The Art of Balance: How Do We Address IT Security Needs Without Impacting Research?

Securing institutional data is the goal of the Ohio State University IT Security Framework. The outcome of leveraging the OSU IT Security Framework is protection of the integrity, confidentiality, and availability of university research tools and data without disrupting the research process.

Research institutions, like Ohio State, have great opportunities for collaboration. Securing the transmission of, and access to, instruments and data is a key part of the university’s IT Security Framework. A key objective is to enable researchers to focus on their work, transparently keeping technology and policy from being a hindrance while designing secure processes in parallel to support critical research efforts.

The IT Security Framework is a code of practice based upon international standards of information security and a proven methodology to achieve the balance. Recently, the university approved the OSU IT Security Policy (ocio.osu.edu/assets/Policies/ITSecurity.pdf), which directs the university to consider the impact of the various information security controls on the way Ohio State conducts research, instruction, collaboration and administration.

The IT Security Framework includes basic questions and concepts to enable security practices to be devised and adopted to meet our core research and business needs. The IT Security Framework highlights controls to mitigate risks and suggests possible solutions for consideration when establishing processes, developing agreements and implementing the technology to enable these solutions.

For example, one focus area of the IT Security Framework concerns information sharing between institutions, which can be an important aspect of many research programs. Mitigating the risks of sharing data includes:

  • Ensuring only approved representatives can change the data.
  • Making sure only approved people can create, read, update or delete data.
  • Identifying the right people to approve.
  • Securing and safely transmitting and storing the information we share.
  • Protecting access to the data (i.e., strong passwords, two-factor authentication).
  • Protecting university liabilities through agreements, which define the roles, responsibilities, and expectations of sharing organizations.

Implementing these risk mitigations does not prevent the sharing of data between institutions; it strengthens protections by allowing the secure exchange of information, thus lowering the university’s risk. Risk mitigation bolsters our research program by demonstrating our commitment to protecting the management and creation of valuable research between the university and its partners.

Information security is not a driver of research, but needs to be a factor in ensuring the university exercises due diligence to protect the intellectual property.

Integrating the IT Security Framework and controls should not cause any process to fail or become inefficient. The impacts of designing security into a process should not outweigh the gains in achieving appropriate protections and make a process unusable.

The goal of any security program or practice is to ensure that the integrity, confidentiality and availability of services and data are maintained. Security costs should be balanced against the benefits they provide.

The College of Arts and Sciences (ASC) recently highlighted how research and information security policy work together through a series of videos featuring how to achieve a productive balance. These videos are available on the ASC Technology Services YouTube channel - www.youtube.com/user/ASCTechnologyService.

Secure remote instrumentation and data sharing without disruption depend on the planning and collaboration of Office of the Chief Information Officer staff, its clients and partners. OCIO can assist university faculty and IT staff researchers in implementing secure technology and processes.

For more about how the Information Security Framework can enhance your research and academic practices, contact the Office of the Chief Information Officer IT security team at security@osu.edu. You can find out more about the goals of the IT Security Framework at ocio.osu.edu/itsecurity/framework or contact Shawn Sines at sines.22@osu.edu.
