Ohio State’s Enterprise Security group developed the Information Risk Management Program (IRMP), commonly referred to as the "Security Framework," to manage information security risk to Ohio State’s information systems and assets. The IRMP has produced a series of information security and risk management documents to assist organizations in understanding the program and in implementing strategies to manage information risk. To learn more click on one of the areas below.
- Information Risk Management Framework (IRMF)
- ISCR Attestation (ISCR.a)
- Information Security Control Requirements (ISCR)
- Information Security Standard (ISS)
- Information Security Self-Assessment (ISSA)
OSU's Information Risk Management Program has been developed with three broad goals:
1. Simplified design. Standards are often lengthy and complex. For example, NIST SP 800-53 has over 200 controls. The new program defines 30 risk areas, grouped into seven business functions in eight pages.
2. Structured for business leaders, managers and IT professionals. Information security standards are generally written for IT or risk management professionals. The new program has been written and organized for non-technical business managers with linkage to security controls, procedures and job aides for IT professionals. Risks are categorized into seven different business functions that cross most organizations:
- management risk
- legal risk
- business (finance) risk
- purchasing risk
- human resources risk
- facilities risk
- information technology risk
An eighth category is "institutional data risk", which is separated as this risk crosses all business functions.
3. Prioritized. Standards typically don’t offer concrete guidance in how to prioritize risk. The new program specifies risk priority levels for each risk area, making it clear which risks to address first:
- P1 (critical priority)
- P2 (high priority)
- P3 (medium priority)
Finally, the new Information Risk Management Program is built on the premise that information security and information risk management is a university responsibility, not exclusively an IT responsibility.
Information Risk Management Process
As part of the new Information Risk Management Program, OSU is implementing a new three-step process for managing information risk:
1. The first step is to assess information risks. This step involves identifying and prioritizing risks to your business information resources (Internet hacking, stolen laptops, government regulations, etc.). Additionally, a risk treatment plan is created, which defines the information risks your business ranks as too high to tolerate.
2. The second step is to implement an information security program. The goal of this step is to reduce or eliminate the risks identified in the previous step. This is a very pragmatic way to implement information security: the focus is on business risks and not on the latest available technology.
3. The third step is to verify compliance, with both your information security program and with applicable laws and regulations. This step assures the business owners that information risks are being managed.
Using this three-step process, all OSU departments can make measurable improvements to their information security–with a corresponding measurable reduction of their information risks.