
Minimum Computer Security Standard (MCSS) FAQ

Below are common questions regarding the MCSS. If your question is not listed below, please use the email form at the bottom of this page to contact us.

  1. What is the definition of devices?
  2. What is the definition of automated?
  3. What is the definition of auditable?
  4. What is the definition of reasonable? Timely? Current? Up-to-date?
  5. What is the definition of authentication?
  6. Where do I send my questions about implementing the MCSS?
  7. What is the role of the Office of the CIO?
  8. What is the timeline for compliance?
  9. What do you consider to be restricted data?
  11. Identifying which of the many faculty computers hold educational records is difficult. Do you have suggestions for how to do this?
  12. SSNs have been removed from class rosters, but since a roster still contains student enrollment information, is the roster restricted?
  12. How do we demonstrate that a device does not have restricted data, especially if it is stolen?
  13. In the case of paper and desktops, is a locked office a sufficient physical security measure?
  14. Is a cable necessary if the laptop is encrypted?
  15. My network is protected by a firewall appliance. Is this sufficient to satisfy the firewall requirement for all devices on my network?
  16. A firewall prevents things from coming in. Won’t this block the automatic updates?
  17. Does the definition of devices include devices that are remotely connecting to the network to access webmail, calendars, etc.?
  18. What about vendor software that is no longer supported?
  19. What is the exemption process?
  20. How should we document compensating controls?
  21. Is there more PGP encryption software?
  22. Does NAC work on a Mac?
  23. Does my college/unit have to use NAC?
  24. How do we count and certify for faculty who need to maintain administrative accounts on local machines?
  25. What about publicly accessible servers/folders where faculty and students can put and access materials? How do we certify these locations?
  26. I have questions about the Information Security monthly reports. Where do I go to learn more?
  27. Where can I learn more about possible solutions? Where can I learn more about what other colleges/units are doing to meet the MCSS?

What is the definition of devices?

Any network-connectable device, including any fixed or portable computer, laptop or handheld computer, electronic data storage mechanism or removable media, input or output device attached to or used by a computer, personal digital assistant, cellular phone, server, printer, or router. Devices that are supplied an IP address from an OSU source are also included.
This definition is flexible, but units should use their best judgment in interpreting which computing devices are of concern under the MCSS. While the above definition could be read as including keyboards and mice, devices of this nature are not considered relevant unless they are subject to attacks or exploits - for instance because of built-in storage or an operating system.
If you have questions about the need to report and secure a device or class of devices please feel free to send an inquiry to security@osu.edu.

What is the definition of automated?

When an update or patch is made available, it is applied automatically without requiring manual intervention. Availability can be determined by the administrator of the system after a testing period or upon release from the vendor. Units have discretion over how to apply and test patches so as to prevent conflicts with software, but the process is expected to be completed in a prompt and timely manner so that systems stay current with security releases and are protected against exploits and vulnerabilities.

What is the definition of auditable?

The device has a log or other function that demonstrates that the product is current and working.


What is the definition of authentication?

Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.

What is the definition of reasonable? Timely? Current? Up-to-date?

The definitions for all of these terms throughout the standard have been left purposefully elastic to allow for situations and use cases throughout the university. In the case of "reasonable" and "timely", local units are urged to help define these terms in their policy and procedures. Adding a specific time frame may not be appropriate to all situations.
"Current" and "up-to-date" are also flexibly defined as not every device or security technique can be implemented, tested and vetted immediately and local units need time to consider the impact of changes on the programs, hardware and end users. We do not want to encourage or force reckless changes on the university environment in the name of security - merely promote proper implementation in the proper time frame.
If units have questions about local policy, or are concerned that these terms are being applied too flexibly and that processes or procedures are not properly addressing security concerns, the CIO Security group will be happy to review and suggest options upon request.
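As an added example (not part of this FAQ or of any OSU tool), the definitions of "automated", "auditable" and "timely" given above can be turned into a concrete check: read the log an update agent leaves behind and decide whether it demonstrates that patching is current and the host firewall is on. The log format, the field names and the 30-day window are assumptions chosen for illustration; a unit would substitute its own.

```python
"""Compliance check built on the FAQ's definitions (added example, assumed log format)."""
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical update/firewall agent (not a real product).
SAMPLE_LOG = """\
2008-02-01T02:00:05 patch applied KB-EXAMPLE-1 status=ok
2008-02-15T02:00:07 patch applied KB-EXAMPLE-2 status=ok
2008-03-01T02:00:09 patch applied KB-EXAMPLE-3 status=failed
2008-03-01T02:05:00 firewall state=enabled
"""

MAX_PATCH_AGE = timedelta(days=30)  # the unit-defined "timely" window (assumed value)


def parse_log(text):
    """Turn each log line into (timestamp, kind, key=value fields)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines rather than failing the audit
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        records.append((ts, parts[1], fields))
    return records


def assess(text, as_of, max_age=MAX_PATCH_AGE):
    """Evaluate the log as of a YYYY-MM-DD date and return the findings."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    records = parse_log(text)
    ok_patches = [ts for ts, kind, f in records if kind == "patch" and f.get("status") == "ok"]
    failed = [ts for ts, kind, f in records if kind == "patch" and f.get("status") == "failed"]
    fw_states = [f.get("state") for ts, kind, f in records if kind == "firewall"]
    last_ok = max(ok_patches) if ok_patches else None
    return {
        "auditable": bool(records),  # "auditable": a log exists that shows the product working
        "patch_current": last_ok is not None and now - last_ok <= max_age,  # "current"/"timely"
        "patch_failures": len(failed),  # a failed automated run still needs attention
        "firewall_enabled": bool(fw_states) and fw_states[-1] == "enabled",
    }


def compliant(findings):
    """A device passes only if every finding is satisfactory."""
    return all((findings["auditable"], findings["patch_current"],
                findings["firewall_enabled"], findings["patch_failures"] == 0))
```

With the sample log the device is not compliant on 2008-03-10 because the latest patch run failed, even though an earlier successful run falls inside the window.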

Where do I send my questions about implementing the MCSS?

The Office of the CIO Security Group can answer questions about implementing the MCSS. You can submit questions via the email form at the bottom of this page.

What is the role of the Office of the CIO?

The Office of the CIO is serving as a facilitator in implementing the MCSS and as an information resource. The office is also taking steps to implement the MCSS and will serve as a model for other colleges and units. Information on the process, successes, and lessons learned will be shared with other colleges and administrative units to aid in their implementation plans. In addition, materials for user outreach are provided on the BuckeyeSecure website and opportunities for workshops are available. Workshops can be scheduled by contacting the Office of the CIO Security group at security@osu.edu.

What is the timeline for compliance?

The university must be in compliance with the Minimum Computing Security Standards and device data encryption by March 23, 2008. Obstacles to meeting compliance should be recorded in the unit's monthly information security plans.


What do you consider to be restricted data?

The restricted data elements consist of everything listed on the BuckeyeSecure website's Restricted Data Elements list, including grades. It should be noted that this is a dynamic list and should be periodically checked to see if any additional elements have been included.

Identifying which of the many faculty computers hold educational records is difficult. Do you have suggestions for how to do this?

We understand that there is no scanner that can locate every type of information; therefore, our recommendation is to install encryption on these computers. In addition, scanners only show a snapshot in time. It is also advisable to protect portable devices that may contain this information, or to prohibit their use.

SSNs have been removed from class rosters, but since a roster still contains student enrollment information, is the roster restricted?

According to FERPA, student enrollment information is classified as a restricted data element and should be protected accordingly, regardless of whether the SSN is still included. For a list of restricted data elements, refer to the BuckeyeSecure website Restricted Data Elements list. In addition, student enrollment information stored on CD, DVD, thumb drives and other portable devices must be encrypted, cleansed, or destroyed. Off-site back-ups containing this information must also be encrypted.


How do we demonstrate that a device does not have restricted data, especially if it is stolen?

During our analysis, the incident response team will need to determine what the machine was used for and “guess” at the likelihood that restricted data was present.

In the case of paper and desktops, is a locked office a sufficient physical security measure?

No. Because of the access to offices afforded to various people in the university, it is important to recognize that a locked door is not adequate. Consider securing desktops with retaining cables or locking files in a secured cabinet for protection. Some desktop systems are as easy to take as a mobile device because of their size. Additionally, consider training faculty, students and support staff to question anyone who appears to be moving or transporting equipment or files from a locked room - even if they suspect the individual may have a legitimate reason to do so.

Is a cable necessary if the laptop is encrypted?

No, but the extra physical security measure may be wanted to protect the equipment and the unit’s investment.


My network is protected by a firewall appliance. Is this sufficient to satisfy the MCSS firewall requirement for all devices on my network?

Not for all devices connected to the network. Devices that have no native firewall capability can be protected in this way from external attacks, but if a device or its operating system has an intrinsic firewall (e.g. the built-in Windows and Mac firewalls) or can run a local software firewall (such as ZoneAlarm), then that firewall must be enabled to satisfy the MCSS requirement.

A firewall prevents things from coming in. Won’t this block the automatic updates?

It may be necessary to open a port on a scheduled basis so the updates can be downloaded.

Does the definition of devices include devices that are remotely connecting to the network to access webmail, calendars, etc.?

If the device is issued an IP address from an OSU source, it counts.


What about vendor software that is no longer supported?

Certain application software, such as vendor software that is no longer supported, may qualify for an exemption under the compensating control and exemption process. To find out, contact the Office of the CIO Security group (security@osu.edu) and review the information on Compensating Controls.

What is the exemption process?

In rare cases an exemption may be made if a device cannot be brought into compliance with one or more of the MCSS elements and the element(s) cannot be addressed via a compensating control or controls. More information about this process is on the Information Security Compensating Controls page.

How should we document compensating controls?

In the case of compensating controls, units must request compensating controls using the process described on the Information Security Compensating Controls page. Questions about compensating controls should be directed to the Office of the CIO Security group at security@osu.edu.


Is there more PGP encryption software?

Licenses are still available for purchase. Contact Greg Niemeyer (niemeyer.8) for more information about purchasing licenses. Those operating Macs should use FileVault.

Does NAC work on a Mac?

Several solutions will support Macs. More information will be available over the coming months.

Does my college/unit have to use NAC?

No. NAC is one possible solution for providing the automated validation of MCSS compliance. Your individual college or unit should determine which solution works best for your environment and needs.


How do we count and certify for faculty who need to maintain administrative accounts on local machines?

Our recommendation is to begin cataloging these situations and then determine which solutions are available and what the risks are of an individual maintaining administrative rights. When and if it is necessary to delegate responsibility to an individual, the unit should have a signed statement for all parties involved and the Dean/Chair should be made aware of the situation. We highly encourage a unit to document as much of this process as possible.

What about publicly accessible servers/folders where faculty and students can put and access materials? How do we certify these locations?

If these are intended to be temporary storage locations, then the unit can wipe or refresh nightly (or a time frame of your choice). If the storage is needed for longer periods of time, then it should be encrypted.

I have questions about the Information Security monthly reports. Where do I go to learn more?

Information on the monthly reporting process is located on the Information Security Implementation Plan page, under Tools & Templates in the right navigation bar. This page includes the link to access your unit's monthly report, instructions for completing the report, and frequently asked questions.


Where can I learn more about possible solutions? Where can I learn more about what other colleges/units are doing to meet the MCSS?

The Office of the CIO Security Group can be consulted on possible solutions for the MCSS. They can be contacted via email at security@osu.edu. Members of the security group can also meet with individuals from your unit to discuss implementation questions or issues.
In addition, DISTCONS is a network of computer support staff distributed throughout the university and the OIT personnel who work with them. This community serves as a sounding board for solutions that other colleges and units are using to meet compliance with the MCSS. Membership information is available at http://8help.osu.edu/2363.html.



Further Questions?

If you have a question about the above standard, please use the form below to contact the Office of the CIO. We will respond to your inquiry as soon as possible.
