Policy for System Asset Administration
Applies to: College of Engineering Faculty, Staff, Students, departments, centers, administrative units, affiliated entities, agents, suppliers/contractors, volunteers, and all others working with College of Engineering assets.
POLICY
All information and system assets of The Ohio State University (“University” or “OSU” in this document) are subject to the policies and control requirements of the University. All information and systems assets of The College of Engineering (“College” or “COE” in this document) at The Ohio State University are subject to the policies and control requirements of the College. Any information or system asset may also be subject to external control requirements if they are bound by contract or subject to regulation.
The College of Engineering provides Engineering Technology Services (ETS) as a management service for the system assets of the College and the information assets they contain. To provide this service, ETS provides a set of standardized offerings and controls to manage the assets. By default, all system assets in the College are managed under these standardized offerings. If there is a business need, the standard offering may be tailored to meet the needs of the asset. For those rare cases where the business needs of an asset are compromised by the ETS management service, it may be necessary for the asset to be self-managed by the asset’s custodian.
There are no “unmanaged” assets in the College.
By default, all computers and related assets owned and operated by the College are managed by Engineering Technology Services. The ETS service portal includes the ETS Service Catalog as well as related documentation and links to request help and services.
To effectively and efficiently manage the large number of College assets, ETS has a suite of standard offerings. These offerings are consistent with the policies, standards, and practices of the College and University. Specifically, they are designed to meet the Information Security Policy (ISP) and its affiliated standards and controls. ETS also manages to the requirements of 3rd party contracts, statutes, and regulations that may be attached to specific research projects.
Assets that are managed by ETS are referred to as “ETS-managed”.
There are two situations where an asset may be managed by the asset’s custodian (or their designee).
- If ETS management tools inhibit a specific business need of the researcher.
- If the asset itself has an attribute outside the scope of the suite of ETS service offerings.
Example 1: A researcher is performing kernel-level development on a Linux system. The management system utilized by ETS is incompatible with that level of system modification. Therefore, ETS management would prevent the research from being conducted.
Example 2: A researcher has a software application that requires an unsupported operating system such as Windows 7. The application cannot be updated and there is no suitable alternative. Since Windows 7 is end-of-life and no longer supported by Microsoft, it is not possible for ETS to manage the device in a way that is compliant with University policy.
Assets that are not managed by ETS are referred to as “self-managed”.
Self-managed assets are still subject to all security controls mandated by the College, University, and all applicable 3rd party contacts, statues, and regulations.
NOTE: Assets that are subject to a Technology Control Plan (TCP) by Export Control are not candidates for self-management.
Regardless the management state of an asset, it must be maintained in a state of compliance. ETS is fully responsible for ETS-managed assets. ETS and the asset custodian share responsibility for self-managed assets as follows.
Compliance requirements are based on the University’s Information Security Policy and related documents.
The Information Security Policy has a child document called the Information Security Standard (ISS). This standard applies to all University information and system assets. From the ISS, another document, titled ISS – Control Requirements (ISCR) was derived. These controls are detailed requirements for how assets are to be configured and maintained.
It is not possible to apply every control to every asset. For example, a control requires that all operating systems be supported by their vendor with current security patches. As noted above as an example of exception states, Microsoft does not support Windows 7, yet a Windows 7 operating system is required by a business need and cannot be met with an alternate solution. When there is a business need to deviate from the ISCR, it is necessary to implement a compensating control. The control must meet the intent of the original requirement and it must be formally documented.
If a compensating control cannot be actualized, then it is possible for the College to request an exception to the control. Each exception is applied to a specific asset and use case, and each exception request requires the approval of the head of the business unit or their designee. The Dean of the College of Engineering has designated the ETS director covering Risk and Compliance to accept this risk on their behalf. Once the exception is requested, it is reviewed by Digital Security and Trust (DST), the risk and compliance arm of the Office of Technology and Digital Innovation (OTDI). If approved, exceptions are valid for at most one year at which time a renewal may be requested.
ETS is responsible for all requirements, compensating controls, and exceptions for ETS-managed assets.
