Information Security Manual
Section 200: Information Systems Security
Effective: 01/11/2010

Purpose

The purpose of this section is to define in general terms what is meant by Information Systems Security and to set forth the University’s commitment to create and maintain an Information Security Program.

Scope

Information Systems are composed of three major components: data, applications, and infrastructure systems.  All three must be addressed in order to ensure overall security of these assets.

Information Security Program

OSU hereby establishes an Information Security Program by adopting and documenting within this Information Security Manual, policies, procedures, security controls, and standards which govern Information Systems including data, applications, and infrastructure systems as those assets are classified according to their relative sensitivity and criticality.  This program should ensure that fundamental security principles, such as those embodied in the ISO 27000 series standards or those generally incorporated into the COBIT framework, are established and maintained.

The foundation of this Information Security Program will be the established information classification system and baseline standards of care established in this manual; however, for these to be effective all three aspects of information systems must be addressed.  This is not just about data, it is also about how data are stored and processed.