IT Security Framework

What Is the IT Security Framework?

The OSU IT Security framework is a code of practice and principles that includes process, policy and procedures used here at the university that protect and govern information security. The framework is a method of establishing, implementing, reviewing, maintaining and improving the security programs throughout the university community.

An IT Security framework is the foundation for an effective, enterprise-wide security program. Ohio State University has adopted the International Standards Organization's (ISO) Information Security Framework documented as ISO 27001 and 27002. This framework outlines many actions and controls needed to ensure the organization appropriately protects the information assets it owns and creates.

The implementation of the OSU IT Security Framework is a multi-year project. The time needed to complete the initial work of implementing the various controls required to address information security concerns across an organization varies, because the work must be parceled out and planned to make the most gains with the allocated resources.

Target Maturity Goals

Implementing the OSU IT Security framework is more than a process of checking boxes and saying the work is done. A successful Security Framework program recognizes that security is a process, and that the various controls, once initially implemented, will continue to mature and become stronger through evolution over time.

Ohio State and the Office of the CIO are adopting a maturity approach to the long-term metrics associated with this program, using a zero-to-five-point scale. The scale begins at a value of zero, where no work has been done in a control or area, and reaches five when an area demonstrates an optimized implementation.

Most organizations do not achieve an overall rating higher than three or four in most domains of the framework, or they choose to set organizational goals that balance the effort of reducing risk against the value returned by the work.

Here is the complete maturity scale and some background on each value:

0: Nonexistent The organization shows no evidence of this standard or practice.
1: Initial The organization has an ad hoc and inconsistent approach to this privacy standard or practice.
2: Repeatable The organization has a consistent overall approach, but it is mostly undocumented.
3: Defined The organization has a documented, detailed approach, but no routine measurement or enforcement of it.
4: Managed The organization regularly measures its compliance and makes regular process improvements.
5: Optimized The organization has refined its compliance to the level of best practice.

IT Security Framework Tools and Process Documents

  • OSU IT Security Control (by Domain) Assessment Tool - Excel Spreadsheet (xls)
  • OSU IT Security Business Continuity Planning Checklist - PDF (Oct. 2010)
  • OSU IT Security Router Audit Checklist - PDF (Oct. 2010)
  • OSU IT Security Domain Maturity Self Assessment Tool - Excel Spreadsheet (xls) (Feb. 2011)

Related OSU Policy Links

See Other University Policies for links to source documents.