Information Security Manual
Section 500: Security Operations
Effective: 01/11/2010

Purpose

The purpose of this section is to articulate how OSU will conduct risk assessment by first proactive and then reactive means.

Procedure

The proactive component of risk assessment will be the actual categorization of Information Systems and specifically the identification of Protected Information Assets.  As discussed in section 200 of this manual, Protected Information Assets will be those assets which the university has an obligation to protect and will be identified by the appropriate Records Custodian and will have handling instructions/baseline security measures defined.  This will ensure that critical elements are identified and appropriate security measures defined to protect them.

The reactive component of risk assessment will be a periodic review of information security incidents.  The Chief Information Security Officer will periodically review the tracked information security incidents and will identify problem areas to be addressed in an Annual Information Security report to the Chief Information Officer.