Office of Information Security

The Office of Information Security is your contact for questions about OSU's Information Security Policies and Procedures. Our mission is to raise OSU's standards and practices for secure computing.

To do this, the OIS coordinates with academic and administrative units to develop policy, benchmark and assess our level of risk, and educate and inform our community on best practices.

Security Policy

OSU's IT security policy is currently undergoing a scheduled review process. The policy is published to oregonstate.edu/fa/manuals/is and recent updates to the policy include:

Our Third Party Service Guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

Security Awareness

  • OSU Computer Helpdocs provides general information on protecting your computer from malware and malicious intrusions.
  • Be Aware is a student-focused site which presents effective ways to respond to security threats.

Reporting Security Issues

If you are the victim of a security-related issue such as a phishing scam or spam attack:

Security Awareness Training

The Office of Information Security provides security training for departments on campus that deal with Protected and Sensitive Information, including Personally Identifiable Information (PII). To learn more about this training, please contact Dave Nevin, Chief Information Security Officer.

Resources for IT Professionals

The Office of Information Security is here to assist you in your efforts to keep your network resources protected. We offer Risk Assessment and Forensics services as well as vulnerability scanning. To learn more about the resources available for IT Professionals, please contact Rich Giesege, Senior Security Analyst.

Contact the Office of Information Security

If you are the victim of a security-related issue such as a phishing scam or spam attack, students should contact the OSU Computer Helpdesk and employees should contact their IT support staff.

Third Party Service Guide

There are a variety of distributed computing offerings on the Internet that offer good value and ease of use for those without the available resources and staffing to run their own systems. Commonly referred to as "cloud" computing, services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and off-site storage and backup services have become an important part of the Internet. Other service offerings marketed for widespread use by individuals, such as Dropbox, Cloud Drive, and iCloud, offer similar abilities.

OSU doesn't discourage the use of these tools, but it has established policy to assist in compliance with the many laws and regulations we face. This guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

How To Use This Guide

  1. First, become familiar with OSU's Information Systems - Data Classification and Stewardship Policy and with the specific data elements for Protected and Sensitive Information listed in Appendix A.
  2. Next, determine whether the information you wish to use on a Third Party Service is included in Appendix A.
    • If the information you wish to use on a Third Party Service is not included in Appendix A, and there are no contractual obligations preventing you from storing it outside of OSU-maintained systems, that information is classified as Unrestricted; there are no restrictions on storing it in any third-party service. We would encourage you to use caution when selecting a third-party service provider, and to avoid those without an established reputation for good, secure service.
    • If the information does include any of the data elements listed in Appendix A, please contact the Office of Information Security to see if a review of the service is required. In most cases, the completion of a Security Questionnaire by the vendor will be required as part of this review.

Note that data elements listed as Protected in Appendix A have the highest restrictions. Third Party Services should be avoided for these data elements if at all possible. Please contact the Office of Information Security for assistance.