The custodian of a self-managed asset is responsible for all requirements of the ISCR. If a compensating control is desired, it must not be implemented prior to consultation with ETS Risk and Compliance so that it may be appropriately documented and processed. Exceptions must be submitted to ETS for processing and approval. There are many controls in the ISCR, and they are not always simple. ETS is available to consult should the custodian of the self-managed asset require assistance.
Every year, the University requires an assessment of compliance from its business units. Completing the ISS – Control Requirement Assessment (ISCR.a) is the responsibility of ETS, however it requires information from the custodians of the self-managed assets including their own assertion that they have maintained their asset in a compliant state. The custodians of self-managed assets must be able to provide or produce documentation on how each control is met for their device and they may be required to provide their own assertion of compliance to ETS.
The University conducts several internal audits. These audits target business units such as the College and include IT, financial, and research audits. ETS may be called upon to address any content of any audit that touches upon its function. By extension, custodians of self-managed assets may be called upon to answer any questions that may touch upon their assets.
IT audits usually happen every 3 years. They usually include questions regarding a subset of the ISCR. Detailed responses are required. Existing documentation is provided and usually a sampling of assets are checked to validate the response. Audit will evaluate the data and issue their findings. The College will then be provided a timeframe in which to address those findings. Once all findings are addressed to the satisfaction of Audit, the audit is closed.
Custodians of self-managed assets are required to participate in all audit-related activities as requested.
Most of the restricted research at OSU takes place within the College of Engineering. Much of that is governed by the Export Controls established by the Office of Research Export Control Program. These assets are often placed under a Technology Control Plan (TCP). The plan is signed by the PI and the ETS Director who is assigned to Risk and Compliance. The PI and ETS share responsibility for plan compliance per the TCP and thus a TCP asset cannot be self-managed as established by this policy.
OSU has additional regulating organizations that impact the governance of information and system assets. These include Business and Finance, Digital Accessibility, and Legal Affairs. This document does not address the requirements of those agencies, but it should be noted that ETS and the College are subject to their policies, standards, and practices.
Some of the research conducted by the College’s faculty and researchers is done in partnership with external agencies. These may be government or private sector based. The PI for any such project is responsible for the terms and conditions of those partnerships/grants/contracts.
By default, all system assets are managed by ETS. ETS is a limited resource and thus has a defined service offering.
Account Management Services: ETS provides directory services for ETS-managed endpoints via an active directory called “COEIT”. Connected to the central OSU Identity Management Service, accounts for all COE affiliated are automatically provisioned in COEIT and are added to groups based upon their affiliation, allowing users to access many resources based solely upon the unit(s) they represent. ETS is responsible for the full account life cycle on ETS-managed assets.
ETS also manages administrative accounts and their lifecycle. In some cases, a user may require admin privileges to an asset. ETS and OSU follow the principals of least privileges (POLP) and the separation of elevated privileges from normal accounts. POLP is required by ISCR DAT 2.2. In ETS it is applied by requiring all login sessions to run from a standard (non-privileged) account and only those specific process that require administrative privileges to run in an elevated state (Windows “run as” or Linux “sudo”). This limits the scope of access a compromised process may acquire.
Admin accounts may be requested on the ETS service portal.
Asset Management including Procurement: ETS manages the full lifecycle of ETS-managed assets. From procurement through decommissioning, the University requires specific controls on its inventory. There are compatibility requirements for all ETS services (such as having up to date TPM modules, “keep your hard drive” agreements, and active updates from vendors). All asset acquisitions must start with a service request submitted through the ETS service portal. Likewise, any time an asset is moved or decommissioned, a service request must be submitted prior to the action.
Client Services: ETS offers direct support for its customers via dedicated staff in its Client Services group. Client Services can be engaged online, on the phone, or in person. Contact details are provided on the ETS service portal.
