Security Advisory Board
The Information Security Advisory Board (the “SAB”) was established by the Senior Vice President and Chief Financial Officer. It reports to the University Risk Management Committee (the “Committee”) of The Ohio State University. Documents relevant to this group include:
- Risk Acceptance Function
- Information Security Risk Assessment Service
- Cloud Assessment Registry
The Information Security Advisory Board (SAB) ensures effective oversight of the university's information and technology risk management and compliance practices. The SAB’s goal is to support the University’s mission and core values while managing information and technology risks inherent in university operations.
The SAB consists of at least 12 members, appointed by the Chief Information Security Officer. A list of the SAB members can be found here.
Procedures & Meetings
The SAB meets as frequently as necessary or advisable in order to perform its responsibilities. It plans meetings by taking into account developments since the most recent meeting, including changes in the University’s organization and business segments, and any change in economic or higher education industry conditions. Regular meetings are held at least quarterly.
The Ohio State University Chief Information Officer (CIO) is chairperson (the “Chairperson”) of the SAB. The CIO may designate chairperson duties to the Chief Information Security Officer as necessary. The Chairperson schedules and presides over meetings.
The SAB will accept or reject items presented for consideration based on the majority of voting members present at the time of the vote. A minimum of 7 members must be present to form a voting quorum.
On the advice of the Enterprise Security team, the SAB creates working groups of subject matter experts to create and modify standards, guidelines, requirements and practices. These working groups meet monthly as long as they are in effect and report to the SAB. A permanent working group has been created to evaluate and assess risk acceptance activities.
The CIO or designee will provide an Annual Report to the Risk & Compliance Committee. The report will summarize SAB activities and report on significant information security activities in the current reporting period.
The SAB assists the Committee in fulfilling its responsibility for oversight of the university’s information and security risk management practices, and monitoring and control of the university’s information and security risk exposures, by performing the following tasks, in each case subject to the supervision and oversight of the University Risk Management Committee, as necessary or advisable:
- Ensure that guidelines, controls or other procedures (which may include procedures currently used by the University) are established that are designed to appropriately manage the University’s exposure to information and technology risk and ensure compliance with relevant laws and regulations.
- Discuss with the Committee, as necessary or advisable, relevant information with respect to the Committee’s proceedings, including the SAB’s oversight and review of the University’s Information Risk Management Framework and its policies, procedures, and practices employed to manage information and technology risk.
- Periodically review the University Information Risk Framework and Survey results, and recommend actions as necessary or advisable to the Committee for approval.
- Recommend and monitor ongoing mitigation
- Review the results from any incidents that arise from the Data Incident Response team, to recommend adjustments to policies, controls or procedures as necessary.
- Perform such other responsibilities as the Committee may assign to it from time to time.
SAB Membership Responsibilities
SAB Members are responsible for participating in quarterly meetings, or sending qualified designees when absences cannot be avoided. Members are required to:
- Identify representatives to sub-working groups, to ensure university-wide representation according to the focus of the working group
- Participate in SAB voting procedures
- Ensure SAB decisions are communicated to their units
- Complete all assigned SAB action items
The Information Security Advisory Board Charter can be found here.