
Information Security Implementation Plan FAQ

Below are common questions regarding the Information Security Implementation Plan. If your question is not listed below, please use the email form at the bottom of this page to contact us.

  1. What level should the primary contact be?
  2. Which devices should be counted? All of them or just the ones that have restricted data?
  3. What about back-up tapes that have restricted data – should these be included?
  4. What are we including as restricted data?
  5. Identifying the computers with educational records on them is difficult with all of the faculty computers. Do you have suggestions for how to do this?
  6. Is our unit responsible for the centers or institutes? Should we include these numbers in our counts? Is the college responsible for picking up those faculty members located in the centers or institutes?
  7. SSNs have been removed from class rosters, but since the roster still contains student enrollment information, is it restricted?
  8. How do we demonstrate that a device does not have restricted data, especially if it is stolen?
  9. What would be considered a “policy to protect restricted data on mobile devices”?
  10. What is considered an “additional measure…to increase physical security of mobile devices”?
  11. In the case of paper and desktops, is a locked office a sufficient physical security measure?
  12. Is a cable necessary if the laptop is encrypted?
  13. What is the definition of devices?
  14. What is the definition of automated?
  15. What is the definition of auditable?
  16. My network is protected by a firewall appliance. Is this sufficient to satisfy the firewall requirement for all devices on my network?
  17. A firewall prevents things from coming in. Won’t this block the automatic updates?
  18. Does the definition of devices include devices that are remotely connecting to the network to access webmail, calendars, etc.?
  19. Where do I count vendor software that is no longer supported?
  20. What is the definition of authentication?
  21. Is there more encryption software?
  22. Does NAC work on a Mac?
  23. How do we count and certify for faculty who need to maintain administrative accounts on local machines?
  24. What about publicly accessible servers/folders where faculty and students can put and access materials? How do we certify these locations?



What level should the primary contact be?

Each college was asked for an administrative contact as well as an IT contact. Either one of these can be the primary contact.

Which devices should be counted? All of them or just the ones that have restricted data?

Section II, question 1 asks for those devices containing restricted data; however, you may count all of the devices within your unit. You are not required to include devices that do not hold restricted data, but if you do include them, indicate this in your comments.

What about back-up tapes that have restricted data – should these be included?

Yes. However, to prevent the quantity of backup tapes from obscuring overall progress toward core device compliance, we suggest you record the number of backup tapes, and the number of those that are encrypted, in the comment field of Section II, question 1 on the web report rather than in the restricted data device totals. Please indicate whether these backup tapes are being sent off-site or outside of university control.


What are we including as restricted data?

The restricted data elements consist of everything listed on the BuckeyeSecure website's Restricted Data Elements list, including grades. It should be noted that this is a dynamic list and should be periodically checked to see if any additional elements have been included.

Identifying the computers with educational records on them is difficult with all of the faculty computers. Do you have suggestions for how to do this?

We understand that no scanner can locate every type of information, and a scan only shows a snapshot in time; therefore, our recommendation is to install encryption on these computers. It is also advisable to protect portable devices that may contain this information, or to prohibit their use.

Is our unit responsible for the centers or institutes? Should we include these numbers in our counts? Is the college responsible for picking up those faculty members located in the centers or institutes?

First, ask whether the center or institute is in your network domain or not. If so, then the center or institute should be included in your counts. Second, ask who administers the machine. The administrator for that machine should be responsible.


SSNs have been removed from class rosters, but since the roster still contains student enrollment information, is it restricted?

According to FERPA, student enrollment information is classified as a restricted data element and should be protected accordingly, regardless of whether the SSN is still included. For a list of restricted data elements, refer to the BuckeyeSecure website's Restricted Data Elements list. In addition, student enrollment information stored on CDs, DVDs, thumb drives and other portable media must be encrypted, cleansed, or destroyed. Off-site backups containing this information must also be encrypted.

