Information Security Standard (ISS)

Contact: Digital Security and Trust Security Governance

Version: v2.2.1 (December 2022)

Applies to: Faculty, staff, students, student employees, contractors, volunteers, visitors, sponsored guests of units, and affiliated entities who are acting on behalf of the university


1 About this Document

Terms of Use: The Ohio State University Information Security Standard is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Refer to the Information Risk Management Program Documentation License for additional information (see "Appendix B: Information Risk Management Program Documentation License").

2 Introduction

The Information Security Standard (ISS) defines risk management objectives and specifies security controls that support Ohio State’s Information Technology Security Policy (ITSP). The ISS is also linked to Ohio State’s Institutional Data Policy (IDP). For more information about the ITSP and the IDP, see Appendix A Information Security and Risk Management Documentation.

The ISS defines thirty-eight risk areas for the university. These risk areas are used to organize, measure, and manage information risk consistently across the university. The risk areas have been categorized according to nine business functions to make them more accessible to managers. Each risk area definition includes a risk management objective, as well as a list of security controls to be used to meet the stated objective. The risk areas and security controls use a coding scheme to simplify cross-referencing between Ohio State’s different information security and risk management documents.

The ISS is primarily based on the NIST SP 800-53 security standard and the CPI-RISC Information Risk Framework. Additionally, the ISS references ISO 27002.

Note: CPI-RISC Information Risk Framework v1.3, February 2012. A business-oriented, standards-based approach to information security and risk management.

Note: ISO 27002: International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27002:2022 Information security, cybersecurity and privacy protection.

3 Compliance

All information systems and assets under Ohio State’s control are expected to be managed in a way that complies with the ISS. Organizations are given the time between ISS updates and the end of the current program year to implement the new controls. Additionally, organizations must comply with any applicable legal and regulatory requirements including those not referenced by the ISS.

An organization’s level of compliance must be reported to the Information Security and Trust Advisory Board (STAB), the Risk and Audit Committee, and Ohio State’s Board of Trustees annually.

4 Exceptions

The expectation is all information systems and assets under Ohio State’s control must comply with the ISS. When it is not possible to comply, organizations must track and enter their exceptions using the Technology and Information Exception Request (TIER) process when they determine they are non-compliant with the ISCR. 

Exceptions must be summarized and reported on a quarterly basis to the STAB.

5 Risk Area Overview

The ISCR defines the control requirements for thirty-eight risk areas categorized by business function.

Risk areas

Code    Risk Area
------  ------------------------------------------------

MANAGEMENT RISK
MGT1    Information risk management
MGT2    Information security management
MGT3    Compliance management
MGT4    Business Continuity Management Risk

LEGAL RISK
LEG1    Legal and regulatory compliance risk

BUSINESS RISK
BUS1    Finance system-related risk

PURCHASING RISK
PUR1    Contract management risk

HUMAN RESOURCES RISK
HR1     Employment risk

FACILITIES RISK
FAC1    Site-related physical risk
FAC2    Workspace-related physical risk

INSTITUTIONAL DATA RISK
DAT1    Institutional data-related risk
DAT2    Information access control-related risk
DAT3    Information access control-related risk

INFORMATION TECHNOLOGY RISK
IT1     Disaster-related risk
IT2     Infrastructure-related risk
IT3     Network-related risk
IT4     Server-related risk
IT5     Identity-related risk
IT6     Malicious software risk
IT7     Application-related risk
IT8     Development process-related risk
IT9     Vendor management risk
IT10    Client-related risk
IT11    Mobile device-related risk
IT12    Message service-related risk
IT13    Web application-related risk
IT14    Security incident management risk
IT15    Storage media-related risk
IT16    User-related risk
IT17    Information asset management risk
IT18    Software license management risk

INDUSTRIAL CONTROL SYSTEMS RISK
ICS1    Industrial control systems management risk
ICS2    Portable device-related risk
ICS3    Network-related risk
ICS4    Operations management-related risk
ICS5    Wireless management-related risk
ICS6    Remote access-related risk
ICS7    Vendor management-related risk


6 Standard

An example of a risk area definition from the ISS with the component parts labeled

Management Risk

MGT1 Information risk management - To ensure that information risks are identified and treated.

