
Information Security Standards

Standards

The Information Security Office, in collaboration with the IT Security Governance Committee, develops standards for the protection of University data and systems. The standards set the minimum necessary controls, but do not relieve the University or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. Because standards may address minimum controls based on data type, data owners must properly classify their data as outlined in the University's Data Classification policy before implementing a standard.

Standards, both in final and draft state, are available to anyone with valid OHIO credentials. While draft standards may have slight changes once implemented in their final state, they still provide industry best practices for various facets of information handling. 

Exception Process

Those who feel that they cannot meet the obligations set forth in a given Ohio University Information Security Standard must complete the Information Security Exception Request Form. Requests for exception from an Information Security Standard are reviewed by the Information Security Office. The risks of not meeting a given standard are communicated to the requestor and the authorized individuals within the institution who can accept the risk on its behalf. This is in accordance with Ohio University’s Information Security Risk Management Policy (91.006).

Additional Guidance

For those topics that are not explicitly referenced above, or for additional guidance, the NIST 800 Series Publications are to be used. The Information Security Office follows NIST as its framework for consultation provided to the University departments and within the Office of Information Technology (OIT) for the prioritization of security controls.