Endpoint Management: ETS provides full management of the endpoint’s operating system including updates and patching. Patching is performed monthly during the ETS maintenance window. All assets are patched and may be rebooted at this time. If rebooting an asset would interrupt a long-running process, an exception from the patching cycle may be requested through the ETS service portal. A second request may be made if the process continues to run into a second maintenance window, but no asset can be left without patches for more than 90 days so a 3rd exception cannot be granted.
Note: ETS only supports a single operating system per asset. Dual-boot operating systems, or guest operating systems supported by virtualization software, cannot be managed in a fashion that guarantees compliance with University and College requirements. For this reason, multi-OS systems are unsupported.
Network Services: ETS provides wired network connectivity to all offices and labs in ETS-managed buildings (note that ETS does not manage the Pelotonia Research Center). Each connection in a room can be connected to one of several networks such as: trusted, untrusted, restricted, and printers. It can be connected to only one such network at a time.
Network services also provides a firewall for network access control to OSUNET and beyond, and a VPN for in-bound connectivity from those networks to ETS-managed assets.
Remote Access: Where required by a business purpose, ETS provides remote access. A VPN is provided as the entry for all such connections. The specifics of the VPN are detailed in an external document linked in the Supporting Documents and Additional Information section of this document. In addition to the VPN, connection tools are limited to an approved set. For access to a Windows asset, this is Remote Desktop Protocol, and for Linux-based assets, SSH. For remote windowing systems, OSU provides FastX for Linux assets. Note that TeamViewer and similar 3rd party tools that are well documented as having active security vulnerabilities, violate the University and College standards and practices and are not allowed.
Risk and Compliance Services: ETS is responsible for all risk and compliance issues on ETS-managed endpoints. In part, this includes:
- Data Loss Prevention
- Enhanced Endpoint Protection
- Intrusion Detection
- Intrusion Prevention
- Local Firewall
- Remote System Logging
- Vulnerability Management
Risk and Compliance coordinates all security incident responses, vulnerability management, endpoint protection operations, and compliance with the Colleges IT responses to the ISCR.a and Audit.
Server Hosting: ETS provides racked server hosting in several locations. Some locations include physical access for users who may need to touch their asset. Note that all servers with TCPs are located at the SOCC and only ETS staff have access to that facility. Further note that OSU Internal Audit determined in a past audit that all servers, as defined by the ISCR (by function rather than form factor), require secure housing. The College provides this housing in the ETS-managed data centers. There are several requirements for the physical attributes of an asset to be placed in an ETS-managed data center. These requirements are detailed in a separate document that is linked in the Supporting Documents and Additional Information section of this document.
Server Management: ETS and OTDI provide services that, if run on a College asset, might trigger the ISCR to reclassify an endpoint as a server. These include:
- License Servers
- Message (Email, Teams)
- Storage (OneDrive, ETS provided storage)
- Web Services of several varieties
The management burden on ISCR defined servers is greater than ISCR endpoints. Therefore, ETS does not support services on ETS-managed assets that are redundant to those provided elsewhere. Any person considering a “server” purchase, must consult with ETS to discuss existing offerings that may already address the business need.
Some ETS service offerings are restricted to ETS-managed assets including storage and directory services.
Note that the ISCR define a “server” based on the services that run upon the asset. Thus, a laptop that is serving files across the network would be considered a server for compliance purposes. An asset with a physical server format (rack mounted, etcetera) that is effectively used as a remote-access workstation without providing networked services, might be considered an endpoint.
Software Services: Third party software is supported to the point of installation and confirmation that the software “runs”. ETS does not provide support in the use of the software. Software license servers are also maintained for the College. New software requests can be made through the ETS service portal. For Windows systems, many packages are available through the native “Software Center” tool.
All software purchases and installations must start with a service request through the ETS service portal. In addition to ETS support, this engages the reviews of all contracts, terms and conditions, and related materials as required by OSU Business and Finance. It also engages an accessibility assessment as required by the OSU ADA Coordinator’s Office and for cloud subscription services, a security assessment.
By default, all system assets are managed by ETS. If an asset triggers an exception state as defined previously, ETS still provides a subset of services for that asset.