  • MGT1.1 Risk assessment - A risk assessment must be performed periodically.

  • MGT1.2 Risk management strategy - A risk management strategy must be developed and maintained.


MGT2 Information security management - To ensure the information security program manages information risks.

  • MGT2.1 Information security plan - An information security plan must be developed and maintained.

  • MGT2.2 Information security roles - Information security role(s) must be assigned.

  • MGT2.3 Information security resources - Information security resources must be allocated.


MGT3 Compliance management - To ensure the risk management and information security programs effectively identify and manage information risks.

  • MGT3.1 Security assessment - Security assessments must be performed periodically.

  • MGT3.2 Penetration test - Penetration testing must be performed when required by regulation.


MGT4 Business continuity management risk - To limit the negative impact of a disruptive event upon university operations.

  • MGT4.1 Business continuity management - Business continuity plan(s) must be developed and maintained.

Legal Risk

LEG1 Legal and regulatory compliance risk

  • LEG1.1 Legal and regulatory review - Applicable legislation and regulations must be identified and reviewed periodically.

Business Risk

BUS1 Finance system-related risk

  • BUS1.1 Segregation of duties in operations - Segregation of duties must be verified in applicable financial systems.

    Note: Applicable financial systems include any information system responsible for entering, approving, or processing university financial transactions.

Purchasing Risk

PUR1 Contract management risk - To ensure third party software product and information service vendors are contractually obligated to satisfy Ohio State’s information security requirements.

  • PUR1.1 Security-aware acquisition process - An acquisition process that includes security requirements must be used for the purchase of software products and information services.

  • PUR1.2 Third party compliance - Contracts with third party software product and information service vendors must stipulate that their software and services satisfy the requirements of Ohio State’s Information Security Standard.

  • PUR1.3 Third party access - Contracts with third parties that need data- and/or network-access must require documented and approved access agreements.

  • PUR1.4 Third party personnel compliance - Contracts with third parties that have personnel who will need access to Ohio State’s internal information systems must require that their personnel review and comply with Ohio State’s Responsible Use of University Computing and Network Resources Policy.

  • PUR1.5 Third party personnel screening - Contracts with third parties that have personnel who will need access to institutional data must require that background checks are performed on their personnel before access is granted.

  • PUR1.6 Third party termination - Digital identities must be disabled/deleted, access rights must be removed, and university information assets and institutional data must be retrieved and/or relinquished when third parties are terminated.

Human Resources Risk

HR1 Employment risk - To ensure that employee-related risk is managed throughout the employment lifecycle.

  • HR1.1 Personnel screening - Employees must have a background check performed before being placed in positions where they will have access to institutional data.

  • HR1.2 Personnel termination or transfer - Digital identities must be disabled/deleted, access rights must be removed, and university information assets and institutional data must be retrieved and/or relinquished when employees are terminated or transferred.

  • HR1.3 Personnel corrective action - Appropriate corrective actions must be applied to employees who fail to comply with security requirements when required by regulation.

Facilities Risk

FAC1 Site-related physical risk - To prevent the theft of, tampering with, or destruction of information assets in university locations.

  • FAC1.1 Building security - University locations must be equipped with physical access controls.

    Note: Information assets include infrastructure, information systems, software, or institutional data. University locations include buildings owned, managed, or leased by Ohio State.


FAC2 Workspace-related physical risk - To prevent the theft of, tampering with, or destruction of information assets within workspaces.

  • FAC2.1 Workspace security - Workspace locations must be equipped with physical access controls.

    Note: Information assets include infrastructure, information systems, software, or institutional data.

Institutional Data Risk

DAT1 Institutional data-related risk - To ensure proper classification, labeling, and handling of institutional data.

  • DAT1.1: Information categorization: Data must be categorized according to Ohio State’s Institutional Data Policy.

