IT Security Policies

December 30, 2009

Purpose

This document describes the key principles, policies and procedures designed to provide security for College of Engineering ("the College") IT devices and the data stored on them, and to ensure compliance with overall university IT security policies. Changes to this document will be reviewed by the College's IT managers and the College Executive Committee. The current version of this document will be posted on the College's web site.

General

Reasonable efforts need to be made to allow faculty, staff and students to perform their normal work functions efficiently. IT staff will schedule administrative work on devices to try to minimize disruption to employee activities and not interfere with critical tasks being performed by the employee. Employees will make the devices they use available to IT staff within a reasonable time frame for audits and other work that may be required.

MCSS/Restricted Data

  1. Per the Minimum Computer Security Standards (MCSS), IT staff is responsible for ensuring required MCSS compliance and the implementation of controls to protect sensitive data on electronic devices in their units.
    The MCSS policy can be found at: buckeyesecure.osu.edu/Policy/UCSS
    The Institutional Data Policy (IDP), which defines restricted data at OSU, can be found at: cio.osu.edu/policies/institutional_data
  2. Laptops and desktops, except for desktops in student labs, must have their hard drives encrypted. Exceptions may be granted by units when no restricted data is stored on or accessed by the device. Encryption exception request forms must be read and signed by the employee(s) requesting the approval. Exceptions must be accompanied by the end user's certification of their knowledge of OSU's restricted data policies, that there currently is no restricted data on the machine and no expectation that this will change in the foreseeable future, and that the end user will promptly notify the local IT staff upon any change to this expectation.
  3. Devices granted an encryption exception are subject to audit by IT staff for continued compliance with the basis for the exception. Any unencrypted devices that are found to store or access restricted data will be immediately encrypted by IT staff and will subject other unencrypted devices under the control of the user to immediate review.
  4. MCSS and encryption reporting will be submitted quarterly to the College Administration by the IT Manager of each unit. The format will be informed by requirements for the College's reporting to the Office of the CIO.

Administrative Privileges

  1. IT staff must have administrative privileges on all OSU-owned devices within their unit unless prohibited by contractual relationships. In cases where IT staff does not hold administrative privileges, the user responsible for the device must accept full responsibility for compliance with the MCSS and IDP.
  2. Shared administrative access on selected OSU-owned devices may be granted by units. The purpose of shared access is to enable users to download and install software of importance to their work function. This privilege is NOT to be used to counter MCSS and restricted data configuration of their machine, nor to circumvent the IT policies and practices of the unit, college or university. Requestors must certify their knowledge of the risks of having administrative privileges as published by the CIO's Office. Requests for shared administrative access that are denied at the unit level may be appealed to the College.
  3. Machines with shared administrative access or no IT staff access will be subject to more stringent auditing procedures than will machines for which only IT staff has administrative privileges. IT staff will schedule audits of devices for which they do not have sole administrative privileges to ensure that MCSS and restricted data policies are enforced. All such devices will be reviewed annually to determine if continuation of the current administrative access privileges is warranted.
  4. Administrative access privileges may be revoked by the unit if university, college or unit policies are violated.
  5. Each unit must have a Local Administrative Privileges Standard (LAPS) that is reviewed and approved by the College Administration. The LAPS must describe the procedure used in the unit for initiating and processing requests for administrative access.
  6. Each unit will have a yearly review of its LAPS policy. This will be conducted by each local computer committee or its equivalent. The results of that review will be reported to the College Administration so that any changes to the LAPS can be reviewed by the College.
  7. Appeals to the College regarding denial of administrative privilege requests or revocation of privileges due to policy violations will be heard by a committee that includes one or more representatives from the College Administration, one representative from the College's IT managers that is not from the unit from which the appeal originates, and one member of the faculty from the local computer committee of a unit other than that from which the appeal originates. Every effort will be made to respond to the appeal within 20 business days.