Asset Management including Procurement: ETS does not manage the full lifecycle of self-managed assets but it is responsible for coordinating inventory and related functions. Additionally, there are certain hardware requirements for self-managed machines (such as having up to date TPM modules, “keep your hard drive” agreements, and active updates from vendors). All asset acquisitions including those intended to be self-managed must start with a service request submitted through the ETS service portal. Likewise, any time an asset is moved or decommissioned, a service request must be submitted prior to the action.
Client Services: ETS offers limited support for self-managed assets via dedicated staff in its Client Services group. Client Services can be engaged online, on the phone, or in person. Contact details are provided on the ETS service portal.
Network Services: ETS provides wired network connectivity to all offices and labs in ETS-managed buildings (note that ETS does not manage the Pelotonia Research Center). Each connection in a room can be connected to one of several networks such as: trusted, untrusted, restricted, and printers. It can be connected to only one such network at a time.
Self-managed assets are placed on untrusted networks. There are two such networks. The first contains assets that do not require access from the outside world. The second contains assets that do require access from the outside world. An example of such an asset would be a research asset that runs a web service that is required for a business need and cannot be met with an existing ETS or University offering. External access to self-managed assets is restricted at the College’s border firewall. Only those ports that are required to support a specific business need are opened.
Note: Any asset found to be non-compliant may be removed from the network. Reasonable attempts will be made to contact the custodian or their designated admin, but some risk and compliance related issues require prompt responses. The mechanism for removing non-compliant assets from the network is to turn down the network port(s) to which it is connected. If the port is shared with other devices, this may remove those devices from the network at the same time. Service will be restored as soon as is reasonable after the risk and compliance related issue is addressed.
Remote Access: ETS provides remote access to those assets which require it for the business purpose. A VPN is provided as the entry for all such connections. The specifics of the VPN are detailed in an external document that is linked in the Supporting Documents and Additional Information section of this document. In addition to the VPN, connection tools are limited to an approved set. For access to a Windows system, this is Remote Desktop Protocol, and for Linux-based systems, SSH. For remote windowing systems, OSU provides FastX for Linux systems. Note that TeamViewer and similar 3rd party tools that are well documented as having active security vulnerabilities, violate the ISCR and are not allowed, even on self-managed assets. Self-managed assets must still be ISCR compliant.
Risk and Compliance Services: ETS is responsible for all reporting on risk and compliance issues on self-managed endpoints. ETS also acts as the interface between DST (Digital Security and Trust… the IT “security” segment of OTDI) and the asset custodian. Certain tools must be installed and/or configured on self-managed assets. In part, these include:
- Data Loss Prevention
- Enhanced Endpoint Protection
- Intrusion Detection
- Intrusion Prevention
- Remote System Logging
- Vulnerability Management
The specifics of the required tools are detailed in an external document linked in the Supporting Documents and Additional Information section of this document.
Risk and Compliance coordinates all security incident responses, vulnerability management operations, and compiles the Colleges IT responses to the ISCR.a and Audit.
Server Hosting: ETS provides racked server hosting in several locations. Some locations include physical access for users who may need to touch their asset. Note that all servers with a TCP are located at the SOCC and only ETS staff have access to that facility. Further note that OSU Internal Audit determined in a past audit that all servers, as defined by the ISCR (by function rather than form factor), require secure housing. The College provides this housing in the ETS-managed data centers. There are several requirements for the physical attributes of an asset to be placed in an ETS-managed data center. These requirements are detailed in a separate document that is linked in the Supporting Documents and Additional Information section of this document.
Self-managed servers are eligible for the server hosting service.
Server Functions: ETS and OTDI provide services that, if run on a self-managed asset, might trigger the ISCR to reclassify an endpoint as a server. These include:
- License Servers
- Message (Email, Teams)
- Storage (OneDrive, ETS provided storage)
- Web Services of several varieties
The management burden on ISCR defined servers is greater than ISCR endpoints and some of these services are restricted to designated service providers at the University. For example, no one may offer email services. Any person considering purchasing or configuring a “server,” must consult with ETS to discuss existing offerings that may already address the business need.
