Compliance with Security Policies and Standards (ISO § 15.2.1)
Information Technology (IT) supports the University's business strategies, which are guided by the following mission statements:
- BGSU Mission Statement, Code of Ethics and Conduct
- BGSU Core Values
- CIO Mission Statement
- Mission Statements for other BGSU departments
Information is vital for supporting the BGSU Mission; consequently, the following policies are necessary for maintaining the
confidentiality, integrity, and availability of information:
- Privacy Statement
- ITS Network & Computer Policies
Related Policies:
- BGSU Policies: http://www.bgsu.edu/offices/ohr/resources/page54588.html
- Student Handbook
Security Requirements For Third Parties (ISO § 6.2)
The security of the organization's information and information processing facilities should not be reduced by the introduction
of external party products or services. (ISO § 6.2)
If you participate in the negotiation or review of University contracts with third parties involving hardware, software, IT
services, sensitive information, or access to IT facilities, you must ensure compliance with:
Information Technology Policy
Contract Review and Authorization for Purchase of Goods and Services - addresses ISO § 6.2.1 practices for Identification of risks related to external parties and ISO § 6.2.3 practices for Addressing security in third party agreements.
Applicable Legislation - assistance for agreements involving information regulated by the Gramm-Leach-Bliley Act, HIPAA Security Rule, Payment Card
Industry Data Security Standards, etc., and for transaction processes such as electronic signatures.
Compliance With Legal Requirements (ISO § 15.1)
Links to resources below are provided to assist BGSU students, faculty, and staff in assessing the impact of statutory and
regulatory requirements on the University and their information.
Applicable Legislation (ISO § 15.1.1)
Copyright (ISO § 15.1.2)
Reviews of Security & Technical Compliance (ISO § 15.2)
The security of information systems should be regularly reviewed to ensure compliance of systems with organizational security
policies and standards.
When a network vulnerability assessment of a system is required, contact the Technology Support Center (x2-0999) and request the assistance of the ITS Information Security Office. Independent network vulnerability assessments
are unauthorized, unless specific approval has been given in advance.
If such assessments are not performed properly and with appropriate coordination, they could disrupt the network or other systems, generate
alerts on security equipment and personal firewalls, or result in accidental system penetration. Any such incident will result in a formal
investigation. Some types of activity could appear to be a violation of Ohio Revised Code Title 29, Chapter 2913, § 2913.04(B), resulting in the involvement of law enforcement and the confiscation of equipment.
Risk Management Guidance
Mission, Policies, Procedures, and Regulations support risk management in the following ways:
- Assessment & planning - provides standards against which existing practices can be compared to identify vulnerable areas needing
improvement;
- Implementation - with appropriate management attention and training, sets performance expectations for employees and enables
self-monitoring;
- Evaluation - provides standards for evaluating results;
- Control - provides management or regulatory agencies with controls for taking corrective or punitive action.
Bowling Green State University incorporates the ISO/IEC 17799:2005 Code of Practice for Information Security Management. References to ISO section numbers facilitate Plan organization and assessment.