University Computer Security Standard Compensating Control Request FAQ
What is a Compensating Control?
What Information is Important in Requesting a Compensating Control?
Why fill out the Compensating Control Request Form?
Do I need to submit a Compensating Control Request for each part of each standard for a single device or device type?
Do I need to submit Compensating Control Requests and Exception Requests for a device or device type separately?
Must I include a serial number in my request? What about multiple serial numbers for a class of devices?
Is There An Example of the Sort of Request You are Expecting University Units to Submit?
What is a Compensating Control?
A Compensating Control (for the purpose of the university security standards) is a method by which a unit protects a device that does not natively allow for compliance with the requirements of a security standard.
A few examples of situations requiring a compensating control are:
Why fill out the Compensating Control Request Form?
The web form contains the questions that the CIO Security Group uses to evaluate a request for a compensating control to the various University Computer Security Standards. To expedite the approval process, staff are encouraged to read through these suggestions so that their submission relays the most important information.
What Information is Important in Requesting a Compensating Control?
The key information a unit should provide when submitting a request for a compensating control is the set of facts or procedures that will allow the device to become compliant. If, for example, a device cannot host a firewall, then documenting how the unit intends to protect it from the threats a firewall covers is paramount to the request. Citing locally defined time frames and procedures will hasten the evaluation and approval process. Quantitative information goes a long way in helping the CIO Security Group determine whether the threats have been properly identified and addressed by the requesting unit.
Important details when requesting a Compensating Control:
Do I need to submit a Compensating Control Request for each part of each standard for a single device or device type?
Compensating Control Requests for a single device or device type can be grouped by standard. For instance, if a device requires a compensating control for multiple elements of the MCSS, you may put them together into a single request, noting of course which parts of the standard the request applies to.
The example below shows two elements of the MCSS being requested in a single Compensating Control Request.
Do I need to submit Compensating Control Requests and Exception Requests for a device or device type separately?
Compensating Control Requests and Exception Requests should be submitted separately for each standard. The reason is that the consideration processes for the two differ, and the risk in allowing and approving exceptions is often greater. An exception is also an admission that a solution for a standard element cannot be implemented or does not exist, and so implies greater risk.
As with multiple Compensating Control Requests for a device or device type, Exception Requests can be grouped by standard to include multiple elements in a single request. For example, if I need a compensating control for the MCSS Firewall and Authorizations elements and an exception for the Patching and Anti-Malware elements, I submit two requests: a single Compensating Control Request containing both elements and their solutions, and a single Exception Request containing both elements and the justification/description of risk.
Must I include a serial number in my request? What about multiple serial numbers for a class of devices?
The serial number field is included in the form primarily for use by local units who wish to track the devices that have been granted a Compensating Control. It is not used in considering the approval of the request. Multiple device serial numbers can be listed, but this is not required when submitting a request for a class of devices.
Is There An Example of the Sort of Request You are Expecting University Units to Submit?
The details required by the CIO Security Group to make a determination will vary by case, but here is an example of a well-documented and well-written compensating control request, to give you a basis for what sorts of details are needed to approve a request quickly. (The example below is not a real request; it is provided for illustrative purposes.)
Your Name: Brian Moeller
Your e-mail address: moe@net.ohio-state.edu
If phone contact is preferred, the phone number where you can be reached: 77136
University Department/College: CIO Security
Standard (MCSS, WSSS, DSSS, CCSS) and Element (when applicable) related to compensating control request: MCSS - Firewall, Access
Type of device involved in Compensating Control Request: Buffalo 890 Network Storage Device
Device Manufacturer: Buffalo Networks
Device Serial Number: 200710001
Description of proposed compensating control: The CIO Security Group uses the Buffalo NAS to store forensic data used in security investigations. This is a stand-alone network device that runs a proprietary form of Linux and is available to users connected to the .49 IP range used by Network Security. The device does not natively support a host-based firewall or anti-malware. Additionally, the NAS is not configurable like a normal Linux system, so manufacturer patches are the only updates available, and they are not released on a regular interval. The administration functions are password protected. The device is accessed through NFS and does allow anonymous access. Exception Requests are forthcoming for the OS Update and Anti-Malware requirements of the MCSS for this device.
Description of how proposed solution satisfies requirements of applicable standard or element using compensating control: Since the device does not support a native firewall, we have placed it behind an OSU Fire Marshall Firewall with default-block rules applied. Only those services necessary for access have been allowed. Since authentication is not configurable on the device and any NFS-capable system on the same network can mount the device, we have instituted ACLs on the .49 network that limit access to the device to a fixed number of IP addresses.
Description of how the proposed compensating control mitigates the risk of the standard or element: The OSU Fire Marshall 3.8 Firewall is configured with a default-block ruleset, disallowing any access to these hosts on the network where a host-based firewall cannot be installed. The ACLs also limit access to the device interface and will deny any unauthorized systems from connecting to the NFS share.
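As an added illustration of the control described in the sample request (this is not part of the original page, and the university's Fire Marshall firewall is not shown; the same default-block-plus-allowlist policy is expressed here in nftables syntax for an upstream Linux filtering host, with constructed addresses: 192.0.2.49 stands in for the NAS and the set members for the approved client IPs), this ruleset drops everything by default and admits only NFS from the fixed addresses. It assumes NFSv4 on TCP 2049 plus rpcbind on 111 for NFSv3 clients; other services the unit needs would be added as explicit allow rules.

```nft
# Constructed example: default-block forward policy protecting a NAS that
# cannot run a host-based firewall. Only approved clients may reach NFS.
table inet nas_filter {
    # Fixed list of client addresses permitted to mount the share (constructed values).
    set nfs_clients {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11, 192.0.2.12 }
    }

    chain forward {
        # "policy drop" is the default-block rule: anything not explicitly
        # accepted below is discarded.
        type filter hook forward priority 0; policy drop;

        # Allow replies for connections that were already admitted.
        ct state established,related accept

        # NFS (2049) and rpcbind (111) from approved clients to the NAS only.
        ip saddr @nfs_clients ip daddr 192.0.2.49 tcp dport { 111, 2049 } ct state new accept
        ip saddr @nfs_clients ip daddr 192.0.2.49 udp dport { 111, 2049 } accept

        # Everything else toward the NAS is logged for review, then dropped.
        ip daddr 192.0.2.49 log prefix "nas-blocked: " drop
    }
}
```

Reviewing the resulting log lines gives the quantitative evidence (blocked attempts per day, source ranges) that the FAQ above says helps the CIO Security Group judge whether the threats are actually being addressed.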
