Assessment Working Group
The Assessment Working Group (AWG) is a sub-working group of the Information Security Advisory Board (SAB).
The AWG assists the SAB in assessing and making recommendations about third party and/or vendor information systems and technology used cross-unit or university-wide. This group reviews and evaluates the information security risks of those systems and makes recommendations regarding them to the Board.
- The Office of the Chief Information Officer (OCIO) and university units proposing to use third party vendors (and/or vendor hosted information systems and technology) share responsibility for assessing and managing risks related to information systems and technology.
- The AWG has a separate role, and in fulfilling that role, relies on the reviews, reports and other information that OCIO’s Enterprise Security and The Ohio State University Wexner Medical Center data security teams create or present to the AWG.
- The AWG uses materials such as third party vendor risk assessment reports, the input of business stakeholders and the recommendations of IT staff and/or data steward(s) of the applicable university unit(s).
- The AWG follows the processes and procedures detailed in the university’s Risk Acceptance Function document to complete risk assessments.
The AWG is made up of no less than 10 members. The university’s Chief Information Security Officer (CISO) or his/her designee appoints members. Members may include staff representing the following areas within the university:
- OCIO IT Risk Management and Governance
- Ohio State University Wexner Medical Center Data Security Team
- Office of Compliance and Integrity
- University Registrar
- Office of Research Compliance
- Internal Audit
- Central Purchasing
- Technology, security, or compliance leaders of other university units (Minimum of 3)
Members may be removed, or new members appointed, at any time at the discretion of the CISO or the Board. Representatives of the Office of Legal Affairs provide legal support to the AWG as required.
Procedures and Meetings
- Regular meetings: The AWG meets at least once quarterly. The AWG generally meets on a monthly basis, except for months where there are conflicts with the university calendar or there are no assessments to be reviewed.
- Special meetings: The Director of OCIO IT Risk Management and Governance or a designee can schedule special meetings if necessary to ensure the timely review and recommendation of risk assessments.
- Organization: The Director of OCIO IT Risk Management and Governance or a designee will facilitate meetings and be responsible for scheduling, presiding over and acting as secretary of the meetings.
- Quorum: One half of the total number of current members constitutes a quorum for the transaction of business. When a quorum is present, the act of a majority is the act of the AWG.
- Recommendations: The AWG will review third party vendor risk assessments and report to the Board either recommending or rejecting a third party and/or vendor information system. The recommendation will guide what technology is used by the university. The Facilitator will summarize recommendation highlights from each meeting and provide the summary to the Board. If the AWG is unable to make a recommendation to the Board, the Director of OCIO IT Risk Management and Governance or a designee will provide notice to the Board and the Board will review the applicable assessment. The Facilitator or a designee will notify business stakeholder(s) of the recommendation in writing.
- Presence at Meeting: In-person participation is preferred. Members will also be considered present for purposes of a quorum if they attend by means of conference telephone or similar communications equipment, as long as all persons in the meeting can hear each other and participate.
- Invitees: Business stakeholder(s), IT staff and data steward(s) of university unit(s) may be invited to attend meetings as appropriate, related to the assessment(s) to be evaluated. The business stakeholder(s) and/or data steward(s) can appeal the assessment recommendation reached by the AWG to the Board for further review.
- Urgent Assessments: Under very limited circumstances, the AWG may hold a special meeting to consider a third party vendor risk assessment determined to be urgent and mission-critical by the CISO or a designee. Special meetings will only be used for time-sensitive risk assessments needed to enable a critical university business function, or if a delay to the next meeting would result in a material negative financial impact. In these cases, members will receive copies of the third party vendor risk assessment report and supporting documentation at least three (3) business days in advance for review and consideration.
The AWG will have the following responsibilities:
- Evaluate and discuss (with the authors of the third party vendor risk assessment, and the applicable business stakeholder(s), IT staff and data stewards) third party vendor risk assessments. Consider the business opportunity offered by the proposed third party and/or vendor-hosted information systems. Weigh the value the technology presents for the applicable business units or the university against the proposed management of the information and technology risks inherent to university operations.
- Consider and review any difficulties encountered during the course of review and preparation of the report. This includes any restrictions on the scope of the work and access to required information.
- Report the results of assessments to the Board with the recommendations the AWG deems appropriate.
- Review and update this Charter periodically as required. Any amendment to the Charter will be submitted to the Board for approval.