2007 Achievements
Cybersecurity Initiative
Part 1 Increase campus awareness of security issues, practices, professional ethics, and responsibility.
Part 2 Develop and implement campus cybersecurity and cyberresponsibility strategies and guidelines to secure the campus network and protect critical information technology resources, assets and processes.
Part 3 Better secure the central Ohio State University data network from both external and internal threats.
Since 2004
Launched the BuckeyeSecure initiative, encompassing identity management and SSN removal/remediation on centrally provided resources; changed reporting lines for network security staff and appointed a director of cybersecurity; hired a security outreach specialist; provided a staff member to Internet2 to develop Shibboleth and SAML; launched the Safe Computing web site; reallocated resources to start security training workshops; began offering security training for non-IT managers; held annual Cybersecurity Days on campus; conducted a Shredfest to securely destroy paper records and unusable hard drives; established federal HIPAA security regulation compliance; developed policies on credit card security compliance and wireless data networks; implemented anti-virus and anti-spam controls on the central e-mail servers; increased vulnerability scanning frequency on central servers; improved intrusion detection hardware and software at the border; and provided low-cost departmental firewalls and consulting.
Since 2007
- Transitioned the BuckeyeSecure Program into a brand for the university's information security activities, projects, and outreach.
- Redesigned the BuckeyeSecure web site to serve as a central information security communication resource for both technical and non-technical users, integrating projects and technical web sites and the user-focused Safe Computing site.
- Developed university policies on the disclosure or exposure of personal information, institutional data, and university computer security standards.
- Established the Institutional Data Policy Implementation Project, a more broadly focused version of the SSN Privacy and Safeguarding Project. The project team developed a training module for institutional data users on the key elements, especially protecting restricted data and security best practices, and made it available through Carmen and the Medical Center CBL System. The team also created Institutional Data Policy training reports, available through eReports, so areas could track access and completion rates of their users.
- Continued building an identity management infrastructure through the Identity Management Project after servicing the authentication needs of the Student Information System. The project split the original RFP into separate proposals for IDM software and services and set goals to establish enterprisewide authentication/authorization, role-based access controls, and improved self-service for digital identities.
- Developed four University Computer Security Standards: the Minimum Computer Security Standard for individual users, plus three technical security standards covering web, database, and critical servers.
- Established the Minimum Computer Security Standard Implementation Project to ensure that all computers and networks within each college and department achieve a minimum level of security to protect institutional data. The project team initiated a survey of departmental network administrators to inventory and assess the readiness of campus operating environments.
- Established the Enterprise Firewall Project to protect central and distributed network assets and information, enable joint central and distributed administration, and make OIT-managed firewall services available to campus units that do not have staff dedicated or trained to provide network security.
- Hired a data privacy administrator who is responsible for: monitoring privacy legislation and regulations; developing data privacy and protection policies and standards; providing guidance and consultation to departments in improving privacy throughout their business processes; and communicating and training faculty, staff, and students on best practices.
- Became the first institution to implement Shibboleth authentication for access to off-campus resources, such as OhioLINK, the Ohio Library, and the Information Network. Standard Ohio State lastname.# and password authentication replaces an insecure mechanism that used private information, including SSN.
- Upgraded off-campus access to OSU Libraries J-STOR electronic journal services using Shibboleth and InCommon federated technology to authenticate user access in a robust and secure manner.
- Piloted a new, easy-to-use, secure method for providing temporary authenticated guest access to university resources including Carmen, central e-mail, and the wireless network.
- Introduced improved password management for Ohio State's wireless network, including self-service capabilities to activate and change passwords.
- Began fully encrypting all enterprise server archive and backup data tapes sent off campus to secure storage, so that any sensitive data is automatically protected and any loss in transit or storage does not require notification under Ohio law.
- Began encrypting all data tapes for open and Microsoft systems such as PeopleSoft, central e-mail, and Carmen. New hardware encrypts data at the tape head in the robotic library with no system software or performance penalty.
- Eliminated the use of SSN as account identifiers for students, faculty, and staff with personal-use telecommunication services such as long distance, cellular, and cable TV.
- Added new screening to the central e-mail system based on a constantly updated database of known spam sources maintained by the international Spamhaus Project for worldwide use by universities and other major Internet service providers. Checking incoming e-mail against the Spamhaus database has resulted in an immediate rejection rate of approximately 40 percent and has improved overall system efficiency and performance.
- Increased education and outreach efforts through the new position of Information Security Outreach Specialist. The staff member presented papers at the CIC Tech Forum and the OSU Extension annual conference; held classes at the Digital Union; met with numerous campus organizations on security initiatives; and responds to faculty, staff, and administrative concerns about security threats and best practices.
- Launched a campuswide campaign to raise security awareness that included a student-focused poster campaign and several faculty and staff publications addressing security practices and policy changes.
- Implemented BuckeyePass, a two-factor authentication infrastructure for campus access to the Student Information System and Human Resources and Operational Data Store data systems.
- Observed National Cybersecurity Day on campus with presentations on the Minimum Computer Security Standard and featured a representative from the Ohio Attorney General's Office who spoke on Identity Theft and the State of Ohio Chief Privacy Officer who addressed the changing face of security in the digital age.
- Pilot-tested a commercial intrusion protection device that monitors networks and related systems and blocks malicious activities and unwanted behavior.