  • DAT1.2: Records management: University records must be managed according to records retention and disposition schedules.

  • DAT1.3: Protected data storage: Data must be protected during storage as indicated by the data classification level.

  • DAT1.4: Protected data transport: Data must be protected during transit as indicated by the data classification level.

  • DAT1.5: Cryptography: University-approved cryptography must be used as indicated by the data classification level.

  • DAT1.6: Data loss prevention: The presence of restricted institutional data must be detected on information systems and networks so the data can be protected.

  • DAT1.7: Data integrity: Data integrity must be protected when required by regulation.

    Note: Data may be in digital or physical form.


DAT2 Information access control-related risk - To ensure authorized access, use, and modification of institutional data as defined by Ohio State’s Institutional Data Policy.

  • DAT2.1: Access enforcement: Information systems must enforce access controls.

  • DAT2.2: Access management: Users must receive only the minimum amount of access required to perform their work functions.

  • DAT2.3: Separation of duties: User access and duties must be segregated when required by regulation.


DAT3 University records retention-related risk - To ensure authorized access, use, and modification of institutional data as defined by Ohio State’s Institutional Data Policy.

  • DAT3.1: Records retention: Records should be kept in accordance with the university’s records retention schedule.
  • DAT3.2: Document destruction: Organizations must properly dispose of documents containing institutional data.

    Note: Documents include paper documents, paper output, and photographic media. For additional details regarding storage media disposal, please reference IT15.2.1 Storage media disposal and IT15.2.2 Restricted storage media disposal.

Information Technology Risk

IT1 Disaster-related risk - To limit the negative impact of a disruptive event upon IT operations and to ensure the timely access to information assets.

  • IT1.1: Information system backup: Backups must be made of all information systems periodically.
  • IT1.2: Disaster recovery management: A disaster recovery plan must be developed and maintained.

IT2 Infrastructure-related risk - To ensure university locations that house infrastructure are securely maintained.

  • IT2.1: Infrastructure security: Infrastructure locations must be equipped with physical access controls.
  • IT2.2: Infrastructure change management: Configuration changes must be made using a formal change control process.
  • IT2.3: Emergency power: Electricity must be provided from an alternate source in case of an emergency.
  • IT2.4: Fire protection: Fire detection and fire suppression systems must be maintained.
  • IT2.5: Temperature and humidity control: Temperature and humidity must be monitored and controlled.

    Note: Infrastructure locations include data centers, server rooms, and technology rooms. A data center is an infrastructure location that houses one or more high availability information systems. A server room is an infrastructure location that houses one or more server systems. A technology room is an infrastructure location that houses voice and/or data network devices, wiring, or patch panels.

IT3 Network-related risk - To ensure the secure operation of network devices and timely access to network services.

  • IT3.1: Secure network device configuration: A predefined, secure configuration must be used.
  • IT3.2: Least network device functionality: A minimal configuration must be used with only essential services enabled and configured.
  • IT3.3: Network device change management: Configuration changes must be made using a formal change control process.
  • IT3.4: Network device patch management: Software flaws must be identified and corrected.
  • IT3.5: Legacy network device retirement: Current, vendor-supported software and firmware must be used.
  • IT3.6: Network device logging: Network device and security events must be logged and monitored.
  • IT3.7: Network device time synchronization: Network device clocks must be synchronized with a university-approved time source.
  • IT3.8: Secure network remote access: Secure remote access must be enforced.
  • IT3.9: Network boundary security: Secure network boundaries must be enforced.
  • IT3.10: Network device vulnerability management: Network device vulnerabilities must be identified and managed.
  • IT3.11: Network intrusion detection: The network must be monitored to detect unauthorized access or exploit.
  • IT3.12: Network denial of service protection: The effects of denial of service attacks must be limited.
  • IT3.13: Secure network device maintenance: Maintenance must be provided by authorized personnel without compromising device security or disclosing institutional data.
  • IT3.14: Secure wireless network access: Secure wireless access must be enforced.

