Policies & Rules of the Office of Information Security

Security Rules of the Office of Information Security

The Office of Information Security utilizes six primary security rules in order to effectively create a safe, respectful, and ethical online environment. 

Vulnerability Management Rule

Ensures the assessment of university IT systems in order to determine security vulnerabilities in need of fixing. An essential process for the better protection of university systems and data. This rule applies to all academic, research, and administrative departments and offices at all University locations; all University faculty, staff, students, visitors, contractors and affiliates; and all resources, systems, infrastructure, devices, facilities and applications in the University’s computing portfolio, whether located on University property or accessed remotely.

Full Vulnerability Management Rule 

Appropriate Use for System Administrators Rule

System Administrators manage, configure, monitor and access University Information Resources. This high level of access is a position of trust within the University. Individuals who are granted elevated access are personally responsible for their actions. This Rule establishes Acceptable Use for System Administrators for Oregon State University. This rule establishes requirements for System Administrators to ensure that their elevated level of access is performed in a professional and ethical manner.

Full Acceptable Use Rule

Log Management Rule

Governs the University's current log collection, analysis, and retention methods. Ensuring that all processes involving log management satisfy ethical, contractual, and risk-based requirements. This rule applies to any University department or individual that uses or operates IT resources that support official University business.

Full Log Management Rule

Remote Access Rule

Defines how Oregon State University controls remote access to University information systems, networks, and resources in order to prevent unauthorized use and to ensure proper use. This rule applies to all users associated with Oregon State University who need to access University resources from the internet.

Full Remote Access Rule

Password Management Rule

Outlines the principles and practices of operation for the University’s password authentication services. This rule applies to all individuals who use or operate any University system or resource that requires password authentication

Full Password Management Rule Password Matrix

UIT Email Security Rule

Outlines the principles and practices of operation for the University’s Email Services. This rule applies to any University department or individual that uses or operates an Email Service that supports official University business.

Full Email Security Rule

digital Identity and access Rule

This Rule defines the University’s approach to the establishment of a single digital identity that supports various roles and diverse relationships with the University in order to provide for the protection of systems and data as well as the Oregon State University community.

Full Digital and Access Rule

Third-Party Vendor Information Security Risk Management Rule

This rule provides the OSU Community guidance and process on gaining approval of third party systems that process OSU information.  This rule applies to all external vendor systems that process OSU information.

Full Third-Party Vendor Risk Policy

 University Administered Security Policies

To protect data and assure that information technology at OSU is available and secure, the university has developed policies in four key areas:

  • Data Management & Classification & Incident Response
  • Acceptable Use of University Information
  • Data Access & Governance
  • University Network Administration



Each of these policies is designed to serve the university's interests by balancing the need to protect our data and infrastructure with the recognition of the critical role that technology plays in the achievement of the university's strategic goals. The Vice Provost for University Information and Technology is the policy officer for technology and data policies at OSU.

University Data Management, Classification and Incident Response

This policy aims to improve data access, accuracy, and integrity, while applying appropriate security controls and protection to manage risk.

Acceptable Use of University Information

This policy explains how we share OSU-specific information, and the obligations held by individuals with this information to use and secure it appropriately.

Data Access and Governance

In aligning with the priorities established for Oregon State University, the mission of the Data Governance Program is to allow for and facilitate campus-wide data-driven decision making.

University Network Administration

The integrity and availability of the Oregon State University network is critical to the continued operation of the university. This policy regulates the use of the wired and Wi-Fi networks used to access the university network.