Information Risk Management Program

Increasingly, OSU depends on the reliable functioning of its information technology infrastructure. From systems that support OSU's academic mission in the classroom and world-class research facilities to the network that interconnects all the university's administrative offices, OSU's infrastructure has become critical to the university's daily operations.

To help manage the cybersecurity risk to OSU's infrastructure and information assets, the Office of the Chief Information Officer's (OCIO) Enterprise Security group has developed a new Information Risk Management program.

Information Risk Management Program

OSU's Information Risk Management Program has been developed with three broad goals:

1. Simplified design. Standards are often lengthy and complex. For example, NIST SP 800-53 has over 200 controls. The new program defines 30 risk areas, grouped into seven business functions in eight pages.

2. Structured for business leaders, managers and IT professionals. Information security standards are generally written for IT or risk management professionals. The new program has been written and organized for non-technical business managers, with linkage to security controls, procedures and job aids for IT professionals. Risks are categorized into seven different business functions that cross most organizations:

  • management risk
  • legal risk
  • business (finance) risk
  • purchasing risk
  • human resources risk
  • facilities risk
  • information technology risk

An eighth category is "institutional data risk", which is separated as this risk crosses all business functions.

 

3. Prioritized. Standards typically don't offer concrete guidance on how to prioritize risk. The new program specifies risk priority levels for each risk area, making it clear which risks to address first:

  • P1 (critical priority)
  • P2 (high priority)
  • P3 (medium priority)

Finally, the new Information Risk Management Program is built on the premise that information security and information risk management are a university responsibility, not exclusively an IT responsibility.

Information Risk Management Process

As part of the new Information Risk Management Program, OSU is implementing a new three-step process for managing information risk:

1. The first step is to assess information risks. This step involves identifying and prioritizing risks to your business information resources (Internet hacking, stolen laptops, government regulations, etc.). Additionally, a risk treatment plan is created, which defines the information risks your business ranks as too high to tolerate.

2. The second step is to implement an information security program. The goal of this step is to reduce or eliminate the risks identified in the previous step. This is a very pragmatic way to implement information security: the focus is on business risks and not on the latest available technology.

3. The third step is to verify compliance, with both your information security program and with applicable laws and regulations. This step assures the business owners that information risks are being managed.

Using this three-step process, all OSU departments can make measurable improvements to their information security, with a corresponding measurable reduction of their information risks.

Information Risk Management Standards

A final part of the new Information Risk Management Program is the development and implementation of new information security standards at OSU. The hierarchy of standards is represented by the pyramid below:

[Figure: Information Risk Management Standards hierarchy. The top level of the pyramid is the Information Security Standard (ISS).]

At the top of the pyramid is the OSU Information Security Standard (ISS). The ISS provides a definitive set of security requirements for all information systems and assets at OSU. The ISS defines the security objectives for the 30 risk areas, organized by seven business functions. The OSU standard is primarily based on the NIST SP 800-53 security standard, but tailored to address specific University priorities, regulations and compliance risk. Additional documents in the pyramid are under development and will be published in the coming months.