OSC is regularly externally audited for alignment with the NIST SP 800-53 and ISO 27002 security standards. Details of this security framework are available here. OSC can also handle export-controlled/ITAR projects at no additional cost, via oversight by the OSU Office of Research Compliance.
Specific Policy Documents:
OSC-1, OSC Data Lifecycle Management Policy - Data storage space is a limited resource, and in an effort to keep the resource available to the largest number of active users, the following policy and accompanying procedures and resources have been developed to reduce system management overhead and the impact on other users of OSC systems.
OSC-2, OSC Media Inventory Management - The purpose of this policy and accompanying procedures and resources is to help ensure the protection of the media containing the data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use the data.
OSC-3, OSC Information Security Framework - This policy and its supporting sub-policies provide a foundation for the security of OSC information technology systems. The requirements put forth in this policy and its supporting sub-policies are designed to ensure that due diligence is exercised in the protection of information, systems and services. This policy describes fundamental practices of information security that are to be applied by OSC to ensure that protective measures are implemented and maintained.
OSC-4, OSC Malicious Code Security - This policy is to implement and operate a malicious code security program. The program should help to ensure that adequate protective measures are in place against introduction of malicious code into OSC information systems and that computer system users are able to maintain a high degree of malicious code awareness.
OSC-5, OSC Remote Access Security - This policy establishes practices to be followed wherever a remote access capability is provided to OSC systems, so that inherent vulnerabilities in such services may be compensated for.
OSC-6, OSC Security Education and Awareness - This policy requires OSC to provide information technology security education and awareness to employees, contractors, temporary personnel and other agents of OSC who use and administer computer and telecommunications systems.
OSC-7, OSC Security Incident Response - This policy defines adequate security response for identified security incidents.
OSC-8, OSC Password PIN Security - We have implemented a new password change policy. This portion of our policies page is currently under construction. The Password PIN Security policy is dated, but established minimum requirements regarding the proper selection, use and management of passwords and personal identification numbers (PINs); references in this policy to passwords also apply to PINs, except where explicitly noted.
OSC-9, OSC Portable Security Computing - This policy addresses information technology (IT) security concerns with portable computing devices and provides direction for their use, management and control. This policy includes security concerns with the physical device itself, as well as its applications and data.
OSC-10, OSC Security Notifications - This OSC policy identifies the methods used to inform users of their duty, limitations on use, legal requirements and personal privacy expectations associated with the use of OSC and university computers, networks or telecommunications systems.
OSC-11, OSC User Management Policy - This policy establishes the information and qualifications required to establish an account to use OSC resources. This policy will also define the basic levels of support that users of OSC IT environments can expect.
OSC-12, OSC Intrusion Prevention and Detection - The purpose of this state policy is to establish an intrusion prevention and detection capability that is designed to prevent, monitor and identify system intrusions or misuse.
OSC-13, OSC IT Business Continuity Planning - This document provides guidance in the development and implementation of a comprehensive information technology business continuity plan that, in the event of a business disruption, will help enable the continuation of critical processes and the delivery of essential services at an acceptable level.
OSC-14, OSC Virtual Machine Lifecycle Management - Virtual Machines at OSC are a resource that must be maintained and protected. This document provides guidance in the hosting and maintaining of all systems and virtual environment infrastructure that require support from a limited resource. The following policy and accompanying procedures and resources have been developed to reduce system management overhead and the impact on other users of OSC systems.