College/Unit Information Security Coordinators

The Ohio State IT Security Policy specifies the requirement for establishing security representatives from colleges, units, and campuses. The security representative, known as the Information Security Coordinator serves as the unit liaison with Enterprise Security for security-related matters and activities, and is responsible for the execution of Security activities in the College or Unit.

Responsibilities

  • Primary point of contact for the implementation of the security framework in their unit
  • Attends monthly Information Security Coordinator meetings
  • Provides input and feedback on current and future security standards and initiatives
  • Ensures the review of internal processes, standards, guidelines, requirements, and practices
  • Coordinates unit-level efforts on regulatory compliance, including completion of annual surveys, assessments and Security strategies
  • Identifies unit security training needs and works with the unit training coordinator to ensure completion of training requirements
  • Facilitates the protection of institutional data collected in accordance with policies
  • Facilitates remediation, recovery, and reporting of  proven or suspected exposure or disclosure of protected information between unit and Enterprise Security
  • Ensures the organization has defined and staffed a privacy role, if required
  • Ensures communication of security information and reporting to the unit
  • Represents their unit during security process & product evaluations
  • Assists Enterprise Security’s development and delivery of security job aids and training documents
  • Facilitates the completion of internal infrastructure, systems and third party risk assessments as required by the security framework
  • Ensures Business Continuity and Disaster Recovery plans are created and tested
  • Facilitates reporting of security metrics to Enterprise Security
  • Coordinators in units covered by HIPAA regulations are the designated HIPAA Security Officer unless otherwise designated by unit leadership

Security Coordinator Skill & Training Requirements

Security Coordinators should meet the following requirements to best represent the Ohio State security practice and their unit:

  • Must hold a position within the unit empowered to address security-related issues and concerns
  • Must complete the Ohio State Institutional Data Policy Training
  • Completion of Risk Assessment Training, delivered by Enterprise Security
  • Must be able to commit a minimum of 24 hours a month to the Security Coordinator role
  • Should complete formal security training, including SANS security management courses.  Minimally, 6 hours (full day)  of information security training per year.
  • Should have technical IT security experience
  • Should be familiar with unit IT practices

Units are asked to appoint Security Coordinators as a college and administrative office job duty. Replacement of the Security Coordinator appointed by the unit Leaders should be timely and gaps introduced by personnel changes should be kept to a minimum to ensure the unit is adequately represented in security conversations at all times.

Monthly Information Security Coordinator Meeting

Meetings are held regularly in room 285 of the Student Academic Services (SAS) Building, 281 W Lane Avenue. To be added to the attendee list and receive meeting invitations, please send a request to OSU-SecCoordAdmin@osu.edu.

List of Current Coordinators


SCHEDULE: 2020 ISSA Delayed Until 2021

The Ohio State University developed the Information Security Self-Assessment (ISSA) to provide an in-depth assessment of both the level of compliance with Ohio State’s Information Security Standards and the level of effectiveness of the security controls that organizations have implemented. Considering the lasting impact of adjustments we have made to limit the spread of Coronavirus (COVID-19), this year the Office of the Chief Information Officer and the Office of University Compliance and Integrity have decided to defer the completion of the upcoming Information Security Self-Assessment (ISSA) from June 30, 2020 to June 30, 2021. Below is the schedule for this change.

Schedule for 2020 ISSA Delay

Target DateActivity (Responsible Unit)Description
April 7

Suspension of FY20 ISSA

(Security Governance) 

ISSA for FY20 will be de-activated and Security Coordinators will be unable to upload additional evidence.
June 30

Publish Best-in-Class ISSA Evidence 

(Security Governance)  

Best-in-Class examples help Security Coordinators develop and enhance documentation used for ISSA evidence.
July 1
ISCR v2.1 released
 
(Security Governance) 
Minor updates and changes to the ISCR. 
Aug.1
 
ISSA v2.1* released

(Security Governance) 

All ISSA questions will be updated and revised, with a focus on fewer overall questions. 
Sept. 30

Update RMS 

(Security Coordinators) 

Security Coordinators will provide updated RMS based on ISSA v2.1. 
Fall 2020

Enable ISSA Monthly Reporting* 

(Security Governance) 

Security Coordinators can publish a monthly ISSA status report with scoring. 
Fall 2020

Exception Process* 

(Security Governance) 

Create a consistent exception process to document and grant exceptions to the ISCR. 

*Security Coordinators with interest and capacity are invited to join working groups to guide and test the activity. 

Analysis underway for ISCR Version 3 

Target DateActivity (Responsible Unit)Description
TBD

800-171 Assessment 

(Security Governance) 

The Research Security Governance Board requested an analysis of the ISCR and NIST Standard 800-171. Timelines for updating the ISCR and ISSA will be discussed and communicated at a later date..  

TBD

Modern Authentication (800-63) 

(Security Governance) 

Updates to IT5 based on NIST 800-63 guidance for authentication.  Timelines for updating the ISCR and ISSA will be discussed and communicated at a later date.

TBD

Develop Testing and Monitoring Process 

(Security Governance) 
Security Governance will define a process to assess the evidence provided in the ISSA and conduct testing and monitoring.