University Computer Security Standards (UCSS) Compensating Controls & Exceptions
This page contains the compensating controls submission form as well as the list of approved general compensating controls and exceptions under the University Computer Security Standards (UCSS).
Introduction
Process for Requesting and Approving Compensating Controls
Requesting Blanket Compensating Controls or Exceptions
Circulation of Approved Controls
Internal Request Process Example
University Computer Security Standards Compensating Control FAQ Web Page
University Computer Security Standards Exception FAQ Web Page
Form for Requesting a Compensating Control
Form for Requesting an Exception
List of Blanket UCSS Compensating Controls and Exceptions by Device
List of Approved UCSS Compensating Controls and Exceptions by Device
Introduction
In some cases it may not be possible to bring a device into compliance with one or more elements of the Minimum Computer Security Standard. In such cases operating units and their information technology staff must adopt one or more appropriate compensating controls: alternative approaches that mitigate the risk or risks that the MCSS element is designed to address.
In rare cases an exception may be made if a device cannot be brought into compliance with one or more of the MCSS elements and the element(s) cannot be addressed via a compensating control or controls.
Process for Requesting and Approving Compensating Controls
Units must request compensating controls using the attached compensating controls web form. All compensating controls must be reviewed and approved by the CIO Security Group. The operating unit must retain the approved compensating control documentation for audit so long as the device is in operation. The CIO Security group may at any time audit devices for which compensation controls have been approved to assure their continuing compliance with the compensating control.
Exceptions must also be documented using the attached exceptions web form, and must be reviewed and approved by the CIO Security group. The operating unit must retain the approved exception documentation for audit so long as the device is in operation. The CIO Security group may at any time audit devices for which exceptions have been approved to assure that an exception is still merited.
Requests for Blanket Compensating Controls or Exemptions
When a number of devices would require the same compensating controls or exceptions, a single CC&E request may be filed for the entire class of such devices. Such a blanket request can be filed for entire units, or may be filed for sub-units (e.g. individual labs) if the cause of the request is localized.
There may be instances in which the blanket would be applicable on a university-wide basis. In these cases, a request should be sent to the CIO Security Group asking to discuss the possibility of a universal blanket control or exemption at an open forum such as SECWOG.
The university has established some blanket guidance on some device classes including firewalls, switches and printers. Units are encouraged to read these blanket descriptions and apply them accordingly to devices in their environment to which they apply.
These blanket directives can be found here.
Circulation of Approved Controls
When compensating controls or exceptions are approved, they will be posted on the CIO Security group’s section of the BuckeyeSecure website so that other units can benefit from them. Redactions to remove unit identifying information or restricted information can be requested; requests not to post a unit’s information are discouraged.
The list of currently approved compensating controls and exceptions can be found on this web page.
Internal Request Process Example
[Please note – this fictional example is for illustrative purposes only. The exact process that a unit chooses to follow is strictly up to the unit.]
All compensating control requests originating in this Department must go through the following departmental review process before being submitted to the CIO Security group:
1. The proposed compensating control request must be reviewed by the IT staff member who has been designated by the department chair to review such requests.
2. If the IT staff member concurs in the request, he or she will submit it to the department chair.
3. If the department chair supports the request, she will instruct the appropriate IT staff member to
4. If the CIO Security group approves the request, the appropriate IT staff member will add the approval documentation to the other documentation of this request.
Submit a Compensating Control request
Please use the form below to request consideration of a compensating control. Be sure to include as much data as possible to assist in the decision-making process, including contact information, the standard under which you are requesting the control, and all device- or network-specific data. We will respond to your inquiry as soon as possible.
