Security Standard: Solutions Life Cycle Management

Scope

The standard applies to new IT services (including third-party-hosted, RIT-hosted, and software-as-a-service solutions) that meet one or more of the following criteria:

  • host or provide access to Private or Confidential information
  • support a Critical Business Process

Requirements

The following security controls are required to be implemented.

1. Engagement

1.1. Contact the Information Security Office prior to investigating, evaluating, selecting, or developing a new solution.

2. Planning and Preliminary Risk Assessment

2.1. The Information Security Office will determine the applicable security requirements and provide a preliminary risk assessment.

3. Business Contract Phase

3.1. Any proposed contract will be reviewed and revised in accordance with Procurement Services procedures (http://finweb.rit.edu/purchasing/) under the direction of RIT Procurement Services.

4. Development

4.1. The solution owner will inform the Information Security Office of any changes to the security requirements during development.

4.2. Solution development, testing, and production should be performed in separate environments.

4.3. Test data should not include Private or Confidential information unless the security controls in the test and development environments are the same as those in production.

4.4. The solution owner should identify solution administrators.

5. Security Review

5.1. The Information Security Office or its authorized representative will conduct a Security Review.

5.2. The Information Security Office will perform an appropriate vulnerability assessment and penetration test before solution implementation.

6. Maintenance

6.1. The solution owner is responsible for ensuring that the security impact of any change is evaluated, and for notifying the Information Security Office if there is a potential increase in risk.

7. Solutions Retirement/Disposal

7.1. The solution owner will ensure that the solution is evaluated at an appropriate interval and retired if appropriate.

7.2. The solution administrator should ensure that Information is retained in accordance with the Records Management Policy, including provision for future technology changes that may render the retrieval method obsolete.

7.3. The solution administrator should ensure that Information is disposed of as required by the Information Access and Protection Standard.

Effective Date: January 23, 2015

Standard History: November 11, 2013

Computer Incident Handling Standard

RIT has created a process for handling computer incidents to ensure that each incident is appropriately resolved and further preventative measures are implemented.

Who does the standard apply to?

  • The standard primarily applies to administrators of RIT-owned or leased computing devices.
  • The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.

What is an incident?

Incidents include the following types of events:

  • Physical loss of a computing device (including storage devices)
  • Detection of unauthorized users accessing a computing device
  • Discovery of malware on a computing device
  • Discovery of critical vulnerabilities or improper configuration that could result in a breach of information

What do I have to do?

Group: Everyone
Action needed: If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.

Group: Self-supported users
Action needed:
  • If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
  • If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.

Group: Users supported by Systems Administrators
Action needed:
  • Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high-risk threats, they will engage the Computer Incident Handling process.
  • Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.

Group: System Administrators

Vulnerability Management Program at RIT

In order to reduce information security risks, the RIT Information Security Office (ISO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. In addition, the ISO may scan as needed for vulnerabilities that are under attack.

What is RIT scanning for?

The vulnerability assessments will include scans of communication services, operating systems, and applications to identify high-risk system weaknesses that could be exploited by intruders. Exploitation of these weaknesses has the potential to compromise the confidentiality, integrity or availability of RIT information resources.

Which computers may be scanned?

All computers connected to the Institute campus network, including but not limited to those located in the residence halls, as well as remote computers accessing the RIT network through VPN, may be scanned. The Network Security Standard requires that any system connecting to the network be scanned regularly to identify hosts that are vulnerable to remotely exploitable attacks.

What information is obtained and how will it be treated?

Vulnerability scanning will provide an inventory of vulnerabilities and their criticality. This information will be treated as RIT Confidential. The scans will not search the content of personal electronic files on the scanned computers. In addition, the scans should not cause network outages, although systems administrators may see entries for the scans in their system logs.

How will critical vulnerabilities be handled?

If critical vulnerabilities are identified, the ISO will work collaboratively with the responsible systems administrator or team to address the vulnerabilities. If the critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan to address them, the ISO will initiate a conversation between the systems administration team and the information steward of that organization. The ISO intends to work collaboratively with systems administration teams and their information stewards to improve the security posture of their organization.
