Information Security Governance
Ohio law gives responsibility for information security policies to the Office of Information Technology (OIT). The law, Ohio Revised Code 125.18, assigns specific information security duties to the Office of Information Security and Privacy under the state chief information security officer and the state chief privacy officer. These information security policies apply to most Ohio executive branch agencies and can serve as guidance to the independent agencies.
The DAS OIT has established the state’s information security framework in State of Ohio IT Standard ITS-SEC-02 Enterprise Security Controls Framework. The information security policies, standards, rules and guidance set the security requirements for state agencies.
Statewide Policies, Standards and Guidance Related to Information Security & Privacy
Use of Internet, E-mail and Other IT Resources (Policy IT-04)
Disposal, Servicing and Transfer of IT Equipment (Policy IT-05)
Website Standardization (Policy IT-08)
Data Classification (Policy IT-13)
Data Encryption and Securing Sensitive Data (Policy IT-14)
IT Security Awareness and Training (Policy IT-15)
Data Encryption and Cryptography (Standard ITS-SEC-01)
Enterprise Security Controls Framework (Standard ITS-SEC-02)
DAS Information Security & Privacy Policies, Standards, and Guidance
700-01 Information Technology Resource Usage
700-02 Information Technology System Access Requirements
DAS-ITS-2100-01-A Password Standard for Organizational Users
DAS-ITS-2100-01-B Password Standard for Non-Organizational Users
2100-03 System and Information Integrity
DAS-ITS-2100-03-A Security Vulnerability Remediation Standard
2100-05 Information Security and Privacy Awareness Training
2100-06 Wireless Local Area Network
2100-09 Configuration Management
DAS-ITS-2100-09-A Secure Configuration Standard
2100-10 Identification and Authentication
DAS OISP Approved Security Notification for IT Systems
2100-12 Audit and Accountability
DAS-ITS-2100-12-A Auditable Events Standard
DAS-ITS-2100-12-B Application Security Log Output Standard
2100-13 System and Services Acquisition Policy
2100-14 Multifactor Authentication Policy
2100-15 Physical and Environmental Protection Policy
2100-16 Contingency Planning Policy
2100-17 Media Protection Controls
2100-19 Security Assessment and Authorization
2100-21 System and Communications Protection Policy
DAS-ITS-2100-21-A Secure Active Content and Mobile Code Technology Standard
2100-22 Information Security Program Management Policy
2100-23 Security Planning Policy
DAS-ITS-2100-23-A Security Plan Standard
DAS System Security Plan Template
OEP-SEC-4001, Statewide Incident Response Reporting Procedure