IT Security Framework
What Is the IT Security Framework?
The OSU IT Security framework is a code of practice and principles that includes process, policy and procedures used here at the university that protect and govern information security. The framework is a method of establishing, implementing, reviewing, maintaining and improving the security programs throughout the university community.
An IT Security framework is the foundation for an effective, enterprise-wide security program. Ohio State University has adopted the International Standards Organization's (ISO) Information Security Framework documented as ISO 27001 and 27002. This framework outlines many actions and controls needed to ensure the organization appropriately protects the information assets it owns and creates.
The implementation of the OSU IT Security Framework is a multi-year project. The time needed to complete the initial work of implementing the various controls required to address information security concerns across an organization varies, as work must be parceled and planned to make the most gains using allocated resources.
Target Maturity Goals
Implementing the OSU IT Security framework is more than a process of checking boxes and saying the work is done. A successful Security Framework program considers security to be a process: the various controls, once initially implemented, will continue to mature and become stronger through evolution over time.
Ohio State and the Office of the CIO are adopting a maturity approach to our long-term metrics for this program, using a zero-to-five-point scale. The scale begins at a value of zero, where no work has been done in a control or area, and reaches five when an area demonstrates an optimized implementation.
Most organizations do not achieve an overall rating higher than three or four in most domains of the framework, or they choose organizational goals that balance the effort of reducing risk against the value returned by the work.
Here is the complete maturity scale and some background on each value:
| Level | Description |
|---|---|
| 0: Nonexistent | There is no evidence of this standard or practice in the organization. |
| 1: Initial | The organization has an ad hoc and inconsistent approach to this privacy standard or practice. |
| 2: Repeatable | The organization has a consistent overall approach, but it is mostly undocumented. |
| 3: Defined | The organization has a documented, detailed approach, but no routine measurement or enforcement of it. |
| 4: Managed | The organization regularly measures its compliance and makes regular process improvements. |
| 5: Optimized | The organization has refined its compliance to the level of best practice. |