Access

Account Management Standard

Account Management Standard

The Account Management Standard provides requirements around creating and maintaining user and special accounts. The primary audience for the standard is account administrators. However, there are reporting requirements pertaining to personnel and roles and responsibility changes for managers as well.

Documented Standard

Current Account Management Standard (comply by 1/23/15)

Who does the standard apply to?

  • IT personnel who support account creation and maintenance for RIT information resources.
  • Managers reporting changes in access privileges/job changes of employees.

Key Concepts

  • Requires appropriate controls to ensure that users prove their identity and only have access to the resources to which they are authorized.
  • Provides requirements for managing and maintaining accounts accessing RIT information resources.
  • Provides requirements for special account types.

Resources

Updated 12/5/14

Information Access & Protection Standard

Information Access & Protection Standard

The Information Access & Protection (IAP) Standard provides requirements for the proper handling of information at RIT.

Information Classifications

The standard classifies information into four categories: Private, Confidential, Internal, and Public.

Private information

Private information is information that is confidential and which could be used for identity theft. Private information also has additional requirements associated with its protection (e.g., state and federal mandates). Examples include:

  • Social Security Numbers (SSNs) or other national identification numbers
  • Driver’s license numbers
  • Financial account information (bank account numbers, checks, credit or debit card numbers), etc.

Confidential information

Confidential information is information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Examples include:

  • Educational records governed by FERPA that are not defined as directory information (see RIT Educational Records Policy D15.0)
  • Employee and student health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
  • Faculty research or writing before publication or during the intellectual property period (see RIT Intellectual Property Policy 3.0)

Internal information

Internal information is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of Institute business. Examples include online building floor plans, specific library collections, etc.

Public information

Public information may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.

Who do the requirements apply to?

This Standard applies to everyone who accesses RIT Information Resources, whether affiliated with RIT or not, from on campus or from remote locations, including but not limited to: students, faculty, staff, contractors, consultants, temporary employees, alumni, guests, and volunteers.

What are RIT Information Resources?

RIT Information Resources include but are not limited to:

  • RIT-owned or leased transmission lines, networks, wireless networks, servers, exchanges, Internet connections, terminals, applications, and computers
  • Information owned by RIT or used by RIT under license or contract, in any form, including but not limited to:
    • Electronic media
    • Portable media
    • Electronic hardware
    • Software
    • Network communications devices
    • Paper
  • Personal computers, servers, wireless networks, mobile devices, and other devices not owned by RIT but intentionally connected to RIT Information Resources.

What do I have to do?

Everyone who accesses RIT Information Resources should know and understand the four classes of information at RIT and appropriate handling practices for each class. Specific roles and responsibilities are detailed in the Information Access and Protection Standard.

Information Access & Protection Standard

 

Desktop and Portable Computer Security Standard

Desktop and Portable Computer Standard

To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.

Desktop and Portable Computer Standard

What does it apply to?

  • All RIT-owned or leased computers.
  • Any computer (physical or virtual) connecting to the RIT network through a physical, wireless, dial-up, or VPN connection.

The standard is not required for:

The following devices should employ these controls to the extent possible commensurate with the risk of the information that is accessed or stored on them.  

  • Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
  • Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.
     

Storage of Private information is prohibited on these devices. 

What do I need to do?

 

Subscribe to RSS - Access