Security Framework

Contact: Digital Security and Trust Security Governance

Changes Made to This Page (last update: 6/30/25)
DateUpdate
6/30/25
  • Added missing content to "Appendix B: Information Risk Management Program Documentation License (IRMPDL)"
6/25/25
  • Consolidated "Appendix A: Information Security and Risk Management Documentation" and "Appendix B: Information Risk Management Program Documentation License (IRMPDL)" from the ISPS, ISPCR, and IRMF web pages to the Security Framework web page
  • Content and formatting updates in preparation for the release of ISPCR v3.0

Ohio State Privacy and Security Governance team developed and maintains the Information Risk Management Program (IRMP), commonly referred to as the "Security Framework," to manage information security risk to Ohio State’s information systems and assets. Ohio State's IRMP was developed with three broad goals:

  1. Simplified design. Standards are often lengthy and complex. Ohio State’s security and privacy framework program defines 39 risk areas, grouped into seven business functions and two technical functions.
  2. Structured for business leaders, managers, and IT professionals. Information security and privacy standards are generally written for IT or risk management professionals. The program was written and organized for non-technical business managers with linkage to security controls, procedures, and job aids for IT professionals. Risks are categorized into nine different business functions that cross most organizations. A tenth category is "institutional data risk", which is separate as this risk crosses all business functions.
  3. The Information Risk Management Program is built on the premise that information security and information risk management is a university responsibility, not exclusively an IT responsibility.
List of the Nine Business Functions
  • management risk
  • legal risk
  • business (finance) risk
  • purchasing risk
  • human resources risk
  • facilities risk
  • information technology risk
  • privacy risk
  • industrial control systems risk

Supporting Documentation

The Ohio State University Information Risk Management Program documentation is licensed for use under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Refer to the Information Risk Management Program Documentation License for additional information (see “Appendix B: Information Risk Management Program Documentation License IRMPDL” at the bottom of this page).

The Information Risk Management Program (IRMP) regularly maintains and updates a series of information security and risk management resources to assist organizations in understanding the program and in implementing strategies to manage information risk. The IRMP is primarily based on the NIST SP 800-53 security standard. The Ohio State Privacy and Security Governance team maintains and updates the following documents as necessary:

  • Institutional Data Policy (IDP): The Institutional Data Policy outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use. All institutional data is assigned one of four data classifications, and the university’s Information Security and Privacy Standard (ISPS) and Information Security and Privacy Control Requirements (ISPCR) define the security and privacy controls required to protect it.
     
  • Information Security and Privacy Standard (ISPS): The Information Security and Privacy Standard defines risk management objectives and specifies security controls that support Ohio State’s Information Technology Security and Privacy Policy (ITSPP). The ISPS is also linked to Ohio State’s Institutional Data Policy. The ISPS defines thirty-nine risk areas for the university. These risk areas are used to organize, measure, and manage information risk consistently across the university. Each risk area definition includes a risk management objective, as well as a list of security controls to be used to meet the stated objective. 
     
  • Information Security and Privacy Control Requirements (ISPCR): The Information Security Control Requirements provides detailed implementation specifications for the security controls defined in Ohio State's Information Security Standard (ISPS). The ISPCR is also linked to Ohio State’s Institutional Data Policy (IDP). The control requirements in the ISPCR are specified according to the level of institutional data being protected, as defined by the IDP. The ISPCR defines control requirements to ensure that organizations can implement the security controls from the ISPS consistently across the university. The control requirements are based on the four different levels of institutional data specified in the IDP. This makes it easier to understand the level of security required based upon the sensitivity of the data. The detailed control requirements specify minimum requirements for implementing each control requirement.
     
  • Information Risk Management Framework (IRMF): The Information Risk Management Framework cross-references or “maps” the security controls of Ohio State’s Information Security Standard (ISPS) and Information Security Control Requirements (ISPCR) to other security standards and regulations. As new information security standards or regulations are updated or created at the federal, state, industry, or global level, the IRMF will expand by adding additional appendices to document how the IRMP keeps Ohio State compliant with all relevant legislation and rules.
     
  • Information Security Processes: Information Security Processes instruct users so they can meet specific controls within the Information Security and Privacy Control Requirements (ISPCR). Following these best practices ensures a systematic approach to meet data protection and regulatory compliance requirements for the university.
     
