The Ohio State University
Office of the Chief Information Officer
320 Baker Systems Engineering
1971 Neil Avenue
Columbus, OH 43210
Phone: (614) 292-6553
Fax: (614) 688-4226

Information Technology Strategic Plan

Cybersecurity Strategic Initiative

Summary
The university can improve cybersecurity on campus by increasing awareness within the community, developing and implementing security guidelines, and taking physical actions to secure the central data network against external and internal threats. We can heighten awareness in the campus community by redefining the role of the person in charge of cybersecurity so the position reports directly to the CIO and also serves as a liaison between nontechnical users, our vital first line of defense, and the technology experts. The director of network security would be responsible for raising the visibility and importance of network protection, starting with improving education on issues of computer security, privacy, professional ethics and information technology responsibility. Cybersecurity strategies entail implementing guidelines to provide the academic community with ubiquitous and pervasive access to the data network while protecting against problems such as viruses, spam and cyber-terrorism. Physically securing the central data network requires proactive and reactive steps and must be coordinated with business continuity efforts.

Full Description

Part 1 - Increase campus awareness of security issues, practices, professional ethics and responsibility.

Part 2 - Develop and implement campus Cybersecurity and Cyberresponsibility strategies and guidelines to secure the campus network and protect critical information technology resources, assets, and processes.

Part 3 - Better secure the central Ohio State University data network from both external and internal threats.

Community awareness starts with improved education on computer security, privacy, professional ethics and information technology responsibility. We can heighten awareness in the campus community by redefining the role of the person in charge of cybersecurity so the position reports directly to the CIO and also serves as a liaison between nontechnical users, our vital first line of defense, and the technology experts. The director of network security would be responsible for raising the visibility and importance of network protection, starting with improving education on issues of computer security, privacy, professional ethics and information technology responsibility. Better awareness enables all members of the campus community to better control their personal information protection and privacy, improve the university's security, and protect individual and institutional liability. Consequently, the university must develop awareness and education materials to ensure that everyone understands both their rights and their responsibilities in cyberspace. The materials can be locally developed, such as the Safe Computing web site, and drawn from external sources, such as the CIC Security Working Group MIST project, to provide basic security information in a variety of formats: streaming media, videotape, web and print, and through instructor-led workshops, new student orientation and freshman experience courses.

The university must also develop and implement guidelines to provide the academic community with ubiquitous and pervasive access to the data network while protecting against problems such as viruses, spam and cyber-terrorism. A secure data network provides more assurances of protection of the university's information technology assets and processes and supports the campus community's privacy and productivity. The university must develop its guidelines in collaboration with other national and state higher education Cybersecurity efforts and also coordinate with its business continuity efforts. Using the university's HIPAA security approach as a model, the Office of the Chief Information Officer can lead a campuswide group that will develop a strategy, guidelines, and an implementation plan with both broad campus input and external input and then oversee implementation and ongoing operation. The group will include information technology and physical security experts, auditors, and academic and administrative unit representatives.

Physically securing the central data network against external and internal threats requires proactive and reactive steps and must be coordinated with business continuity efforts. Proactive elements include more intense network scanning for vulnerable computers, more intense network monitoring for intruders and attacks, increasing firewalls, developing a rigorous, in-depth defense, and training local data network administrators. Reactive elements center on incident response and include distributing information about new threats or vulnerabilities, analyzing compromised computers to determine what form of attack was used and working with system administrators to help them improve their security practices.

Definitive Cybersecurity policies and their application lead to these outcomes: better security of data, systems and network privacy for college and departments; reduced probability that the campus network will be slowed or halted by an attack; reduced risk of data loss due to malicious attacks on servers; less system administrator time spent on rebuilding computers that have been attacked; no loss of network performance; increased likelihood of meeting regulatory requirements; increased compliance with research grant rules that stipulate proactive use of firewalls; establishment of best practices in secure system administration; departmental computing staff and the campus community become more knowledgeable about security issues and enjoy an enhanced sense of personal security; and protection of university image as a secure place.

Benefits

  • Better security of data, systems and network privacy for college and departments
  • Reduced probability that the campus network will be slowed or halted by an attack
  • Reduced risk of data loss due to malicious attacks on servers
  • Less system administrator time spent on rebuilding computers that have been attacked
  • Less loss of network performance and productivity
  • Increased compliance with research grant rules that stipulate proactive use of firewalls
  • Establishment of best practices in secure system administration
  • A campus community more knowledgeable about, and possessing an enhanced sense of, personal security
  • Protection of the university's image as a secure place

Proposed Leadership

  • Chief Information Officer
      - Office of Information Technology
      - Office of Technology Enhanced Learning and Research
  • Colleges and Regionals
  • Office of Business and Finance
  • Major Administrative Units
  • Departments
  • Undergraduate, Graduate and Professional Student Government Associations

Metrics

  • Decrease in the number of computers that have to be removed from the Internet due to break-ins
  • Increase in the number of departments with firewalls between their network and the campus backbone
  • Decrease in the number of security incidents reported
  • Security best practices documents for the most commonly used server software and operating systems
  • Training materials and an established training schedule to educate staff about securely administering computers that are attached to the campus network.

Estimated Investments/Potential Funding

  • $100,000 for one FTE in user education and training program: new and existing CIO funds
  • $100,000 (estimated) for materials and incentive program, depending on scope: new central funds
  • Participants' time and support to develop strategy, guidelines, and plan plus $100,000 for one FTE for ongoing assessment, monitoring, external coordination and planning
  • $200,000 for two FTE staff: one in incident response, one in firewall installation and configuration
  • $25,000 for additional intrusion detection hardware and software

Recent Actions

  • CIO launched a safe computing web site (safecomputing.osu.edu) in 2003
  • CIO reallocated resources from IT Policy, Security Incident Response and Help Desk to start security training workshops
  • CIO will internally reallocate $65,000 rate and $155,000 cash for an identity management project
  • CIO received $375,000 annual funding and $22,500 cash from FY04 Technology Tuition Funds for cybersecurity hardware, software and staff to implement virus and spam controls
  • Requested for FY05: $60,000 in cash for university federal HIPAA security regulation compliance