Note that the ISCR defines a “server” based on the services that run upon the asset. Thus, a laptop that is serving files across the network would be considered a server for compliance purposes. An asset with a physical server format (rack mounted, etcetera) that is effectively used as a remote-access workstation without providing networked services, might be considered an endpoint.
Software Services: ETS does not provide direct software support on self-managed assets, however software license servers are also maintained for the College. New software requests can be made through the ETS service portal.
All software purchases must start with a service request. In addition to ETS support, this engages the review of all contracts, terms and conditions, and related materials as required by OSU Business and Finance. It also engages an accessibility assessment as required by the OSU ADA Coordinator’s Office.
ETS does not offer these services to self-managed assets:
- Account Management
- Endpoint Management
When an asset is designated as self-managed, the asset custodian, usually the faculty member or researcher who designated the funds used by the University to purchase the device, assumes responsibility for all the following:
- All policies, standards, and practices of The Ohio State University
- All policies, standards, and practices of The College of Engineering
- All external control requirements, including but possibly not limited to:
- Government statues and regulations
- Contractual requirements
The assumed responsibility includes having a full understanding of all such requirements and implementing them as practiced at the University and the College; working with ETS to establish a compensating control; or working with ETS to request an exception.
Links are provided in the Supporting Documents and Additional Information section of this document for some of the more common policies and documents.
For all self-managed assets, the custodian shall do the following:
Assertion of Compliance: Every year, the College is required to submit the ISCR.a, an assessment of compliance with the ISCR. ETS submits the ISCR.a on behalf of the College and answers for all ETS-managed assets. The custodian of each self-managed asset must answer for each of their individual assets. Designated administrators may not substitute for custodians on this assertion. ETS will solicit these assertions through email to the asset custodian’s OSU email address. It will provide that year’s assessment criteria and a required submission date that the data may be included in the College’s ISCR.a response. ETS will remove any self-managed system from the network if an ISCR.a assertion has not been submitted by the required date.
In addition to the annual assertion of compliance, an “Initial Assertion of Compliance” is required for all self-managed devices. This document is linked in the Supporting Documents and Additional Information section of this document.
Designated Admin: The custodian is ultimately responsible for the asset but may designate an administrator for the asset. The designated admin does not replace the custodian as the responsible party but can perform the following duties. If there is no designated admin, then the duties remain the responsibility of the asset custodian.
- ETS Liaison – ETS staff will need someone to contact regarding the asset. Email and phone numbers must be provided. The designated admin is expected to respond to all ETS communications no later than the next business day. Often these contacts relate to risk and compliance issues and a timely response is necessary. If the issue constitutes a threat to other assets, it will be isolated from the network until the issue is resolved.
- Ensure compliance – The designated admin is responsible for compliance including, but not limited to, the ISCR.
- Receive and respond to vulnerability reports, performing corrective actions as directed – ETS and DST have several automated scanning systems and related detection systems. These systems generate vulnerability reports which are provided to ETS staff. When ETS staff identify an issue with a self-managed asset, this vulnerability will be shared with the designated admin. Most issues have a 30-day remediation window. Issues not resolved within their remediation window may trigger additional actions by ETS including the possibility of having the asset isolated from the network.
If the designated admin changes, the asset custodian is responsible for informing ETS of the change.
Access to the self-managed asset: ETS and OSU have a set of risk and compliance tools that are run on or against all endpoints at the University. Assets that are self-managed may still need to provide access for these tools. Some examples of the tools used are EEP (Enhanced Endpoint Protection, what would have formerly been referred to as anti-virus or anti-malware), DLP (Data Loss Prevention), IDP (Intrusion Detection/Prevention), Vulnerability Management, and SIEM (Security Information and Event Management). The specifics on the tools and how they are integrated into self-managed assets is detailed in a document linked in the Supporting Documents and Additional Information section of this document.
A self-managed asset must be compliant with the policies, standards, practices, statutes, and regulations applicable as listed above plus any that may not be listed. This is the responsibility of the asset’s custodian. The following is a set of clarifications on a subset of these compliance requirements.
