. .

Site Menu


Minimum Computer Security Standard

June 29, 2007
Comments on this standard should be sent to ITSecurity@osu.edu

Link to Compensating Control & Exception Request page

I. General Statement

The Ohio State University data network is a shared resource used by the entire university community and its affiliates in support of the university’s business practices and academic missions. Access to the data network is both an essential tool for university life and work and a valuable privilege. University units and community members must cooperate to protect the network by securing computer and network devices in order to preserve that access.

The Chief Information Officer (CIO) is responsible for the efficient, effective and secure operation of the university data network. Concurrently, academic, administrative and support units are responsible for the efficient, effective and secure operation of their local networks.

The Minimum Computer Security Standard (MCSS) is designed to help protect the university’s central and distributed telecommunications and computing environment from accidental or intentional damage and from alteration or theft of data while preserving university community members’ appropriate access and use.

The MCSS is one of four interrelated Standards, each of which addresses a different aspect of computer, network and data security. These include the Critical Computer Security Standard, Database Computer Security Standard and Web Services Computer Security Standard and are available here.

II. Scope

This Standard applies to all computer and telecommunications devices, whether owned by the university, a university community member or a 3rd party organization, that connect to the university data network or support infrastructure either directly or indirectly. Compliance with the standard is the responsibility of all university community members, including students, faculty, staff, agents, guests or employees of affiliated entities who connect a device, either directly or indirectly, to the university data network or support infrastructure.

III. The Minimum Computer Security Standard (MCSS)

A. Each device must meet the following minimum standards prior to and after connecting to the university data network or support infrastructure:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
2. Current operating system and application software with current security patches must be installed.
3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
B. Academic, Administrative, and Support unit information technology staff must:
1. Develop or obtain and deploy processes and procedures to automatically check for firewall activation and to install operating system and application software security patches, as well as virus protection updates, for all devices that connect to network resources in the unit’s areas of physical or administrative control.
2. Develop or obtain and deploy automated tools to test each device connecting or connected to their local wired or wireless data network for compliance with these standards and disconnect, disable or quarantine any noncompliant device until it is brought into compliance.
3. Certify that the devices connecting to their network are in compliance with this Standard.
C. Passwords, including those used with university name.n Internet user names, may not be shared with others and must be changed periodically.
D. In some cases it may not be possible to bring a device into compliance. For example, older laboratory equipment software may not operate with current operating systems or security patches. In these cases operating units or individuals and their information technology staff must employ compensating controls. In rare cases an exception may be made if no compensating control is possible. Units must document compensating controls and any exception. These must be reviewed, tested, and approved by the CIO Security Group and the operating unit or individual must retain the approved documentation for audit so long as the device is in operation.
E. University academic and administrative units may specify additional standards requirements within their physical or administrative areas of responsibility. Units must document, annually review, update as needed and publish additional requirements, preferably on a unit web site. Additional standards may strengthen or extend but not weaken this Standard’s provisions.
F. Any connection to the Internet or to a national or regional network from a private network operated by a university academic, administrative or support unit must be made through the university’s data network, OSUNet. The Executive Vice President and Provost, CIO, and unit head must approve any exceptions to this requirement.

IV. Enforcement

All university community members using computing and communications devices at the university and all computing and communication devices connected to university resources in any manner must comply with this Standard. Central and distributed unit information technology staff will scan or examine devices for compliance and will disconnect any noncompliant device from the university data network and support infrastructure until the device is brought into compliance. In addition, central and distributed unit information technology staff may seize or quarantine noncompliant university-owned devices.

Individual university community members who do not comply with this standard are in violation of the Policy on Responsible Use of University Computing and Network Resources. In accordance with that policy, violators may be denied access to university computing resources and may be subject to other penalties and disciplinary action including university disciplinary procedures appropriate to their university status.

V. Appeals

Decisions or measures taken to implement this standard may be appealed to the Chief Information Officer through the CIO Office Director of Information Technology Policy and Services by sending an e-mail to ITPolicy@osu.edu.

VI. Definitions

Compensating Control – A compensating control is an alternate but effective means of meeting the goal or spirit of a requirement of this Standard.
Device – For the purposes of this Standard, a device includes items such as any fixed or portable computer, laptop or handheld computer, electronic data storage mechanism or removable media, input or output device attached to or used by a computer, personal digital assistant, cellular phone.
Exception – An exception occurs when a requirement of this Standard cannot reasonably be met and no compensating control can be implemented.
Noncompliant Device – A noncompliant device is a device that does not meet the requirements of this Standard.
Support Infrastructure – The support infrastructure includes university-provided services and facilities such as electric power, voice telephone lines, and buildings and other structures.
University Community Member – A university Community Member is a student, faculty or staff member, personal or university guest or agent, or employee of an affiliated entity.
University Data Network – The university data network includes university telecommunications facilities such as the OSUNet data network with all wired or wireless attached tributaries including RESNet, OSUWireless, academic and administrative unit network facilities, network facilities serving affiliates or tenants, university connections to Internet Service Providers such as OARNet, and any ad-hoc or temporary network of university owned devices not connected to OSUNet.

Submit comments and suggestions by e-mail to ITSecurity@osu.edu.
Return to the University Computer Security Standard Page