This policy aims to improve data access, accuracy, and integrity, while applying appropriate security controls and protection to manage risk. It contains definitions for different types of university data, guidelines for accessing and responsibly using that data, and instructions about what to do in the case of a data compromise. In order to protect university data, the policy establishes a framework to allow the university to comply with all federal and state laws, regulations, and policies pertaining to data management, classification and incident response.
This policy exists because of the critical role that data plays in the 21st century university. Much of the data that the university owns is protected by law; It is vital that OSU manage the data in a way that maximizes utility while minimizing risk.
This policy applies to all university units, employees, students, visitors, contractors, and affiliates, and anyone who produces, manages or accesses university data.
All university data carries one of three classifications that dictate access and use. These are Unrestricted, Sensitive and Confidential. Each classification has its own set of instructions and requirements for the access, use, and care of the information.
The President of the university has ultimate oversight responsibility and authority over institutional provisions for data management, classification, and incident response.
The Provost is the Data Trustee for the university, and, as delegated by the President, has the authority for all decisions regarding data usage and classification for university business. The Provost approves information management and security policies proposed by the Vice Provost for Information Services (VPIS).
The Vice Provost for Information Services (VPIS) is responsible for developing institutional policies and instituting programs to ensure the security, integrity, and availability of the university’s information systems and assets. The VPIS reports to the Provost on such matters.
The Chief Information Security Officer (CISO) serves as Director of the Office of Information Security and is responsible for:
The Data Governance Council, appointed by the Provost and advisory to the VPIS, reviews and recommends policy and procedure for managing the data of the university. Where information is shared amongst systems, the Data Governance Council will recommend processes to the VPIS.
Deans, Vice Presidents, Vice Provosts and Department Heads are responsible for:
Data systems administrators are responsible for ensuring that:
Data stewards are responsible for:
All members of the OSU community, including employees, students, and business partners, must: