The Assessment Working Group is a sub-working group of the Information Security and Trust Advisory Board.
The Assessment Working Group (AWG) assists the Information Security and Trust Advisory Board (STAB) in assessing and making recommendations regarding the information security risks introduced by third-party vendors hosting or processing university institutional data.
The AWG uses materials such as third-party vendor risk assessment reports, the input of business stakeholders, and the recommendations of IT staff and/or data steward(s) of the applicable university unit(s) to make recommendations.
AWG Responsibilities
The AWG will have the following responsibilities:
- Review and discuss third-party vendor risk assessments with the author(s) of said assessment and the applicable business stakeholder(s), IT staff, and data stewards. This evaluation of risk assessments should consider the business opportunity offered by the proposed vendor-hosted information systems and weigh the value the technology presents for the applicable business unit(s) or the university against the proposed management of the information and technology risks inherent to university operations.
- Consider and review any difficulties encountered during review and preparation of the report. This includes any restrictions on the scope of the work and access to required information.
- Report the results of assessments to the STAB with the recommendations the AWG deems appropriate.
- Advise on the development or enhancements of risk assessment procedures to address identified gaps or new technologies.
- Review and update this Charter periodically as required. Any amendment to the Charter will be submitted to the Board for approval.
Group Organization
The university’s Chief Information Security Officer (CISO) chooses a designee (the "Facilitator") to schedule, facilitate, and preside over meetings as well as appoint members. Members may be added or removed at any time.
Members may include, but are not limited to, staff representing the following areas within the university:
- Digital Security and Trust
- OTDI IT Risk Management
- Wexner Medical Center IT Risk Management
- IT Security Coordinators from university risk management entities
- Office of Compliance and Integrity
- University Registrar
- Office of Research Compliance
- Internal Audit
- University Purchasing
- University Libraries
- Office of Legal Affairs
A subset of AWG members will be appointed as “voting members” for quorum purposes. Voting members are appointed annually.
Procedures and Meetings
- Regular meetings: The AWG generally meets on a monthly basis.
- Special meetings: Under limited circumstances, the AWG may have a special meeting to review a third-party vendor risk assessment determined to be urgent and mission critical by the CISO or a designee. Special meetings will only be used for time-sensitive risk assessments needed to enable a critical university business function, or if a delay to the next meeting would result in a material negative financial impact.
- Quorum: One half of the total number of current voting members constitutes a quorum for the transaction of business. When a quorum is present, the act of a majority is the act of the AWG.
- Recommendations: The AWG will review third-party vendor risk assessments and report to the STAB, either recommending or suggesting further risk mitigation strategies with a third-party vendor providing information system(s). If the AWG is unable to make a recommendation or suggest further risk mitigation strategies, the Facilitator will provide a notice to the STAB, who will then review the applicable assessment. The Facilitator will notify business stakeholder(s) of the recommendation in writing.
- Presence at Meeting: Meetings will be conducted virtually. Members will be considered present for the purposes of a quorum if they are able to join the meeting, hear communications, and participate in discussion via voice or in-meeting chat.
- Invitees: Business stakeholder(s), IT staff, and data steward(s) of university unit(s) may be invited to attend meetings as appropriate, related to the assessment(s) to be evaluated. The business stakeholder(s) and/or data steward(s) can appeal the assessment recommendation reached by the AWG to the STAB for further review.