COMPLIANCE
ISCR: All University assets, including those that are self-managed, must be compliant with all ISCR IT controls. Some details that may assist with compliance:
- ISCR is a living document – The ISCR is updated frequently. It is the responsibility of the asset custodian or their designated admin to keep current with all updates and adapt their compliance as required by the current set of controls.
- ISCR controls change based upon the S-level (security level) and C-level (criticality level) of the information and system assets. Knowing these levels is required to know which controls are applicable to a given asset. The IRMF Glossary is a useful job aid for evaluating these factors.
- Endpoint vs Server – The ISCR define any device that provides data or services to another asset as a server. Some examples include traditional file servers, print servers and directory servers. Note: an asset that might otherwise be classified as an endpoint would be classified as a server through the simple act of sharing local files or attached printers to another device across the network. The ISCR section that applies to servers is generally more stringent than that which applies to an endpoint. A server is defined by its networked services rather than its physical form factor.
- Account Management including Administrative Rights and Password Standards and Rotations: All assets require access control. Per the ISCR this is generally accomplished with passwords. All accounts must have a unique password that meets the standards of the ISCR including length, complexity, and maximum life span. This is a manual process on self-managed assets. The mechanism selected must be documented and followed. Note: accounts and passwords are not shareable assets. There are specific instances where a “shared account” may seem necessary. Before implementing a shared account, the asset custodian or their designated admin must contact ETS to discuss the circumstances to see if there is another mechanism that accomplishes the business task. If it is determined that a shared account is required, it must be documented.
- In some cases, a user may require admin privileges to an asset. Engineering and OSU follow the principals of least privileges (POLP) and the separation of elevated privileges from normal accounts. POLP is required by ISCR DAT 2.2. At OSU it is applied by requiring all login sessions to run from a standard (non-privileged) account and only those specific process that require administrative privileges to run in an elevated state (Windows “run as” or Linux “sudo”). This limits the scope of access a compromised process may acquire.
- Supported Assets and Configurations – The ISCR has an entire section on requirements for client systems and another for server systems. Highlighted details:
- Assets must be configured to provide only the essential capabilities necessary to support the business purpose of the asset.
- Assets must have current, vendor-supported operating systems, software, and firmware. All security related patches must be applied, and other patches generally should be applied.
- Once updates are no longer available, there may be compensating controls possible to allow an asset to remain in service if there is a business need that cannot be met otherwise. The asset custodian must engage ETS to discuss and design appropriate controls and register all required exceptions with the University. Otherwise, the asset must be retired.
- Assets must log specific actions as detailed in the ISCR. These logs must be forwarded to the centralized logging system.
- Host-based Firewall – The ISCR requires defense in depth. A border firewall is complemented by a required local, host-based firewall. This firewall must be configured default-deny and only those services as are specifically required by the asset allowed access to the network.
- Remote Access – The ISCR has specific requirements for remote access to assets. Remote connections must be encrypted using a VPN and use specific software. ETS provides a VPN service which must be used for all remote connections. Allowed protocols include SSH and RDP. For Linux-based windowed environments, the university provides FastX. Most other remote connectivity software is not allowed. This specifically includes TeamViewer which has been repeatedly shown to be an active security risk. Should RDP and FastX not meet a business need, the asset custodian or designated admin must engage ETS to discuss the need and how it might be met in a compliant manner before an alternate connection mechanism is utilized.
- Vulnerability Management – The ISCR requires that vulnerabilities be identified and managed. Some management tools are maintained by ETS and DST and can be applied to self-managed assets. Some of these are specifically required and are detailed in a document linked into the Supporting Documents and Additional Information section of this document.
Note: the ISCR apply to all equipment regardless of network connection. If an asset is attached to an ETS-managed network, an OTDI-managed network, EDUROAM, OSUWireless, or no network at all, the ISCR still apply. Changing network connections may be part of a compensating control or exception, but all such deviations from the control requirements must be documented and registered.
