
Security Coordinators

The Ohio State IT Security Policy specifies the requirement for establishing security representatives from colleges, units, and campuses. The security representative, known as the Security Coordinator, serves as the unit liaison with Digital Security and Trust (DST) for security-related matters and activities, and is responsible for the execution of security activities in their college or unit.

Contact: Digital Security and Trust Security Governance

Last updated: June 24, 2025

Changes made to this page
Date: June 24, 2025
Update:
  • Updated "Security Coordinator Onboarding" section
  • Updated email contact information from "riskmgmt@osu.edu" to "securityawareness@osu.edu"

View list of Security Coordinators by Organization 

Security Coordinator Onboarding

Office of Technology and Digital Innovation, Digital Security and Trust - Contact Us

Security Governance:

  • Oversees the security requirements for the university
  • Offers guidance to RMEs (Risk Management Entities) in meeting security controls and risk management
  • Measures RMEs' ability to manage risk

Security Governance mailbox: riskmgmt@osu.edu

Institutional Data Policy Training: Search for “IDP” and take the current FY’s training

Framework: Based on National Institute of Standards and Technology Special Publication 800-53 (Low)

Framework foundational documents:

  • Institutional Data Policy: outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use.
     
  • Information Security and Privacy Standard: defines thirty-nine risk areas for the university. Each risk area includes a security objective, as well as a list of security controls to be used to meet the stated objective.
     
  • Information Security and Privacy Control Requirements: provides detailed implementation guidance for each security control specified in the Information Security Standard (ISS). These control requirements apply to all university information systems and assets under the university’s control and to the people who access these systems.
     
  • Information Risk Management Framework: cross-references or “maps” the security controls of Ohio State’s Information Security and Privacy Standard (ISPS) and Information Security and Privacy Control Requirements (ISPCR) to other security standards and regulations.
     
  • Job Aids: Job Aids have been developed to aid those implementing Ohio State’s Information Security and Privacy Control Requirements (ISPCR) on university information systems, assets under the university’s control and to the people who access these systems.
     
  • University-Approved Lists: University-Approved Lists have been developed to aid those implementing Ohio State’s Information Security and Privacy Control Requirements (ISPCR) on university information systems, assets under the university’s control and to the people who access these systems. 

Cyber and Privacy Legal Review: summary of state, federal, and international laws as well as industry standards. Provides guidance if OSU must take action to comply with the law/regulation.

Technical Testing

  • Technical tests prove effectiveness and identify action items, should any arise from the scans
    • Configuration scanning inventory, log testing, web app scanning, etc.
    • Actionable results from the technical scans are available via the Key Risk Indicator (KRI) dashboard to the Security Coordinators and their senior leadership.

Security and Privacy Controls Assessment (SPCA)

  • The Security and Privacy Control Assessment (SPCA) is an organizational self-assessment which aligns with the "Assess" step of the NIST Risk Management Framework. This program is one component of a larger risk management program which aims to determine if an organization's security and privacy controls are effective and aligned with the university's risk appetite. At The Ohio State University, our controls are documented in the Information Security and Privacy Control Requirements (ISPCR). Previous versions of this program included the ISSA and ISCR.a, which have been retired. 

Technology and Information Exception Request Process (TIER)

  • The university has defined information security control requirements which offer structure on how to protect the university's institutional data and systems and comply with the Institutional Data and IT Security policies. While the expectation is to meet these requirements, there are circumstances where meeting specific requirements may not be possible. These specific cases are defined as exceptions and must be documented, reviewed, and approved.
  • The Technology and Information Exception Request Process facilitates the documenting, reviewing, and either approving or rejecting of exceptions. The foundation of this process is a workflow which includes information security, privacy, technology, and regulatory and contractual experts. Following this process provides reviewers with enough information to either accept the risk or reject the request.

Microsoft Teams Channels

  • Security Coordinators: Security Governance makes announcements here (also by email).
     
  • ISPCR Revision Tracking: discussion space for proposed changes to the Information Security and Privacy Control Requirements (ISPCR).

 

Responsibilities (under review)

  • Primary point of contact for the implementation of the security framework in their unit
  • Attends monthly Security Coordinator meetings
  • Provides input and feedback on current and future security standards and initiatives
  • Ensures the review of internal processes, standards, guidelines, requirements, and practices
  • Coordinates unit-level efforts on regulatory compliance, including completion of annual surveys, assessments, and security strategies
  • Identifies unit security training needs and works with the unit training coordinator to ensure completion of training requirements
  • Facilitates the protection of institutional data collected in accordance with policies
  • Facilitates remediation, recovery, and reporting of proven or suspected exposure or disclosure of protected information between the unit and DST
  • Ensures the organization has defined and staffed a privacy role, if required
  • Ensures communication of security information and reporting to the unit
  • Represents their unit during security process and product evaluations
  • Assists with DST's development and delivery of security job aids and training documents
  • Facilitates the completion of internal infrastructure, systems, and third-party risk assessments as required by the security framework
  • Ensures Business Continuity and Disaster Recovery plans are created and tested
  • Facilitates reporting of security metrics to DST
  • Security Coordinators in units covered by HIPAA regulations are also the designated HIPAA Security Officer, unless otherwise designated by unit leadership

Security Coordinator Skill & Training Requirements (under review)

Security Coordinators should meet the following requirements to best represent the university's security practice and their unit:

  • Must hold a position within the unit empowered to address security-related issues and concerns
  • Must complete the Ohio State Institutional Data Policy Training annually
  • Completion of Risk Assessment Training, delivered by DST
  • Must be able to commit a minimum of 24 hours a month to the Security Coordinator role
  • Should have technical IT security experience
  • Should be familiar with unit IT practices

Units are asked to appoint Security Coordinators as a college and administrative office job duty. Replacement of the Security Coordinator appointed by the unit leaders should be timely, and gaps introduced by personnel changes should be kept to a minimum to ensure the unit is adequately represented in security conversations at all times.

Monthly Information Security Community Meeting

Virtual meetings are held monthly. To be added to the attendee list and receive meeting invitations, please send a request to securityawareness@osu.edu.