IT Security Policy & Priority Helper

At the urging of some community members, OCIO IT Security put together this reference for university units. It highlights the major policies, standards and guidelines related to information security and lists the Top 11 initiatives units should focus on to improve IT Security and enhance the adoption of the University IT Security Framework principles.

Policies and Standards that support the OSU IT Security Framework

Below is a list of policies and standards that are directly related to the OSU IT Security Framework. This list is not and cannot be all-inclusive, and it will continue to evolve as more Security Standards and Practices are developed to support the IT Security Policy. If you are aware of a standard or policy omitted from this list, please let us know and we’ll add it.

Standards:

Guidelines:

Top Priority Activities Units Can Engage in to Facilitate Adoption of OSU IT Security Framework:

  1. Establish and require periodic IT security training for all faculty & staff (General & Technical Training)
  2. Evaluate systems and servers inside the organization for compliance with security standards (Client, Critical Server, Web & Database, etc.)
  3. Implement network segmentation to isolate and protect critical organizational assets
  4. Implement University Password Requirements on all devices and servers within the organization (Clients, Applications & Servers); Implement two-factor authentication where appropriate
  5. Adopt asset & inventory management tools for devices within your organization
  6. Adopt tools for automated patch delivery for operating systems and 3rd Party applications on client devices
  7. Locate and remove, redact or appropriately secure restricted data on client and server systems
  8. Implement log monitoring and security event & incident management tools to detect potential security incidents
  9. Establish secure remote access practices
  10. Review OCIO vulnerability scan reports for all systems, prioritize remediation of Critical, High and Medium results
  11. Review & test backup strategies, business resumption plans and disaster recovery plans annually

If you have questions or would like to consult with the OCIO IT Security team to help begin your planning, contact security@osu.edu.