OSU IT Security Framework

Essential steps are being taken across the university to identify, locate, and protect our most valuable information assets. Information security policies, such as the Institutional Data policy and the Disclosure or Exposure of Personal Information policy, are being implemented to support the university’s teaching, research, and outreach missions while protecting the privacy of university community members and clients. All of these efforts will soon be joined under the umbrella of the IT Security Framework.
What is a Security Framework?
An IT Security framework is the foundation for an effective, enterprise-wide security program. Ohio State University has adopted the International Standards Organization's (ISO) Information Security Framework documented as ISO 27001 and 27002.
The ISO Security Framework
The ISO framework covers the processes, policies and procedures used here at the university that protect and govern information security. The framework is a method of establishing, implementing, reviewing, maintaining and improving the security programs throughout the university community.
The Elements of the Security Framework
The framework itself covers 11 elements (also called domains) with overlap and interaction. These elements encompass various areas of policy and procedure with an emphasis on "BEST PRACTICE" and risk-based assessments.
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
IT Security Framework Terms
Certain words are commonly used when developing and discussing the IT Security Framework. For your convenience, their meanings as they relate to this field are outlined below.
- asset: Anything that has value for an organization.
- control: Means of managing risk; includes policy, procedure, guidelines, practices or organizational structures that can be administrative, technical, managerial or legal in nature. Controls are synonymous with safeguard or countermeasure.
- guideline: A directive or description that clarifies what and how something should be accomplished to achieve objectives set forth in policy.
- information security: The preservation of confidentiality, integrity and availability of information.
- policy: The overall intention and direction as formally expressed by management.
- risk: The combination of an event's probability and its consequences.
- risk analysis: The systematic use of information to identify sources and estimate the related risk.
- risk assessment: The process of risk analysis and risk evaluation.
- risk evaluation: The comparative process where estimated risk is rated and prioritized based upon its assumed organizational impact.
- threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.
- vulnerability: The weakness of an asset or group of assets that can be exploited by a threat or threats.
