Policy Number: C8.1


Policy Name: INFORMATION SECURITY POLICY


 

The information assets of Rochester Institute of Technology (“RIT”) must be available to the RIT community, protected commensurate with their value, and must be administered in conformance with federal and state law. Reasonable measures shall be taken to protect these assets against accidental or unauthorized access, disclosure, modification or destruction, as well as to reasonably assure the confidentiality, integrity, availability, authenticity of information. Reasonable measures shall also be taken to reasonably assure availability, integrity, and utility of information systems and the supporting infrastructure, in order to protect the productivity of members of the RIT community, in pursuit of the RIT mission.


Definitions:


Information Safeguards: Administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information.


Information systems and supporting infrastructure: Information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information.


Lifecycle Protection: Information systems and supporting infrastructure have a lifecycle that begins with evaluation and selection, and advances through planning, development/ acquisition, and operations through to disposal or retirement. Information safeguards are needed at all phases of the lifecycle.


Controls depend on the system, its capabilities, and expected usage, as well as anticipated threats against the information.


Preventive controls include use of encryption, information integrity measures, security configuration, media reuse, use of antivirus, and physical protection.


Detective controls include network and information access monitoring, and intrusion detection (host based or network based), manual or automated review of security logs.


Corrective controls include recovery plans for handling isolated information safeguard failure incidents to business continuity plans.

 

Therefore, RIT will take reasonable steps to:

  1. Designate one or more individuals to identify and assess the risks to non-public or business-critical information within the university and establish an university-wide information security plan.

  2. Develop, publish, maintain, and enforce standards for lifecycle protection of RIT information systems and supporting infrastructure in the areas of networking, computing, storage, human or device/application authentication, human or device/application access control, incident response, applications or information portals, electronic messaging, and encryption.

  3. Develop, publish, maintain, and enforce standards for RIT workforce security related to the responsible use of information.

  4. Provide training to authorized university users in the responsible use of information, applications, information systems, networks, and computing devices.

  5. Develop, publish, maintain and enforce standards to guide RIT business associates and outsource partners in meeting RIT’s standards of lifecycle protection when handling RIT information or supporting RIT information systems and supporting infrastructure.

  6. Encourage the exchange of information security knowledge, including threats, risks, countermeasures, controls, and best practices both within and outside the university.

  7. Periodically evaluate the effectiveness of information security controls in technology and process.

 

Responsible Office: Global Risk Management

 

Effective Date: Approved May 17, 2006

 

Policy History:
Edited August 2010