91.005: Information Security

Status:

Approved

Effective:

October 26, 2018

By:

Craig Bantz | Chief Information Officer

Endorsed by:

Chaden Djalali | Executive Vice President and Provost

Approved by:

M. Duane Nellis | President

Signatures and dates on archival copy
  1. Purpose

    This policy provides a framework to continuously protect and secure Ohio University's data and information resources and to comply with and maintain legal and contractual requirements.

  2. Scope

    Ohio University organizational units operating technology resources are responsible for ensuring that the set of components for collecting, creating, storing, processing, and disseminating information, typically including hardware and software, system users, and the data itself ("Ohio systems"), are managed securely. Users ("users") are defined as faculty, staff, student employees, third-party agents, and any other authorized university affiliates accessing sensitive data.

    Unauthorized use or disclosure of data protected by laws or contractual obligations could cause damage to the university and to members of the university community, as well as subject the university to penalties in the form of fines or government sanctions. Examples of such laws or contractual obligations are the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS). To properly manage these risks, users must ensure their electronic devices and any other resources which create, collect, store, transmit, or process information meet minimum information security standards.

    The information security office ("ISO") will advise and consult key stakeholders involved with the protection of data and assets on critical risk issues, and recommend remediation actions to support the information security risk management program ("ISRMP") as defined in policy 91.006 "Information security risk management." Ohio system and data owners will be responsible for ensuring that mission-critical Ohio systems being maintained by them are adequately assessed for risk and that any identified risks are accepted, mitigated, or transferred.

  3. Policy

    ISO will consult with stakeholders to define the information security standards which help support and maintain an adequate information security posture. The information security governance committee will approve new standards under the supervision of the information technology strategy and governance committee. Each standard identifies controls required for the data or IT resource, and assigns appropriate security risk levels.

    The information security standards apply to all IT data resources owned, leased, operated, provided, or otherwise connected to university resources. This includes physical assets such as computers, workstations, external hard drives, mobile phones, wireless devices, operating systems, software, and applications (free or contracted by the university).

    Users are required to apply the appropriate controls to the data and IT resource(s) following this process.

    Data owners are responsible for identifying the security level for the data and IT resource following the process in policy 93.001 "Data Classification." The ISO will provide advice and consultation to assist in compliance. Data owners are responsible for applying the appropriate controls from the information security standards to the data and IT resource based on the security level. The security level defines the minimum requirements that must be followed for each classification; however, units may require additional controls beyond this policy, as no policy can require controls less than those indicated in this policy.

  4. Enforcement

    Ohio users must report non-compliance with any part of this policy to the ISO (security@ohio.edu).

    Users who do not comply with this policy or related information security standards may be denied access to information technology ("IT") resources, as well as be subjected to disciplinary action up to and including termination.

  5. Exceptions

    All exceptions to this policy must be formally documented with the ISO prior to approval by the president or delegate. Policy exceptions will be reviewed and renewed on a periodic basis by the ISO.

    To request an exception:
    "Complete the Initial Exception Request Form, Policy Exception Template, and Risk Acceptance Form. (http://www.OHIO.edu/oit/security)"


Reviewers

Proposed revisions of this policy should be reviewed by:

  1. Academic leadership

  2. Vice President for Finance & Administration leadership

  3. Faculty Senate

  4. Student Senate