
Chapter 3337-91 | Policies on University Credentials

Rule 3337-91-03 | Computer and network use.

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/91-003.html

(A) Purpose

The Ohio university information technology systems ("Ohio systems") incorporate all electronic communication, information systems and equipment used by the university. This acceptable usage policy ("AUP") sets forth the standards by which all users may use the shared campus-wide network ("Ohio network"). The term "users" is defined in policy 91.005 "Information security."

Ohio systems are provided to support the university and its primary objectives of education, service, and research. Anything that jeopardizes their security, availability, or integrity is prohibited.

By using or accessing Ohio systems, users agree to comply with the AUP, as well as all other applicable university policies, including all federal, state, and local laws and regulations. Only authorized users may access the Ohio systems or any services interconnected with them.

(B) Scope

Users interacting with Ohio systems, data, identities, and accounts used to access Ohio systems, the Ohio network, and any university data.

(C) Policy

(1) Users may not impersonate another person, organization, or system, including university name, Ohio network names, or Ohio network address spaces.

(2) Users may not attempt to intercept, monitor, forge, alter or disrupt another user's communications or information.

(3) Users may not infringe upon the privacy of others' systems or data.

(4) Users may not read, copy, change, or delete another user's data or communications without the prior express permission of the other user.

(5) Users may not use Ohio systems in any way that:

(a) Disrupts, impacts the security posture of, or interferes with the legitimate use of any computer, the Ohio network, or any network to which the university connects;

(b) Interferes with the functions of any system owned or managed by the university; or

(c) Takes action that is likely to have such effects. Such conduct includes: hacking or spamming; placing unlawful information on any computer system; transmitting data or programs likely to result in the loss of an individual's work or in system downtime; or any other use that causes congestion of any network or interferes with the work of others.

(6) Users may not distribute or send unlawful communications of any kind. This provision applies to any electronic communication distributed or sent within the Ohio network or to other networks while using the Ohio network.

(7) Users may not attempt to bypass network security mechanisms, including those present on the Ohio network, without the prior express permission of the owner of that system. The unauthorized gathering of information regarding systems or devices on the Ohio network (i.e. network scanning) is also prohibited. Before running any type of network scan, and to obtain authorization, users should call the information security office ("ISO") for more information.

(8) Users may not engage in the unauthorized copying, distributing, altering or translating of copyrighted materials, software, music or other media without the express permission of the copyright holder or as otherwise allowed by law.

(9) Users may not extend or share with public or other users the Ohio network beyond what has been configured accordingly by the office of information technology ("OIT") and ISO. Users are not permitted to connect or change any network-related infrastructure, devices, or systems (e.g., switches, routers, wireless access points, VPNs, firewalls, virtual or bare-metal) to the Ohio network without advance notice and consultation with OIT and ISO.

(10) Users are responsible for maintaining and deploying minimum levels of security controls on any personal computer equipment connecting to the Ohio network, including but not limited to: antivirus software (with frequent updates), current system patches, and the usage of strong passwords to access these systems as defined in NIST series publications.

(11) Users may not use Ohio systems to violate any laws, regulations, or ordinances.

(D) Responsibilities

All users will be expected to:

(1) Behave responsibly and show respect to the Ohio network and other users at all times.

(2) Respect the integrity and the security of Ohio systems.

(3) Be considerate of the needs of other users by making every reasonable effort not to impede the ability of others to use the Ohio systems and show proper judgement regarding the consumption of shared resources.

(4) Respect the rights and property of others, including privacy, confidentiality, and intellectual property.

(5) Cooperate with the university to investigate potential unauthorized and/or illegal use of the Ohio network.

(6) Respect the security and integrity of Ohio systems and university data.

(E) Enforcement

Ohio users must report non-compliance with any paragraph of this policy to the ISO (security@ohio.edu).

Users who do not comply with this policy or related university information security standards may be denied access to information technology ("IT") resources, as well as be subjected to disciplinary action.

(F) Exceptions

All exceptions to this policy must be approved by the responsible business owner, and be formally documented. Policy exceptions will be reviewed and renewed on a periodic basis by ISO.