    Note: Network devices include routers, switches, firewalls, virtual network devices, and network components.

IT4 Server-related risk - To ensure the secure operation of server systems and timely access to services.

  • IT4.1: Secure server system configuration: A predefined, secure configuration must be used.
  • IT4.2: Least server system functionality: A minimal configuration must be used with only essential services enabled and configured.
  • IT4.3: Server system change management: Configuration changes must be made using a formal change control process.
  • IT4.4: Server system patch management: Software flaws must be identified and corrected.
  • IT4.5: Legacy server system retirement: Current, vendor-supported software and firmware must be used.
  • IT4.6: Server system logging: System and security events must be logged and monitored.
  • IT4.7: Server system time synchronization: System clocks must be synchronized with a university-approved time source.
  • IT4.8: Secure server system remote access: Secure remote access must be enforced.
  • IT4.9: Server system boundary security: Secure system boundaries must be enforced.
  • IT4.10: Server system vulnerability management: Server system vulnerabilities must be identified and managed.
  • IT4.11: Server system intrusion detection: Server systems must be monitored to detect unauthorized access or exploit.
  • IT4.12: Server system denial of service protection: The effects of denial of service attacks must be limited.
  • IT4.13: Secure server system maintenance: Maintenance must be provided by authorized personnel without compromising server system security or disclosing institutional data.
  • IT4.14: Secure name and address resolution service: Name/address resolution services must be securely configured and managed.
  • IT4.15: Secure database management: Database management services must be securely configured and managed.

    Note: Server systems include information systems that provide application, system, or network services to other information systems.

IT5 Identity-related risk - To ensure the secure use and management of digital identities and that secure authentication processes are used.

  • IT5.1: Identification and authentication: Information systems must require identification and authentication before providing access.
  • IT5.2: Identity management: Digital identities must be securely managed.
  • IT5.3: Credential management: Authentication credentials must be securely managed.
  • IT5.4: Invalid login protection: Authentication processes must enforce a limit of consecutive invalid logon attempts.
  • IT5.5: Secure identity server management: Identity management servers must be securely configured and managed.

    Note: Digital identities include accounts (e.g., user, service, and administrative), groups, and authentication credentials (e.g., passwords, tokens, and certificates).

IT6 Malicious software risk - To ensure information systems and networks are protected from exploitation by malicious software.

  • IT6.1: Endpoint protection platform software: Endpoint protection platform software must be used to detect and remove malicious software.

IT7 Application development-related risk - To ensure secure operation of applications; that applications produce the correct results and perform only authorized transactions; and that data is not inadvertently exposed during processing.

  • IT7.1: Input validation: Input data must be validated.
  • IT7.2: Secure error handling: Error messages must be produced without exposing data.
  • IT7.3: Segregation of duties in development: Segregation of duties must be implemented in applicable financial systems.
  • IT7.4: Application banner: A system use notification banner must be displayed.
  • IT7.5: Application boundary security: Secure application boundaries must be enforced using application-based tools.
  • IT7.6: Application logging: Application and security events must be logged.
  • IT7.7: Application session lock: Session locks must be enforced after periods of inactivity.
  • IT7.8: Application denial of service protection: Applications must limit the effects of denial of service attacks.
  • IT7.9: Application data protection: Application data must be protected during processing as indicated by the data classification level.
  • IT7.10: Application developer training: Application developers must have the requisite skills to develop secure applications.
  • IT7.11: Legacy development environment retirement: Current, vendor-supported development environments and tools must be used.

    Note: An application is a program or piece of software developed to perform a particular task. Application development is defined as writing a program or software to perform a particular task. An application developer is someone who writes a program or software to perform a particular task.

IT8 Development process-related risk - To ensure the application development process produces secure applications.

  • IT8.1: Application development process: A formal application development process must be used.
  • IT8.2: Application development change management: Application and configuration changes must be made using a formal change control process.
  • IT8.3: Application development third party compliance: Third-party agreements must require that external information service providers satisfy the requirements of Ohio State’s Information Security Standard.
  • IT8.4: Application development security: Internal and external connections to university information systems must be documented and approved.

