Policy Number: C8.1
Policy Name: INFORMATION SECURITY POLICY
The information assets of Rochester Institute of Technology (“RIT”) must be available to the RIT community, protected commensurate with their value, and must be administered in conformance with federal and state law. Reasonable measures shall be taken to protect these assets against accidental or unauthorized access, disclosure, modification or destruction, as well as to reasonably assure the confidentiality, integrity, availability, and authenticity of information. Reasonable measures shall also be taken to reasonably assure availability, integrity, and utility of information systems and the supporting infrastructure, in order to protect the productivity of members of the RIT community, in pursuit of the RIT mission.
Information Safeguards: Administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information.
Information systems and supporting infrastructure: Information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information.
Lifecycle Protection: Information systems and supporting infrastructure have a lifecycle that begins with evaluation and selection, and advances through planning, development/acquisition, and operations through to disposal or retirement. Information safeguards are needed at all phases of the lifecycle.
Controls depend on the system, its capabilities, and expected usage, as well as anticipated threats against the information.
Preventive controls include use of encryption, information integrity measures, security configuration, media reuse, use of antivirus, and physical protection.
Detective controls include network and information access monitoring, intrusion detection (host-based or network-based), and manual or automated review of security logs.
Corrective controls range from recovery plans for handling isolated information safeguard failure incidents to business continuity plans.
Therefore, RIT will take reasonable steps to:
Responsible Office: Global Risk Management
Effective Date: Approved May 17, 2006
Edited August 2010