How do we demonstrate that a device does not have restricted data, especially if it is stolen?

During our analysis, the incident response team will need to determine what that machine was used for and estimate the likelihood that restricted data was present.

What would be considered a “policy to protect restricted data on mobile devices”?

Examples include policies that prohibit storage of restricted data on mobile devices, enforce encryption on mobile devices, set requirements for physical storage, or restrict or prohibit the use of PDAs or thumb drives.


What is considered an “additional measure…to increase physical security of mobile devices”?

Examples include deploying physical security measures for portable devices, such as laptop locks, or eliminating the ability to use USB drives.

In the case of paper and desktops, is a locked office a sufficient physical security measure?

No. Because of the access to offices afforded to various people in the university, a locked door is not adequate. Consider securing desktops with retaining cables and locking files in a secured cabinet. Some desktop systems are as easy to take as a mobile device because of their size. Additionally, consider training faculty, students and support staff to question anyone who appears to be moving or transporting equipment or files from a locked room, even if they suspect the individual may have a legitimate reason to do so.

Is a cable necessary if the laptop is encrypted?

No, but the extra physical security measure may be wanted to protect the equipment and the unit’s investment.


What is the definition of devices?

Any network-connectable device, including any fixed or portable computer, laptop or handheld computer, electronic data storage mechanism or removable media, input or output device attached to or used by a computer, personal digital assistant, cellular phone, server, printer, or router. Devices that are supplied an IP address from an OSU source are also included.

What is the definition of automated?

When an update or patch is made available, it is applied automatically, without requiring manual intervention. "Available" may be defined by the system administrator as the point after a testing period or as the moment of release from the vendor. The unit has discretion over how to apply and test patches to prevent conflicts with software, but this process is expected to be completed in a prompt and timely manner so that systems stay current with security releases and are protected against exploits and vulnerabilities.

What is the definition of auditable?

The device has a log or other function that demonstrates that the product is current and working.


My network is protected by a firewall appliance. Is this sufficient to satisfy the MCSS firewall requirement for all devices on my network?

Not for all devices connected to the network. Devices that lack a native firewall capability can be protected from external attacks in this way. However, if a device or its operating system has an intrinsic firewall (e.g., the built-in Windows and Mac firewalls) or the capability to run a local software firewall (such as ZoneAlarm), then that local firewall must be enabled to satisfy the MCSS requirement.

A firewall prevents things from coming in. Won’t this block the automatic updates?

It may be necessary to open a port on a scheduled basis so the updates can be downloaded.

Does the definition of devices include devices that are remotely connecting to the network to access webmail, calendars, etc.?

If the device is issued an IP address from an OSU source, it counts.

Where do I count vendor software that is no longer supported?

Software that is no longer supported should be counted under “not started.” Certain application software may qualify for an exemption under the compensating control and exemption process.


What is the definition of authentication?

Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.

Is there more encryption software?

Licenses are still available for purchase. Contact Greg Niemeyer (niemeyer.8) for more information about purchasing licenses. Those operating Macs should use FileVault.

Does NAC work on a Mac?

Several solutions will support Macs. More information will be available over the coming months.


How do we count and certify for faculty who need to maintain administrative accounts on local machines?

Our recommendation is to begin cataloging these situations, then determine which solutions are available and what the risks are of an individual retaining administrative rights. When it is necessary to delegate this responsibility to an individual, the unit should hold a signed statement from all parties involved, and the Dean or Chair should be made aware of the situation. We highly encourage units to document as much of this process as possible.

What about publicly accessible servers/folders where faculty and students can put and access materials? How do we certify these locations?

If these are intended to be temporary storage locations, the unit can wipe or refresh them nightly (or on a schedule of your choice). If the storage is needed for longer periods of time, it should be encrypted.



Further Questions?

If your question is not listed in the FAQ above, please use the contact form to reach the Office of the CIO. We will respond to your inquiry as soon as possible.
