C8.1
RIT INFORMATION SECURITY POLICY
The information assets of Rochester Institute of Technology (“RIT”) must be
available to the RIT community, protected commensurate with their value, and
must be administered in conformance with federal and state law. Reasonable measures
shall be taken to protect these assets against accidental or unauthorized access,
disclosure, modification or destruction, as well as to reasonably assure the
confidentiality, integrity, availability, and authenticity of information. Reasonable
measures shall also be taken to reasonably assure availability, integrity, and
utility of information systems and the supporting infrastructure, in order to
protect the productivity of members of the RIT community, in pursuit of the
RIT mission.
Definitions:
Information Safeguards: Administrative, technical, and physical
controls that support the confidentiality, integrity, availability, and authenticity
of information.
Information systems and supporting infrastructure: Information
in its analog and digital forms and the software, network, computers, tokens,
and storage devices that support the use of information.
Lifecycle Protection: Information systems and supporting infrastructure
have a lifecycle that begins with evaluation and selection, and advances through
planning, development/acquisition, and operations through to disposal or retirement.
Information safeguards are needed at all phases of the lifecycle.
Controls depend on the system, its capabilities, and expected usage, as well
as anticipated threats against the information.
Preventive controls include use of encryption, information
integrity measures, security configuration, media reuse, use of antivirus, and
physical protection.
Detective controls include network and information access monitoring,
intrusion detection (host-based or network-based), and manual or automated review
of security logs.
Corrective controls range from recovery plans for handling isolated
information safeguard failure incidents to business continuity plans.
Therefore, RIT will take reasonable steps to:
Designate one or more individuals to identify and assess the risks to non-public
or business-critical information within the Institute and establish an Institute-wide
information security plan.
Develop, publish, maintain, and enforce standards for lifecycle protection
of RIT information systems and supporting infrastructure in the areas of networking,
computing, storage, human or device/application authentication, human or device/application
access control, incident response, applications or information portals, electronic
messaging, and encryption.
Develop, publish, maintain, and enforce standards for RIT workforce security
related to the responsible use of information.
Provide training to authorized Institute users in the responsible use of information,
applications, information systems, networks, and computing devices.
Develop, publish, maintain, and enforce standards to guide RIT business associates
and outsource partners in meeting RIT’s standards of lifecycle protection when
handling RIT information or supporting RIT information systems and supporting
infrastructure.
Encourage the exchange of information security knowledge, including threats,
risks, countermeasures, controls, and best practices both within and outside
the Institute.
Periodically evaluate the effectiveness of information security controls in
technology and process.
Approved May 17, 2006