Incident Response: ETS has a Self-managed Asset Incident Response Plan that must be followed by all asset custodians, designated admins, and users.
Multi-OS Systems (Virtual and Dual-boot): Multi-OS systems are prohibited on COE system assets regardless of management state. These systems pose significant risks to data integrity, system stability, and cybersecurity. Such configurations increase the attack surface, making system assets more vulnerable to malware, data breaches, and unauthorized access. ETS has a support model for Docker-based containerization and OSU offers a container-based service offering. A service request can be submitted to the ETS service portal to initiate a discussion on how these service can alleviate the perceived need for a multi-OS system.
Software Licensing and Digital Accessibility: Even on self-managed assets, all software purchases and installations must start with a service request through the ETS service portal. In addition to ETS license server support, this engages the reviews of all contracts, terms and conditions, and related materials as required by OSU Business and Finance. It also engages an accessibility assessment as required by OSU ADA Coordinator’s Office. This includes “free” software and any installers that utilize “click-through” licensing. The University does not extend the right to agree to contract terms, even those from simple software installs, to University personnel outside the central administrative offices.
3rd Party Hosted and Cloud-based Assets: ETS does not manage assets hosted outside the College. Most use cases fall under “cloud” scenarios. Any person engaging a cloud service must first confirm that the service has been approved for their specific use case. An entry found on the Cloud Assessment Registry does not mean that the service is available for all use cases. If the service does not appear on the registry, or if it is not known if the existing registry entry applies to the current use case, an assessment request must be made with a service request through the ETS service portal. After the service is approved, it must still be utilized in a way that is compliant with all applicable policies, standards, practices and so on.
User Education: It is the responsibility of the self-managed asset’s custodian to ensure that users of their asset are aware of their responsibilities toward the compliant use of the asset.
All network equipment attached to the ETS-managed network must be managed by ETS. No self-managed network devices are permitted. This includes but is not limited to routers, switches, bridges, bastion hosts (aka jump hosts), firewalls, and VPN.
The purpose of ETS is to enable the business functions of the College in a compliant manner. Should a section of this policy conflict with the required business functions of a person/project within the College, an exception to this policy or its contents can be requested through the ETS service portal.
|
Term |
Definition |
|---|---|
|
Business need |
An item or ability required to perform a business task |
|
Business purpose |
The goals and missions of The College of Engineering and The Ohio State University |
|
Business task/function |
An action or activity conducted in support of a business purpose. |
|
COE |
College of Engineering |
|
COEIT |
Refers to both:
Often used to reference the totality of the COE compute environment. |
|
Compensating Control |
A measure enacted to meet the intent of an ISCR when there is a technical requirement that prevents application of the original control |
|
Custodian |
The person designated as responsible for a system asset. This is often the PI or faculty person who approved the use of University funds to purchase, or otherwise acquired, the asset. |
|
DST |
Digital Security and Trust – the IT “security” segment of OTDI. |
|
Endpoint |
A system asset that is directly touched and/or used by a user. These are systems with full operating systems such as Windows, Linux, and MacOS. They include laptops, desktops, workstations, tablets and ETS-managed virtual systems. Endpoints do not include printers, network devices, or instrumentation. |
|
ETS |
Engineering Technology Services – The IT Service Staff of COE |
|
ETS-managed |
System asset managed by ETS |
|
Export Control |
Refers to both:
|
|
Information asset |
A definable piece of information recognized as having value to the University |
|
ISCR |