  • Cyber And Privacy Legal Review: Ohio State must adhere with legal requirements as outlined in the ISPCR. To enable the university to meet this requirement, DST created a summary of state, federal, and international laws as well as industry standards.
     
  • Framework Glossary: The framework glossary contains the definitions of terms found in the Information Security and Privacy Standard (ISPS), the Information Risk Management Framework (IRMF), and the Information Security and Privacy Control Requirements (ISPCR).
     
  • Job Aids: Job Aids provide assistance to those implementing Ohio State’s Information Security and Privacy Control Requirements (ISPCR) on university information systems, assets under the university’s control, and to the people who access these systems.
     
  • University-Approved Lists: University-Approved Lists provide assistance to those implementing Ohio State’s Information Security and Privacy Control Requirements (ISPCR) on university information systems, assets under the university’s control and to the people who access these systems.
Appendix A: Information Security and Risk Management Documentation
Ohio State Information Security and Risk Management Documentation Pyramid


Ohio State’s Digital Security and Trust team developed the Information Risk Management Program (IRMP) to manage information security risk to Ohio State’s information systems and assets. The IRMP has produced a series of information security and risk management documents to assist organizations in understanding the program and implementing strategies to manage information risk. This appendix describes the purpose of and relationships between the various information security and risk management documents.

Ohio State’s Information Technology Security Policy (ITSP) establishes high-level information security requirements. The ITSP provides the mandate for the IRMP at Ohio State. It establishes the overall intent of the university to support and promote information security in all its practices. Additionally, the ITSP specifically delegates to the Office of the Chief Information Officer the responsibility to create new policies, standards, guidelines, requirements, and practices to support the intent of the policy and ensure information security.

The IRMP is also closely tied to Ohio State’s Institutional Data Policy (IDP). The IDP defines different types of institutional data at Ohio State as well as high-level management and access requirements.

The Information Security and Privacy Standard (this document) defines thirty-nine risk areas for the university. Each risk area includes a security objective, as well as a list of security controls to be used to meet the stated objective. These risk areas are used to organize, measure, and manage risk levels consistently across the university. The ISPS takes its mandate from the ITSP and is tightly aligned with the IDP.

The Information Security and Privacy Control Requirements (ISPCR) provides detailed implementation guidance for each security control specified in the ISPS. The ISPCR could be interpreted as a more detailed version of the ISPS. As such, a coding scheme makes it easy to cross-reference between the two documents. To better guide implementation efforts, the detailed control requirements in the ISPCR are specified according to the level of institutional data being protected, as defined by the IDP.

The Information Risk Management Framework (IRMF) cross-references or maps the ISPS security controls and ISPCR control requirements to other security standards and regulations. As new information security and privacy regulations are created at the federal, state, or industry level, the IRMF will be expanded with additional appendices to document how the IRMP keeps Ohio State compliant with all relevant legislation and rules. The IRMF employs the same coding scheme throughout the ISPS and ISPCR.

Appendix B: Information Risk Management Program Documentation License (IRMPDL)

Issued: June 1, 2017
Updated: June 30, 2025

Ohio State’s Digital Security and Trust team developed the Information Risk Management Program (IRMP) to manage information security risk to the university’s information systems and assets. The IRMP has produced a series of information security and risk management documents to assist organizations in understanding the program and implementing strategies to manage information risk. This Documentation License describes the terms of use for organizations who use the program documents.

This Documentation License applies to the following program documents:

  • Information Security and Privacy Standard (ISPS)
  • Information Security and Privacy Control Requirements (ISPCR)
  • Information Risk Management Framework (IRMF)  
  • Information Risk Areas (IRA)
  • Information Risk Metrics (IRM)
  • Security and Privacy Controls Assessment (SPCA)
  • Job Aids

The Ohio State University Information Risk Management Program documentation is licensed for use under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).

Information Risk Management Program Documentation License Logo

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0) 
Note: this is a human-readable summary of (and not a substitute for) the license.

You are free to:

  • share: copy and redistribute the material in any medium or format; and
  • adapt: remix, transform, and build upon the material.

The licensor cannot revoke these freedoms as long as you follow the license terms.

Under the following terms:

  • attribution: you must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use;
  • noncommercial: you may not use the material for commercial purposes; and
  • share alike: if you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

No additional restrictions: you may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Notices:

You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.

No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.