Search within:

Information Security Standards


The Information Security Office, in collaboration with the IT Security Governance Committee, develops standards for the protection of University data and systems. The standards set the minimum necessary controls, but do not relieve the university or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. Given that standards may address minimum controls based on data type, prior to implementing a standard, data owners must properly classify their data as outlined in the University's Data Classification policy.

Standards, both in final and draft state, are available to anyone with valid OHIO credentials. While draft standards may have slight changes once implemented in their final state, they still provide industry best practices for various facets of information handling. 

Exception Process

For those that feel that they cannot meet the obligations set forth in a given Ohio University Information Security Standard they must complete the Information Security Exception Request Form. Requests for exception from an Information Security Standard are reviewed by the Information Security Office and the associated risks with not meeting the standard are communicated back to the requestor and the appropriate individuals within the institution that have the authority to accept risk on behalf of the institution in accordance with Ohio University’s Information Security Risk Management Policy (91.006).

Additional Guidance

For those topics that are not explicitly referenced above, or for additional guidance, the NIST 800 Series Publications are to be used. The Information Security Office follows NIST as its framework for consultation provided to the University departments and within OIT for the prioritization of security controls.