IT9 Vendor management risk - To ensure third party software product and information service vendors are meeting contractually defined service levels and Ohio State’s information security requirements.

  • IT9.1: Third party service management: Software and services provided by third-party software product and information service vendors must be verified to ensure they satisfy the requirements of Ohio State’s Information Security Standard.

IT10 Client-related risk - To ensure the secure operation of client systems and applications.

  • IT10.1: Secure client system configuration: A predefined, secure configuration must be used.
  • IT10.2: Least client system functionality: A minimal configuration must be used with only essential services enabled and configured.
  • IT10.3: Client system change management: Configuration changes must be made using a formal change control process.
  • IT10.4: Client system patch management: Software flaws must be identified and corrected.
  • IT10.5: Legacy client system retirement: Current, vendor-supported software and firmware must be used.
  • IT10.6: Client system logging: System and security events must be logged and monitored.
  • IT10.7: Client system time synchronization: System clocks must be synchronized with a university-approved time source.
  • IT10.8: Secure client system remote access: Secure remote access must be enforced.
  • IT10.9: Client system boundary security: Secure system boundaries must be enforced.
  • IT10.10: Client system vulnerability management: Client system vulnerabilities must be identified and managed.
  • IT10.11: Client system intrusion detection: Client systems must be monitored to detect unauthorized access or exploit.
  • IT10.12: Secure client system maintenance: Maintenance must be provided by authorized personnel without compromising client system security or disclosing institutional data.

    Note: Client systems run general purpose operating systems (e.g., Microsoft Windows, Apple Mac OS X, Linux/UNIX) and do not host shared services for other information systems.

IT11 Mobile device-related risk - To ensure the secure operation of mobile devices and applications.

  • IT11.1: Basic secure mobile device configuration: Mobile devices accessing Ohio State’s institutional data must be configured with a basic security configuration.

    The following controls are required for mobile devices accessing, processing, storing, or transmitting restricted institutional data.

  • IT11.2: Mobile device or application management: Mobile devices must be securely managed (mobile device management (MDM)) or configured with a secure access application (mobile application management (MAM)).
  • IT11.3: Mobile device or application change management: Configuration changes to the MDM or MAM system must be made using a formal change control process.
  • IT11.4: Mobile device or application patch management: Software flaws in MDM or MAM systems and mobile devices must be identified and corrected.
  • IT11.5: Legacy mobile device or application management: Current, vendor-supported MDM and MAM software must be used.
  • IT11.6: Mobile device or application logging: System and security events from MDM or MAM systems must be logged and monitored.
  • IT11.7: Secure mobile device configuration: A predefined, secure configuration must be used.
  • IT11.8: Mobile device secure wipe: MDM systems must be able to remotely erase and reset mobile devices; MAM systems must be able to remotely erase the MAM application data.
  • IT11.9: Mobile device exploit detection: MDM or MAM systems must be monitored to detect unauthorized administrative access or exploit.

    Note: Mobile devices are portable systems that run embedded operating systems (e.g., Apple iOS, Google Android, and Blackberry OS). These requirements apply to personally-owned and university-owned mobile devices that are being used to access institutional data.

IT12 Message service-related risk - To ensure the secure operation of and timely access to messaging services.

  • IT12.1: Message service anti-spam mechanism: Filter mechanisms must be used to detect and remove or block unsolicited bulk messages (e.g., spam or Spam over Internet Telephony (SPIT)).
  • IT12.2: Message service endpoint protection platform: Endpoint protection platform software must be used to detect and remove or block malicious messages or attachments.
  • IT12.3: Secure message service: Messaging servers must be securely configured and managed.
  • IT12.4: Secure message transmission: Messages must be transmitted using encryption as indicated by the data classification level.
  • IT12.5: Secure Voice over Internet Protocol (VoIP): Voice over Internet Protocol (VoIP) services must be securely configured and managed.
  • IT12.6: Secure collaborative computing: Collaborative computing must be securely configured and managed.
  • IT12.7: Secure multi-function devices: Multi-function devices must be securely configured and managed.
  • IT12.8: Secure messaging: Electronic messages must be handled in a manner that protects institutional data.
  • IT12.9: Secure third-party messaging: Organizations must use identity security protocols.

