Plain English Guide to the Information Security Policy

RIT has issued an Information Security Policy. The Policy provides the strategic direction needed to implement appropriate information safeguards for RIT information and the Institute network. This Plain English Guide provides explanation and illustration of the Policy and is provided as an aid to help you understand and implement the requirements of the Policy. The Policy itself is authoritative. The policy is effective immediately.

Why did RIT issue the policy?

The Policy authorizes RIT to take reasonable measures to protect RIT information and computing assets in an age that is both reliant on electronic media and characterized by increasing Internet-borne threats. These measures apply to RIT information and the technology infrastructure.

In recent years, state and federal legislation has mandated specific protections for different types of information, including educational records (FERPA), financial customer information (Gramm-Leach-Bliley Act), health information (HIPAA), and private information (NYS Information Security Breach and Notification Act).

Why is the information lifecycle important?

The information lifecycle concept and its associated stages (creation, storage, transfer, and destruction) provide a useful framework for information handling. For example, during the creation stage, the creator of the information determines who should have access to the information and how that access is to be granted. During the destruction stage, "out-of-date" information, or information used only occasionally, may be left without appropriate protection and so be at greater risk.

What are the roles of Safeguards and Controls?

Most of the legislation above requires affected organizations to explain how they know people don’t have unauthorized access to information. Controls provide the best way of ensuring information protection. Controls can be process based (administrative controls), or technology based (technical controls). Controls focus on one or more of the following: problem prevention, problem detection, or problem correction.

How has RIT implemented this policy?

RIT has implemented the Information Security Policy by conducting risk assessments, issuing and enforcing standards, raising awareness of threats, recognizing best practices, and maintaining relationships with a number of security-focused external entities for benchmarking and sharing of resources.

More specifically,

  • RIT has designated specific individuals, including the RIT Information Security Officer, to identify and assess the risks to non-public or business-critical information within the Institute and establish an Institute-wide information security plan.
  • The RIT Information Security Office creates and maintains standards to protect RIT information systems and its supporting infrastructure, ensure workforce information security, and guide RIT business associates and outsource partners. The creation of these standards is mandated by policy and is in response to the risks that the Institute faces. They are Institute-wide standards, created with representation from across RIT. See our Policies and Standards page for the list of current standards and information about how standards are developed.
  • The RIT Information Security Office provides awareness and training workshops, including its Digital Self Defense classes to help RIT users in the responsible use of information, applications, information systems, networks, and computing devices.
  • The RIT Information Security Office encourages the exchange of information security knowledge through ongoing engagements with security-focused groups, such as Educause, the New York State Cyber-Security Critical Infrastructure Coordination group, InfraGard, and others.
  • RIT periodically evaluates the effectiveness of information security controls in technology and process through risk assessments.

To whom does the policy apply?

The policy applies to the entire RIT community, including RIT employees, student employees, volunteers, and external business associates. Standards articulate how you follow the policy. Each standard has a different scope and may apply to different parts of or activities engaged in by the RIT population.

What do I have to do?

You need to follow all Information Security Policy requirements as articulated in the standards. See our Policies and Standards page for a current list of standards.

Where do I go for more information?

Read the policy and its associated standards. Contact the RIT Information Security Office at infosec@rit.edu if you have more questions.

Network Security Standard

The Network Security Standard provides measures to prevent, detect, and correct network compromises. The standard is based on both new practices and best practices currently in use at RIT.

Please consult the checklist or the standard below for a complete list of requirements.

Who does it apply to?

All systems or network administrators managing devices that:

  • Connect to the centrally-managed Institute network infrastructure
  • Process Private or Confidential Information

Currently, personal network devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. However, the use of wireless routers is prohibited in residential areas on campus. The use of wired routers is still acceptable. Read and comply with the requirements in the Resnet guide to Using a Router on the RIT Network prior to using them.

See our Wireless Networking page for information on how to access wireless networks at RIT and how to set up and use a wireless network at home.

What do I need to do?

Use the Network Security Checklist to set up your networking device.

Network Security Standard

Network administrators should consult the Technical Resources pages for detailed information, including preferred and prohibited protocols, trespassing banners, etc.

Digital Self Defense Training

The Information Security Office provides Digital Self Defense training courses scheduled through the Center for Professional Development or by request. The program is divided into three courses: Introduction, Desktop Security Tools, and Information Handling. See below for more information about specific courses.

DSD 101 Introduction to Digital Self Defense

In this day of rapidly increasing Internet threats you need a leg up, a way to protect yourself and your loved ones (and your computer) against all of those people on the Internet who are out to get you.

We feel your pain and we've got the answer!

We're currently reworking the Intro to Digital Self Defense course and will announce the new course availability in fall 2013.

DSD 102 Desktop Security Tools

DSD 102 is currently not available.

DSD 103 Information Handling

RIT employees handle or are exposed to Private and Confidential information every week. It is important to use appropriate and secure information handling practices to protect these types of information. Inadvertent loss or disclosure of Private information may result in a Notification event under the NYS Information Security Breach and Notification Act.

Course Objectives

Attendees of the Digital Self Defense (DSD) 103 – Information Handling course will learn new and improve existing information handling skills. Specifically, the course explains the different classes of information at RIT, how these types of information should be treated, and the correct means of storage, transfer, and destruction to be used. Completion of the course should provide the user with the necessary knowledge to be in compliance with the Information Access & Protection (IAP) Standard.

DSD 103 Online Course

DSD 103 Information Handling is now available as a self-paced online class through the RIT E-Learning Zone.

  1. Access the DSD 103 Information Handling web-based training on the RIT E-Learning Zone.
  2. Log in with your RIT credentials.
  3. Open the course.
  4. Click the blue triangle to launch the course. (You may want to perform a Browser Check to ensure your computer is configured correctly.)
  5. Take the course and complete the post-course assessment.
