Assessment Working Group

The Assessment Working Group is a sub-working group of the Information Security and Trust Advisory Board.

The Assessment Working Group (AWG) assists the Information Security and Trust Advisory Board (STAB) in assessing and making recommendations about third-party and/or vendor information systems and technology used cross-unit or university-wide. This group reviews, evaluates and makes recommendations regarding these risks to the STAB.

OTDI and university units proposing to use third party vendors (and/or vendor hosted information systems and technology) share responsibility for assessing and managing risks related to information systems and technology. The AWG has a separate role, and in fulfilling that role, relies on the reviews, reports, and other information that OTDI’s Digital Security and Trust team and The Ohio State University Wexner Medical Center data security teams create or present to the AWG.

The AWG uses materials such as third-party vendor risk assessment reports, the input of business stakeholders, and the recommendations of IT staff and/or data steward(s) of the applicable university unit(s).

The AWG follows the processes and procedures detailed in the university’s Risk Acceptance Function document to complete risk assessments.

The AWG is made up of no fewer than ten members. The university’s Chief Information Security Officer (CISO) or his/her designee appoints members. Members may include staff representing the following areas within the university:

  • OTDI IT Risk Management and Governance
  • Wexner Medical Center Data Security Team
  • Office of Compliance and Integrity
  • University Registrar
  • Office of Research Compliance
  • Internal Audit
  • University Purchasing
  • Technology, security or compliance leaders of other university units (minimum of three)

Members may be removed, or new members appointed, at any time at the discretion of the CISO or the STAB. Representatives of the Office of Legal Affairs provide legal support to the AWG as required.


Procedures and Meetings

  1. Regular meetings: The AWG meets at least once quarterly. The AWG generally meets on a monthly basis, except for months where there are conflicts with the university calendar or there are no assessments to be reviewed.
  2. Special meetings: The director of OTDI IT Risk Management and Governance or a designee can schedule special meetings, if necessary, to ensure the timely review and recommendation of risk assessments.
  3. Organization: The director of OTDI IT Risk Management and Governance or a designee will facilitate meetings and be responsible for scheduling, presiding over, and acting as secretary of the meetings (the "Facilitator").
  4. Quorum: One half of the total number of current members constitutes a quorum for the transaction of business. When a quorum is present, the act of a majority is the act of the AWG.   
  5. Recommendations: The AWG will review third-party vendor risk assessments and report to the STAB, either recommending or rejecting a third-party and/or vendor information system. The recommendation will guide what technology is used by the university. The Facilitator will summarize recommendation highlights from each meeting and provide the summary to the Board. If the AWG is unable to make a recommendation to the Board, the director of OTDI IT Risk Management and Governance or a designee will provide notice to the Board, which will then review the applicable assessment. The Facilitator or a designee will notify business stakeholder(s) of the recommendation in writing.
  6. Presence at Meeting: In-person participation is preferred. Members will be considered present for the purposes of a quorum if they attend by means of a conference telephone or similar communications equipment, as long as all people in the meeting can hear each other and participate. 
  7. Invitees: Business stakeholder(s), IT staff, and data steward(s) of university unit(s) may be invited to attend meetings as appropriate, related to the assessment(s) to be evaluated. The business stakeholder(s) and/or data steward(s) can appeal the assessment recommendation reached by the AWG to the STAB for further review.
  8. Urgent Assessments: Under very limited circumstances, the AWG may hold a special meeting to consider a third-party vendor risk assessment determined to be urgent and mission critical by the CISO or a designee. Special meetings will only be used for time-sensitive risk assessments needed to enable a critical university business function, or if a delay to the next meeting would result in a material negative financial impact. In these cases, members will receive copies of the third-party vendor risk assessment report and supporting documentation at least three business days in advance for review and consideration.


Responsibilities

The AWG will have the following responsibilities:

  1. Evaluate and discuss third-party vendor risk assessments with the author(s) of said assessment and the applicable business stakeholder(s), IT staff, and data steward(s). Authors of these risk assessments should consider the business opportunity offered by the proposed third-party and/or vendor-hosted information systems and weigh the value the technology presents for the applicable business unit(s) or the university against the proposed management of the information and technology risks inherent to university operations.
  2. Consider and review any difficulties encountered during the course of review and preparation of the report. This includes any restrictions on the scope of the work and access to required information.
  3. Report the results of assessments to the STAB with the recommendations the AWG deems appropriate.
  4. Review and update this Charter periodically as required. Any amendment to the Charter will be submitted to the Board for approval.