Disaster Recovery plans are created and tested
    • Facilitates reporting of security metrics to DST
    • Security Coordinators in units covered by HIPAA regulations are also the designated HIPAA Security Officer, unless otherwise designated by unit leadership

    Security Coordinator Skill & Training Requirements (currently under revision)

    Security Coordinators should meet the following requirements to best represent the university's security practice and their unit:

    • Must hold a position within the unit empowered to address security-related issues and concerns
    • Must complete the Ohio State Institutional Data Policy Training annually
    • Must complete Risk Assessment Training, delivered by DST
    • Must be able to commit a minimum of 24 hours a month to the Security Coordinator role
    • Should have technical IT security experience
    • Should be familiar with unit IT practices

    Units are asked to appoint Security Coordinators as a college and administrative office job duty. Replacement of the Security Coordinator appointed by the unit leaders should be timely and gaps introduced by personnel changes should be kept to a minimum to ensure the unit is adequately represented in security conversations at all times.

    Monthly Information Security Community Meeting

    Virtual meetings are held monthly. To be added to the attendee list and receive meeting invitations, please send a request to riskmgmt@osu.edu.