Ohio State’s Enterprise Security group developed the Information Risk Management Program (IRMP), commonly referred to as the "Security Framework," to manage information security risk to Ohio State’s information systems and assets. The IRMP has produced a series of information security and risk management documents to assist organizations in understanding the program and in implementing strategies to manage information risk.
All university systems are required to comply with the control requirements in the Security Framework. If a system is unable to comply with a specific control requirement there the business unit must document the use case, business need, and file a security exception. Exceptions to the security framework must be reviewed by OIT and approved by management or leadership when appropriate.
Any submitted exceptions additional are subject to additional review by OSU Enterprise Security or Internal Audit.
Even in the case of an exception, there are steps that can be taken to reduce the risk to the business unit. Each security exception should have compensating controls or risk mitigations. These could be technical controls or policies that the unit agrees to follow. OIT can assist with recommendations and additional actions that may be taken to reduce security risk.