Security and Trust Advisory Board
The Information Security and Trust Advisory Board was established by the Senior Vice President and Chief Financial Officer and reports to the university's Risk Management Committee.
Documents relevant to this group include:
- Risk Acceptance Function
- Information Security Risk Assessment Service
- Cloud Assessment Registry
The Information Security and Trust Advisory Board (“STAB”) provides oversight of the university's information and technology risk management and compliance practices. Its goal is to support the university’s mission and core values while managing the information and technology risks inherent in university operations.
Procedures & Meetings
The STAB meets as often as necessary or advisable to perform its responsibilities, and at least quarterly. Meeting agendas take into account developments since the most recent meeting, including changes in the University’s organization and business segments and any change in economic or higher education industry conditions.
The Ohio State University Chief Information Officer (CIO) is the chairperson (the “Chairperson”) of the STAB. The CIO may delegate chairperson duties to the Chief Information Security Officer as necessary. The Chairperson schedules and presides over meetings.
The STAB will accept or reject items presented for consideration based on the majority of voting members present at the time of vote. A minimum of seven members must be present to form a voting quorum.
On the advice of the Digital Security and Trust team, the STAB creates working groups of subject matter experts to create and modify standards, guidelines, requirements and practices. Current working groups include the Assessment Working Group, the Research Security Standards Technical Working Group, and the Research Security Working Group.
The CIO or a designee provides an Annual Report to the Risk and Compliance Committee. The report summarizes STAB activities and significant information security activities in the current reporting period.
The STAB assists the university's Risk Management Committee ("Committee") in fulfilling its responsibility for oversight of the university’s information and technology risk management practices, and for monitoring and controlling information and technology risk exposures, by performing the following tasks:
- Ensure guidelines, controls or other procedures (which may include procedures currently used by the university) are established and are designed to appropriately manage the university’s exposure to information and technology risk and ensure compliance with relevant laws and regulations.
- Discuss with the Committee, as necessary or advisable, relevant information with respect to the Committee’s proceedings, including the STAB’s oversight and review of the university’s Information Risk Management Framework and its policies, procedures, and practices employed to manage information and technology risk.
- Periodically review the university's Information Risk Management Framework and survey results, and recommend actions as necessary or advisable to the Committee for approval.
- Recommend mitigation measures and monitor their ongoing implementation.
- Review the findings from incidents handled by the Data Incident Response team and recommend adjustments to policies, controls or procedures as necessary.
- Perform other responsibilities as determined by the Committee.
STAB Membership Responsibilities
STAB Members are responsible for participating in quarterly meetings, or sending qualified designees when absences cannot be avoided. Members are required to:
- Identify representatives to the STAB's working groups, to ensure university-wide representation according to the focus of the working group.
- Participate in STAB voting procedures.
- Ensure STAB decisions are communicated to their units.
- Complete all assigned STAB action items.
The Information Security and Trust Advisory Board Charter can be found here.