203: Information Systems – Baseline Standards of Care
Information Security Policies & Procedures Manual
Section 200: Information Systems Security
The purpose of this policy is to define the baseline standards of care based on the designated classification of Information Systems.
Standards of Care
The following standards apply to people and machines that have access to and/or process information according to its classification as Protected, Sensitive, or Unrestricted. The Records Custodian may require specific additional handling requirements above the baseline to ensure compliance with law, policy, or contractual obligation. These baseline standards are set as a minimum; adoption of stricter security practices is encouraged where practicable.
- 203-01 Baseline Standards for Protected Information
- 203-02 Baseline Standards for Sensitive Information
- 203-03 Baseline Standards for Unrestricted Information
- 203-04 Mobile Computing
203-01 Baseline Standards for Protected Information
All computer systems (workstations and servers) that store or process Protected Information shall have access restricted to authorized personnel only; fully patched operating systems and applications; current anti-virus software with current virus definitions; and, if attached to the network, placement in a secured zone protected by appropriate firewall rules. Workstations used by authorized personnel with direct write access to Protected Information shall also be configured to apply patches and current anti-virus definitions automatically, and shall not be used for day-to-day activities via a local system administrator or domain administrator account on the local machine.
All personnel granted direct access to Protected Information should be instructed on the proper use and handling of this information and are subject to OSU Policies regarding security sensitive personnel. Under no circumstances should Protected Information be disclosed to anyone outside OSU without authorization from the appropriate supervisory personnel.
203-02 Baseline Standards for Sensitive Information
All computer systems that store or process Sensitive Information should have access restricted to authorized personnel affiliated with OSU, and shall have fully patched operating systems and applications, and current anti-virus software with current virus definitions. Any such computer system is also subject to Network Services’ network security policy.
All personnel granted access to Sensitive Information should not disclose this information to parties outside of OSU without authorization by appropriate supervisory personnel.
203-03 Baseline Standards for Unrestricted Information
All computer systems that store or process Unrestricted Information shall have write access restricted to authorized personnel only, to ensure that the information presented is not edited without appropriate authorization. Any such computer system is also subject to Network Services’ network security policy and should have fully patched operating systems and applications, and current anti-virus software with current virus definitions.
203-04 Mobile Computing
All mobile computer systems or portable storage media that store Protected Information shall be encrypted with at least the 256-bit encryption common in operating systems and encoding devices sold in the United States, in addition to the baseline requirements prescribed in 203-01. Those that cannot meet this requirement due to the proprietary nature of how they are created, such as back-up tapes, must be stored in a physically secure area and shall only be transported in a manner commensurate with OSU ISM 601-03.