Oklahoma A&M Board of Regents

Uniform Information Security Governance Structure

2.26

  1. Information Security Governance (“Governance”) for all institutions governed by the Board shall be unified, strategic, and measurable, to prevent vulnerabilities or accepted risks at a single entity from compromising information security of another entity or across the OSU/A&M System.
    1. A governing body (“Governing Body”) is designated for all institutions governed by the Board, consisting of:
      1. Chief Information Officer-Oklahoma State University
      2. Chief Information Officer-Agricultural & Mechanical Colleges
      3. Oklahoma State University Information Security Officer and Director of Information Technology Security
      4. Oklahoma State University Information Technology Compliance Manager
      5. Oklahoma State University-Center for Health Sciences, Associate Vice President for Information Technology
      6. Oklahoma State University Assistant Director of Research Security
      7. Oklahoma State University Chair, Long-Range Planning & Information Technology Committee

    2. The Governing Body is responsible for developing and implementing an Information Security Program Plan (the “ISPP”) which sets strategic measures to protect the confidentiality, integrity, and availability of each OSU/A&M institution’s information assets.
      1. The ISPP will include an overview of requirements for facilitating Governance across the OSU/A&M System and describe the controls in place or planned for meeting those requirements.
      2. Appendices to the ISPP will outline institution-specific control goals and objectives, and reference supporting work documents outlining work to be accomplished, such as risk assessments, establishment or improvement of controls and mitigation efforts.
      3. The Governing Body is responsible for disseminating the ISPP, obtaining input from the OSU/A&M institution presidents or their designees, and promoting compliance across the OSU/A&M System.
      4. The ISPP will be reviewed by the Governing Body for efficacy and meeting security objectives on an annual basis, and be updated as needed.
      5. Security objectives of the ISPP will address, but will not be limited to:
        1. Potential security control gaps
        2. Industry best practices
        3. Regulatory compliance
        4. Risk assessment and mitigation activities
      6. Annual goal setting will align with the institutional budgetary process to ensure appropriate funding for Governance matters.

    3. The Governing Body is responsible for facilitating data governance for all institutions governed by the Board. Data governance efforts will provide effective management and securing of data, including personally identifiable information (PII), in accordance with the ISPP.

    4. The Governing Body is authorized to take action toward the identification and remediation of system-wide and institution-specific information security risks. In response to identified risks, the Governing Body is authorized to prescribe both centralized and institution-specific Governance measures, including, but not limited to:
      1. Ensuring an adequate number of personnel are available and trained on risk assessment practices
      2. Establishing centralized policies, procedures, and standards
      3. Performing risk assessments at the system or institution level
      4. Performing ISPP compliance assurance assessments at the system or institution level

    5. The Governing Body will provide oversight for Governance work progress, promote information security support and awareness training, and provide timely reports of the status of institution-specific Governance needs to executive management, including, but not limited to, the presidents of each OSU/A&M institution. 
  2. The President of each institution governed by the Board or his/her designee shall be responsible for aligning their institutional budget to ensure adequate funding for Governance needs in accordance with the ISPP and/or recommendations of the Governing Body and preparing and presenting institution-specific Governance matters for Board approval.