    Note: Messaging services include electronic mail, instant messaging, and Voice over Internet Protocol (VoIP) services. Collaborative computing includes applications, services, systems, or devices that allow two or more individuals to share information in real time, internal or external to the university (e.g., interactive whiteboard, screen sharing, and audio or video group conferencing). Multi-function devices incorporate the functionality of multiple devices in one to provide centralized document management, distribution, and production while combining some or all of the following services: email, faxing, printing, copying, and scanning.


IT13 Web application-related risk - To ensure the secure operation of web applications.

  • IT13.1: Secure web sessions: Secure sessions must be enforced.
  • IT13.2: Web application vulnerability management: Web application vulnerabilities must be identified and managed.

IT14 Security incident-related risk - To ensure a prompt and effective response to information security incidents.

  • IT14.1: Security incident response plan: An incident response plan must be developed and maintained.
  • IT14.2: Security incident response capability: Responses to information security incidents must be coordinated and managed.
  • IT14.3: Security incident reporting: Security incidents must be reported promptly to Ohio State’s Chief Information Security Officer.

IT15 Storage media-related risk - To ensure that storage media and documents are used securely.

  • IT15.1: Storage media physical security: Physical access to storage media and documents must be controlled.
  • IT15.2: Storage media disposal: Storage media and documents must be disposed of securely.
  • IT15.3: Storage media data protection: Institutional data must be encrypted on storage media as indicated by the data classification level.

    Note: Storage media includes optical media (e.g., CDs, DVDs), magnetic media (e.g., backup tapes, diskettes), storage drives (e.g., external drives, portable drives, or drives removed from information systems), and flash memory storage devices (e.g., SSDs or USB flash drives). For additional details regarding document disposal, please reference DAT3.2.1 Document Disposal.

IT16 User-related risk - To ensure users are aware of security threats and behavior that makes them vulnerable and capable of performing information security-related roles.

  • IT16.1: Information security awareness: All users must participate in information security awareness programs.
  • IT16.2: Role-based information security training: All users must receive training to perform their information security roles and responsibilities.

IT17 Information asset management risk - To ensure that information assets are identified so they can be managed securely.

  • IT17.1: Information asset inventory: An inventory must be maintained of all university-owned network devices, information systems, and mobile devices.

IT18 Software license management risk - To ensure that software is being used in compliance with license agreements and copyright law.

  • IT18.1: Software license management: An inventory must be maintained of all software, software licenses, and related purchase records.

Industrial Control Systems Risk (ICS)

ICS1 Industrial Control Systems Management Risk - To ensure that Industrial Control Systems and availability requirements are identified and managed.

  • ICS1.1: Risk assessment: Security assessments must be performed prior to establishing network connectivity.

ICS2 Portable device-related risk - To ensure all portable assets and media used in Industrial Control System environments have been designated and validated for use.

  • ICS2.1: Portable device risk: All portable media used in ICS environments must be managed.

ICS3 Network-related risk - To ensure the secure operation and availability of networks that support Industrial Control Systems.

  • ICS3.1: Network risk: Secure network architecture must be enforced.

ICS4 Operations management-related risk - To ensure the secure management of Industrial Control Systems.

  • ICS4.1: Operations risk: Secure configurations, policies and procedures must be enforced.

ICS5 Wireless management-related risk - To ensure the secure use of wireless communication within Industrial Control Systems.

  • ICS5.1: Wireless communication risk: Secure wireless access and restrictions must be enforced.

ICS6 Remote access-related risk - To ensure the use of secure remote access to Industrial Control Systems and process control networks.

  • ICS6.1: Remote access risk: Secure remote access must be enforced.