Information Security Control Requirements – the technical requirements of the ISS |
|
ISCR.a |
Information Security Control Requirements Assessment – a document signed annual by senior College leadership attesting compliance with the ISCR |
|
ISP |
Information Security Policy – the formal policy governing all information and system assets owned and operation by OSU |
|
ISS |
Information Security Standard – the formal standard supporting the ISP |
|
NIST |
National Institute of Standards and Technology, U.S. Department of Commerce |
|
OR |
|
|
OSR |
|
|
OSU |
|
|
OTDI |
Office of Technology and Digital Innovation (OTDI) |
|
Personal use |
An action or activity that does not directly support a business purpose |
|
PI |
Primary Investigator – the person responsible for one a research project |
|
Self-managed |
System assets that are not managed by ETS |
|
Servers |
The ISCR define any device that provides data or services to another system as a server. Some examples include traditional file servers, print servers and directory servers. Note: a system that might otherwise be classified as an endpoint would be classified as a server through the simple act of sharing local files or attached printers to another device across the network. Thus the definition of server versus endpoint is directly tied to how the device is configured and interacts with other devices rather than by its physical form factor. |
|
System asset |
Information technology software and/or hardware used in conjunction with information assets to fulfill University needs. This includes telecommunications and mobile computer systems. |
|
TCP |
Technology Control Plan – a formal set of requirements for some research projects. Defined in conjunction with ETS, the PI, and the OSR. |
|
“Trusted” and “Untrusted” |
In this document, “trusted” and “untrusted” are used in their IT context. Per the ISCR definition, any [asset] not managed by the organization is “untrusted”. ETS may also refer to the networks that contain untrusted assets as an “untrusted network”. While these networks are managed by the organization, they are referenced as such based upon the assets attached to them. |
|
Unmanaged |
All COE system assets must be managed by either ETS or the asset’s custodian, therefore there are no assets recognized as unmanaged in ETS |
|
User |
A person who uses an asset. |
|
Agency |
Document |
|---|---|
|
ETS |
ETS Portal including Help Desk, Current Information, Service Catalog, and Knowledge Base |
| ETS | Hardware Requirements - DRAFT |
|
ETS |
List of ETS supportable hardware vendors <Document Pending> |
|
ETS |
Risk and Compliance: Required Access and Tools for Self-managed Assets < DOCUMENT PENDING > |
|
ETS |
Self-managed Asset: Incident Response Plan < DOCUMENT PENDING > |
|
ETS |
Self-managed Asset: Initial Assertion of Compliance (Sample) |
|
ETS |
Server Hosting < DOCUMENT PENDING > |
| ETS | Supported Operating Systems |
|
ETS |
System Asset Purchasing Process < DOCUMENT PENDING > |
|
ETS |
VPN and Remote Access to Self-Managed Assets < DOCUMENT PENDING > |
|
OSU |
|
|
OSU – OR |
|
|
OSU – OR |
|
|
OSU – OR |
|
|
OSU – OTDI |
|
|
OSU – OTDI |
OTDI Cybersecurity Resources |
|
OSU – OTDI |
Information Risk Management Framework (IRMF) |
|
OSU – OTDI |
|
|
OSU – OTDI |
Information Risk Management Program (IRMP) |
|
OSU – OTDI |
Information Security Control Requirements (ISCR) |
| OSU – OTDI | Information Security Control Requirements Assessment (ISCR.a) |
|
OSU – OTDI |
Information Security Policy (ISP) |
|
OSU – OTDI |
Information Security Standard (ISS) |
|
OSU – OTDI |
Institutional Data Policy (IDP) |
|
OSU – OTDI |
|
|
OSU – OTDI |
|
|
NIST |
|
|
NIST |
Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53) |
|
NIST |
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171) |
|
NIST |
Zero Trust Architecture (NIST SP 800-207) |
| Version | Date | Change Notes |
|---|---|---|
| 1.0 | 2023.09.14 | Replaces the Policy for Computer Systems Management |
| 1.1 | PENDING |
Added links to external supplemental materials. |
Contact Us
Phone: (614) 688-2828
Email: etshelp@osu.edu
Virtual Helpdesk:
ets.osu.edu/vhd (opens Zoom)
Virtual Helpdesk Hours:
M-F 9:00 A.M.-12:00 P.M.
M-F 1:00 P.M.-4:00 P.M.
Service Desk Locations:
Business Hours:
M-F 8:00 A.M.-5:00 P.M.
View My Tickets & Requests:
https://go.osu.edu/etsportal (external site)
Not seeing what you want on this page?
Try our I Want To... list.