IT Security Framework

Ohio State’s Information Risk Management Program (IRMP) has produced a series of information security and risk management documents to assist organizations in organizing, measuring, and managing information risk.

Ohio State’s Information Technology Security Policy (ITSP) establishes high-level information security requirements. The ITSP provides the mandate for the IRMP at Ohio State. It establishes the overall intent of the university to support and promote information security in all its practices. Additionally, the ITSP specifically delegates to the Office of the Chief Information Officer the responsibility to create new policies, standards, guidelines, requirements, and practices to support the intent of the policy and ensure information security.

The IRMP is also closely tied to Ohio State’s Institutional Data Policy (IDP). The IDP defines different types of institutional data at Ohio State as well as high-level management and access requirements.

The Information Security Standard (ISS) defines 30 risk areas for the university. Each risk area includes a security objective, as well as a list of security controls to be used to meet the stated objective. These risk areas are used to organize, measure, and manage risk levels consistently across the university. The ISS takes its mandate from the ITSP and is tightly aligned with the IDP.

The Information Security Control Requirements (ISCR) provides detailed implementation guidance for each security control specified in the ISS. The ISCR could be interpreted as a more detailed version of the ISS. As such, a coding scheme makes it easy to cross-reference between the two documents. To better guide implementation efforts, the detailed control requirements in the ISCR are specified according to the level of institutional data being protected, as defined by the IDP.

The Information Risk Management Framework (IRMF) cross-references or maps the ISS security controls and ISCR control requirements to other security standards and regulations. As new information security regulations are created at the federal, state, or industry level, the IRMF will be expanded with additional appendices to document how the IRMP keeps Ohio State compliant with all relevant legislation and rules. The IRMF employs the same coding scheme utilized in the ISS and ISCR.

Over a multi-year period, the IRMP continues to develop job aids in the form of documentation (procedures, checklists, templates) and software tools as needed to support the implementation of the ISS and ISCR. Job aids help organizations implement controls and control requirements effectively and efficiently.

Figure: Ohio State Information Security & Risk Management Documentation Pyramid