Research Security Standards Technical Working Group
The Research Security Standards Technical Working Group (RSTG) is a sub-working group of the Information Security Advisory Board (SAB).
Its mission is to identify and recommend processes, technology, and controls that can be implemented for research systems in order for the university to fulfill and maintain its compliance obligations to data security standards and regulations in a consistent, cost-effective manner based on an agreed upon university interpretation.
More specifically, the RSTG’s purpose will be to advise on the process, technology, controls and best practices that can be applied in order for the university to fulfill and maintain its compliance obligations with specific federal and industry data security standards and regulations that are contractually specified.
Procedures and Meetings
The following provides the standard operations and procedures the RSTG will follow to fulfill its purpose and mission.
- Regular meetings: The RSTG will meet at least once quarterly. It is anticipated the RSTG will generally meet on a more regular basis.
- Special meetings: When and if necessary, special meetings of the RSTG may be called by the SAB, the university Chief Information Security Officer (CISO) or other designee in order to perform its responsibilities of reviewing and making process, technical, and control recommendations with respect to a new or particularly impacting research data security standard or regulation in a timely manner.
- Organization: The Director of Enterprise Security Risk Management, or a designee, will act as the facilitator of the RSTG (the “Facilitator”). The Facilitator will be responsible for scheduling, logistics, presiding over meetings and assigning an individual to act as secretary of a meeting.
- Quorum: At all meetings, the presence of one half of the total membership will constitute a quorum for the transaction of business, and the act of a majority of the members present at any meeting at which there is a quorum will be the act of the RSTG.
- Presence at Meeting: In-person participation is preferred. Members may send designees to act on their behalf if they are not able attend a meeting.
- Deliverables: Minutes, standards interpretations, technology and control implementation recommendations, and best practices will be documented and made available to the SAB for feedback and approval. At the direction of the SAB, the RSTG will share these deliverables with the university technical and research community for comment, feedback and information.
- Communication: The RSTG will establish a standard group email list and a shared location accessible by all RTSG and SAB members to store and collaborate on deliverables.
The RSTG will have the following objectives and responsibilities:
- Evaluate and discuss the data security regulations and standards that are contractually applicable to research at Ohio State per the direction of the SAB.
- Recommend and document an agreed-upon university interpretation regarding the implementation of processes, technology, controls and best practices that meet the following objectives:
- Can be applied to fulfill university compliance obligations with the regulations or standards.
- Reasonably protect the applicable research data and systems from unauthorized access or data exposure.
- Consider and review the difficulties and cost researchers or their supporting staff will encounter in the implementation of said recommendations in (2.) and propose, whenever possible, processes, technology, and solutions that are cost efficient, and as unobtrusive to research as possible while meeting the objectives in (2a) and (2b).
- Report status of deliverables to the SAB on a regular basis.