Information Security Governance

Ohio law gives responsibility for information security policies to the Office of Information Technology (OIT). The law, Ohio Revised Code 125.18, assigns specific information security duties to the Office of Information Security and Privacy under the state chief information security officer and the state chief privacy officer. These information security policies apply to most Ohio executive branch agencies and can serve as guidance to the independent agencies.

DAS OIT has established the state's information security framework in State of Ohio IT Standard ITS-SEC-02, Enterprise Security Controls Framework. The information security policies, standards, rules and guidance set the security requirements for state agencies.

Statewide Policies, Standards and Guidance Related to Information Security & Privacy 

Use of Internet, E-mail and Other IT Resources (Policy IT-04) 

Disposal, Servicing and Transfer of IT Equipment (Policy IT-05) 

Website Standardization (Policy IT-08) 

Data Classification (Policy IT-13) 

Data Classification Worksheet 

Data Classification Slides 

Data Encryption and Securing Sensitive Data (Policy IT-14) 

IT Security Awareness and Training (Policy IT-15) 

Data Encryption and Cryptography (Standard ITS-SEC-01)

Enterprise Security Controls Framework (Standard ITS-SEC-02)

DAS Information Security & Privacy Policies, Standards, and Guidance 

100-11 Protecting Privacy 

700-01 Information Technology Resource Usage 

700-02 Information Technology System Access Requirements 

700-03 Encrypted USB Standard

2100-01 Password Policy 

      DAS-ITS-2100-01-A Password Standard for Organizational Users 

      DAS-ITS-2100-01-B Password Standard for Non-Organizational Users 

2100-02 Mobile Computing 

2100-03 System and Information Integrity 

      DAS-ITS-2100-03-A Security Vulnerability Remediation Standard

2100-04 Data Classification 

2100-05 Information Security and Privacy Awareness Training 

2100-06 Wireless Local Area Network 

2100-07 Incident Response 

2100-08 Risk Assessment 

2100-09 Configuration Management 

      DAS-ITS-2100-09-A Secure Configuration Standard 

2100-10 Identification and Authentication 

2100-11 Access Controls 

      DAS OISP Approved Security Notification for IT Systems 

2100-12 Audit and Accountability 

      DAS-ITS-2100-12-A Auditable Events Standard

      DAS-ITS-2100-12-B Application Security Log Output Standard 

2100-13 System and Services Acquisition Policy 

2100-14 Multifactor Authentication Policy 

2100-15 Physical and Environmental Protection Policy 

2100-16 Contingency Planning Policy 

2100-17 Media Protection Controls 

2100-18 System Maintenance 

2100-19 Security Assessment and Authorization 

2100-20 Identity Proofing 

2100-21 System and Communications Protection Policy 

      DAS-ITS-2100-21-A Secure Active Content and Mobile Code Technology Standard 

2100-22 Information Security Program Management Policy 

2100-23 Security Planning Policy 

      DAS-ITS-2100-23-A Security Plan Standard

      DAS System Security Plan Template

OEP-SEC-4001, Statewide Incident Response Reporting Procedure