Request an exception:

(1) Complete initial exception request form, policy exception template, and risk acceptance form. (https://www.ohio.edu/oit/security)

(G) Governance

This policy will be reviewed by the ISO and other key stakeholders in the security of university assets and data to ensure continued compliance, as deemed appropriate based on changes in the technology landscape and/or changes to established regulatory requirements.

(H) Authority

Policy 91.005 "Information security"


Supplemental Information

Authorized By: 3337.01
Amplifies: 3337.01
Rule 3337-91-04 | University credentials.

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/91-004.html

(A) Overview

Credentials issued at Ohio university are for the sole purpose of accessing university resources. They are often the first line of attack, and the last line of defense, in the protection of these resources. Because of this, they must be used with care, and adequately protected. This policy outlines those protections that must be observed by individuals, technical staff, and systems using credentials at the university and recommendations for their protection.

(B) Individuals

An individual to whom credentials have been issued has certain responsibilities in the care of those credentials. The following behaviors should be observed to reduce the risk of compromise to your credentials.

(1) Keep your credentials, secret questions, and their answers private and known only to you.

(2) Use unique credentials (username and password combination) for Ohio university that are different from any other service or website.

(3) Your credentials are for your personal authentication to university resources, and should not be used as a means to provision services to other users.

(4) If you suspect that your credentials have been compromised, change your credentials and questions immediately and inform the information security office by e-mail to security@ohio.edu.

(C) Credentials

Credentials exist to ensure that the individual gaining access to university resources through an account is the same individual to whom the access was given. The university acknowledges that not all accounts carry the same level of risk. Therefore the level of rigor and complexity requirements that are applied to ensuring the security of the credentials will be in line with the risk which a compromise of that account would present to the university or its community.

The university data stewards (see part (D) of policy 93.001) will review these complexity requirements on an annual basis. Any changes that need to take place between reviews will be identified by the university information security officer, and presented to the university data stewards for approval. Actual authentication complexity requirements will be captured in the "Authentication Credentials Complexity Standard," which strives to relate the strength of the credential with the risk that a compromise of that account would present to the university.

(D) Information system owners

It is the responsibility of the owner or manager of information services to ensure that they comply with this policy and its associated complexity requirements. The recommended method is integrating with OIT authentication services and appropriately mapping individuals' accounts to the correct risk levels. Prior to integrating with OIT authentication services, permission must be obtained from the university information security officer and the chief information officer or their delegates. If a separate user credential is issued, the service owner must instruct their users to use credentials different from those used with their OhioID.

(E) Authentication servers

University authentication services are limited to those run and maintained by the office of information technology. It is the responsibility of the chief information officer or appointed delegate to ensure that the following are adhered to by all systems that perform authentication functions.

(1) Only those systems that are required and approved by the chief information officer or appointed delegate may store passwords in any form. Those that store these passwords must store them in a cryptographically secure format.

(2) Authentication systems must encrypt passwords at all times during transmission.

(3) Authentication systems must be housed in the university datacenter or another approved location. Authentication systems must be administered by OIT.

(4) Authentication systems must be hardened in accordance with NIST 800-123.

(5) Administrators accessing authentication systems must use an approved multi-factor authentication method to do so.


Supplemental Information

Authorized By: 111.15
Amplifies: 111.15
Rule 3337-91-05 | Information security.

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/91-005

(A) Purpose

This policy provides a framework to continuously protect and secure Ohio university's data and information resources and to comply with and maintain legal and contractual requirements.

(B) Scope

Ohio university organizational units operating technology resources are responsible for ensuring that the set of components for collecting, creating, storing, processing, and distributing information, typically including hardware and software, system users, and the data itself ("OHIO systems"), are managed securely. Users ("users") are defined as faculty, staff, student employees, third party agents, and any other authorized university affiliates accessing sensitive data.

Unauthorized use or disclosure of data protected by laws or contractual obligations could cause damage to the university and members of the university community, as well as subject the university to penalties in the form of fines or government sanctions. Examples of such laws or contractual obligations are the Health Insurance Portability and Accountability Act (HIPAA) and the payment card industry data security standard (PCI-DSS). To properly manage these risks, users must ensure their electronic devices and any other resources which create, collect, store, transmit, or process information meet minimum information security standards.