ICS7 Vendor management-related risk - To ensure third parties are contractually obligated to satisfy Ohio State’s Information Security Control Requirements and that third-party access to Industrial Control Systems is managed through service level agreements.

  • ICS7.1: Vendor risk: Service Level Agreements and restricted access must be enforced.


Appendix A: Information Security and Risk Management Documentation

Figure: Ohio State Information Security and Risk Management Documentation Pyramid

Ohio State’s Digital Security and Trust team developed the Information Risk Management Program (IRMP) to manage information security risk to Ohio State’s information systems and assets. The IRMP has produced a series of information security and risk management documents to assist organizations in understanding the program and implementing strategies to manage information risk. This appendix describes the purpose of and relationships between the various information security and risk management documents.

Ohio State’s Information Technology Security Policy (ITSP) establishes high-level information security requirements. The ITSP provides the mandate for the IRMP at Ohio State. It establishes the overall intent of the university to support and promote information security in all its practices. Additionally, the ITSP specifically delegates to the Office of the Chief Information Officer the responsibility to create new policies, standards, guidelines, requirements, and practices to support the intent of the policy and ensure information security.

The IRMP is also closely tied to Ohio State’s Institutional Data Policy (IDP). The IDP defines different types of institutional data at Ohio State as well as high-level management and access requirements.

The Information Security Standard (this document) defines thirty-eight risk areas for the university. Each risk area includes a security objective, as well as a list of security controls to be used to meet the stated objective. These risk areas are used to organize, measure, and manage risk levels consistently across the university. The ISS takes its mandate from the ITSP and is tightly aligned with the IDP.

The Information Security Control Requirements (ISCR) provides detailed implementation guidance for each security control specified in the ISS. The ISCR could be interpreted as a more detailed version of the ISS. As such, a coding scheme makes it easy to cross-reference between the two documents. To better guide implementation efforts, the detailed control requirements in the ISCR are specified according to the level of institutional data being protected, as defined by the IDP.

The Information Risk Management Framework (IRMF) cross-references or maps the ISS security controls and ISCR control requirements to other security standards and regulations. As new information security regulations are created at the federal, state, or industry level, the IRMF will be expanded with additional appendices to document how the IRMP keeps Ohio State compliant with all relevant legislation and rules. The IRMF employs the same coding scheme utilized in the ISS and ISCR.

Over a multi-year period, the IRMP will develop job aids in the form of documentation (procedures, checklists, templates) and software tools as needed to support the implementation of the ISS and ISCR. Job aids will help organizations implement controls and control requirements effectively and efficiently.

The Ohio State University Information Risk Management Program documentation is licensed for use under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Refer to the Information Risk Management Program Documentation License for additional information (see "Appendix B: Information Risk Management Program Documentation License").

Appendix B: Information Risk Management Program Documentation License

Issued: v1.0 (07/01/2017)

Ohio State’s Digital Security and Trust team developed the Information Risk Management Program (IRMP) to manage information security risk to the university's information systems and assets. The IRMP has produced a series of information security and risk management documents to assist organizations in understanding the program and implementing strategies to manage information risk. This Documentation License describes the terms of use for organizations that use the program documents.

This Documentation License applies to the following program documents:

  • Information Security Standard (ISS)
  • Information Security Control Requirements (ISCR)
  • Information Risk Management Framework (IRMF)
  • Information Risk Areas (IRA)
  • Information Risk Metrics (IRM)
  • Job Aids

The Ohio State University Information Risk Management Program documentation is licensed for use under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0)

Note: this is a human-readable summary of (and not a substitute for) the license.

You are free to:

  • share: copy and redistribute the material in any medium or format; and
  • adapt: remix, transform, and build upon the material.

The licensor cannot revoke these freedoms if you follow the license terms.

Under the following terms:

  • attribution: you must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use;
  • noncommercial: you may not use the material for commercial purposes; and
  • share alike: if you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

No additional restrictions: you may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Notices:

You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.

No warranties are given. The license may not give you all the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.