Information Security Standards
The Information Security Office, in collaboration with the IT Security Governance Committee, develops standards for the protection of University data and systems. The standards set the minimum necessary controls, but do not relieve the University or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract. Because standards may set minimum controls based on data type, data owners must properly classify their data as outlined in the University's Data Classification policy before implementing a standard.
Standards, both in final and draft state, are available to anyone with valid OHIO credentials. While draft standards may have slight changes once implemented in their final state, they still provide industry best practices for various facets of information handling.
- View Standards (Log in with your OHIO credentials)
For topics that are not explicitly referenced above, or for additional guidance, the NIST 800 Series Publications are to be used. The Information Security Office uses NIST as its framework when consulting with University departments and, within OIT, when prioritizing security controls.