The information security office ("ISO") will advise and consult key stakeholders involved with the protection of data and assets on critical risk issues, and recommend remediation actions to support the information security risk management program ("ISRMP") as defined in policy 91.006 "Information security risk management." Ohio system and data owners will be responsible for ensuring that mission critical Ohio systems being maintained by them are adequately assessed for risk and that any identified risks are accepted, mitigated, or transferred.

(C) Policy

ISO will consult with stakeholders to define the information security standards which help support and maintain an adequate information security posture. The information assurance and privacy advisory group will approve new standards under the supervision of the information technology partnership group. Each standard identifies controls required for the data or IT resource, and assigns appropriate security risk levels.

The information security standards apply to all IT data resources owned, leased, operated, provided by, or otherwise connected to university resources. This includes physical assets such as computers, workstations, external drives, mobile phones, wireless devices, operating systems, software, and applications (free or contracted by the university).

Users are required to apply the appropriate controls to the data and IT resource(s) following this process.

Data owners are responsible for identifying the security level for the data and IT resource following the process in policy 93.001 "Data classification." The ISO will provide advice and consultation to assist in compliance. Data owners are responsible for applying the appropriate controls from the information security standards to the data and IT resource based on the security level. The security level defines the minimum requirements that must be followed for each classification; units may require additional controls beyond this policy, but no policy can require controls less than those indicated in this policy.

(D) Enforcement

Ohio users must report non-compliance with any part of this policy to the ISO (security@ohio.edu).

Users who do not comply with this policy or related information security standards may be denied access to information technology ("IT") resources, as well as be subjected to disciplinary action up to and including termination.

(E) Exceptions

All exceptions to this policy must be formally documented with the ISO prior to approval by the president or delegate. Policy exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

"Complete Initial Exception Request Form, Policy Exception Template, and Risk Acceptance Form. (https://www.ohio.edu/oit/security)"


Supplemental Information

Authorized By: 3337.01
Amplifies: 3337.01
Rule 3337-91-06 | Information security risk management.

The version of this rule that includes live links to associated resources is online at

https://www.ohio.edu/policy/91-006

(A) Purpose

The information security risk management program ("ISRMP") is the formal process to manage information security risks to Ohio university ("Ohio") to ensure the confidentiality, integrity and availability of university data and information systems ("Ohio systems"), as outlined in policy 93.001 "Data classification." The ISRMP serves a strategic role in addressing the constantly evolving information security threat landscape by aligning our information technology practice with the university's risk tolerance.

(B) Scope

This policy applies to all data created, collected, stored, processed or transmitted by the university and Ohio systems.

(C) Policy

(1) Ohio systems will be assessed for any risks or threats to the integrity, availability and confidentiality of data prior to significant changes to Ohio systems, in accordance with the university information security officer role as outlined in policy 93.001 "Data classification."

(2) Assessments will be performed periodically for Ohio systems that store, process or transmit sensitive data.

(3) Risks identified from an assessment will be mitigated, transferred or accepted by the responsible business owner as described in policy 93.001 "Data classification."

(4) Residual risks will only be accepted by those person(s) with the appropriate level of authority, based on the level of risk determined by the information security office ("ISO"). Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.

Risk Level   Risk Acceptance
High         President or delegate
Medium       Deans and administrative officers
Low          Business owner

(5) Each mission critical Ohio system will have a system security plan, prepared using input from risk, security and vulnerability assessments, by the responsible business owner.

(D) Responsibilities

(1) The ISO will provide assessments of risks and recommendations to remediate discrepancies found according to industry specific frameworks, methodologies, or business best practices.

(2) Business owners will be responsible for ensuring that mission critical Ohio systems being maintained by them are adequately assessed for risk, and that any identified risks are accepted, mitigated, or transferred.

(E) Enforcement

Users, as defined in policy 91.005 "Information security," will report any non-compliance with any part of this policy to the ISO (security@ohio.edu).

Users who do not comply with this policy or related information security standards may be denied access to information technology ("IT") resources, as well as be subjected to disciplinary action, up to and including termination.

(F) Exceptions

As defined in policy 91.005 "Information security."

(G) Authority

Policy 91.005 "Information security."


Supplemental Information

Authorized By: 3337.01
Amplifies: 3337.01