Organizing, Measuring, and Managing Information Risk at The Ohio State University

In 2013, the Enterprise Security team at OSU found itself in an unenviable position: its security program was narrowly focused on IT risk, not information risk; the program was not consistently implemented; and there were no metrics that documented how well information risk was being managed. In response, the team launched an ambitious new program to organize, measure, and manage information risk both for individual units and for the university as a whole. This session will discuss Ohio State's process for developing and implementing a successful, prioritized, flexible, and metrics-driven risk management program in a university environment.

OUTCOMES: Learn how to structure and organize information risk * Learn how to create an information risk survey for performing light-weight risk assessments * Learn how to create 3-year risk management strategies