Information

Security Education, Training, & Awareness

Information security is a complex and constantly changing field that individuals at every level of the organization need to keep pace with in order to keep RIT information resources secure. RIT offers the following education, training, and awareness programs to help everyone, from end users to system administrators, keep current with information security trends.

Academic Education

  • The GCCIS NSSA department provides a variety of information security courses at the graduate and undergraduate level.

Training

  • Orientation sessions: The ISO provides introductory information security training and materials at new student and new employee orientations. Check out the 2010 Fall New Student Orientation presentation delivered by E. Philip Saunders College of Business faculty member Neil Hair.
    Neil Hair presentation
  • Digital Self Defense training: Training specifically designed to help end users be secure. Visit the E-Learning Zone to view the current course schedule or take online training.
  • Custom training: The ISO will customize training for a particular need. Please contact Ben Woelk at fbwis@rit.edu.

Awareness

  • Unfamiliar with information security? Our award-winning interactive website will help you learn the basics. You can also find links to videos and articles covering information security there.
  • The Information Security Office conducts a number of awareness campaigns throughout the year.
  • We communicate regularly through the RIT Message Center with Alerts and Advisories to make the RIT community aware of current threats and vulnerabilities.

Information Security Awareness Resources

  • Visit our Posters and Videos page for a selection of our current posters and to view student-produced videos from EDUCAUSE.
  • Visit the pages in our Keeping Safe section to learn how you can use the Internet safely and avoid online dangers such as phishing and identity theft.
  • Contact us at infosec@rit.edu for copies of our printed materials, including posters and brochures.

Threat Management

In order to reduce information security risks, the RIT Information Security Office (ISO) actively works to identify threat agents that are seeking to exploit vulnerabilities in the environment. This consists of scanning network traffic for threats. For more information, please contact the Information Security Officer.
Current Internet Threats

Vulnerability Management Program at RIT

In order to reduce information security risks, the RIT Information Security Office (ISO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. In addition, the ISO may scan as needed for vulnerabilities that are under attack.

What is RIT scanning for?

The vulnerability assessments include scans of communication services, operating systems, and applications to identify high-risk system weaknesses that could be exploited by intruders. Exploitation of these weaknesses could compromise the confidentiality, integrity, or availability of RIT information resources.

Which computers may be scanned?

All computers connected to the Institute campus network may be scanned, including but not limited to those located in the residence halls and remote computers accessing the RIT network through VPN. The Network Security Standard requires that any system connecting to the network be scanned regularly to identify hosts that are vulnerable to remotely exploitable attacks.

What information is obtained and how will it be treated?

Vulnerability scanning provides an inventory of vulnerabilities and their criticality. This information is treated as RIT Confidential. The scans do not search the content of personal electronic files on the scanned computers. The scans should not cause network outages, although systems administrators may see entries generated by the scans in their system logs.

How will critical vulnerabilities be handled?

If critical vulnerabilities are identified, the ISO will work collaboratively with the responsible systems administrator or team to address the vulnerabilities. If the critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan to address them, the ISO will initiate a conversation between the systems administration team and the information steward of that organization. The ISO intends to work collaboratively with systems administration teams and their information stewards to improve the security posture of their organization.
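The handling rule above (work the finding with the responsible team, escalate to the information steward only when a critical finding persists across successive scans with no accepted plan) can be expressed as a small tracker over scan exports. The following is an added example and is not RIT's or the ISO's tooling; the scan rows, the check identifiers, the set of accepted remediation plans, and the three-scan escalation threshold are all constructed for the illustration.

```python
# Constructed scan exports, one list per successive scan, oldest first.
# Each row is (host, check_id, severity). Not real RIT scan data.
SCANS = [
    [("host-a", "check-101", "critical"), ("host-a", "check-205", "low"),
     ("host-b", "check-101", "critical"), ("host-d", "check-140", "critical")],
    [("host-a", "check-101", "critical"), ("host-b", "check-101", "critical"),
     ("host-b", "check-330", "medium"), ("host-d", "check-140", "critical")],
    [("host-a", "check-101", "critical"), ("host-c", "check-101", "critical"),
     ("host-d", "check-140", "critical")],
]

# Findings for which the responsible team has an accepted remediation plan
# (assumed input; in practice this would come from the ticketing system).
ACCEPTED_PLANS = {("host-d", "check-140")}

# Number of consecutive scans a critical may persist before escalation (assumed).
ESCALATE_AFTER = 3


def streaks(scans, severity="critical"):
    """Map (host, check_id) -> number of consecutive most-recent scans in which
    the finding appeared at the given severity. A finding absent from any scan
    resets to zero (it is dropped), so the count reflects unbroken persistence."""
    streak = {}
    for scan in scans:
        present = {(host, check) for host, check, sev in scan if sev == severity}
        # Rebuild from the current scan only: anything not present is forgotten.
        streak = {key: streak.get(key, 0) + 1 for key in present}
    return streak


def triage(scans, accepted, threshold):
    """Classify critical findings after the latest scan:
    new        - first seen in the latest scan
    remediated - present in the previous scan, absent from the latest
    escalate   - persisted for `threshold` or more scans with no accepted plan
    tracked    - persisting, but below the threshold or covered by a plan"""
    latest = streaks(scans)
    previous = streaks(scans[:-1]) if len(scans) > 1 else {}
    report = {"new": [], "remediated": [], "escalate": [], "tracked": []}
    for key in sorted(set(previous) - set(latest)):
        report["remediated"].append(key)
    for key, count in sorted(latest.items()):
        if count == 1:
            report["new"].append(key)
        elif count >= threshold and key not in accepted:
            report["escalate"].append(key)
        else:
            report["tracked"].append(key)
    return report


if __name__ == "__main__":
    for bucket, findings in triage(SCANS, ACCEPTED_PLANS, ESCALATE_AFTER).items():
        print(f"{bucket:10s} {findings}")
```

Only criticals are tracked because that is the page's stated escalation trigger; lowering the severity filter or the threshold is a one-line change. Keying on (host, check) rather than on host alone matters: a host that fixes one critical and acquires another should not inherit the old finding's streak.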

Private Information Management Initiative (PIMI) Overview

The Private Information Management Initiative seeks to identify and reduce the amount of Private Information found on RIT computers and storage devices. Private information is information that is typically used to conduct identity theft and may include Social Security Numbers (SSNs), credit card numbers, driver’s license numbers, bank account information, etc.

Reducing the amount of Private Information (PI) will help safeguard the RIT community against identity theft and will help RIT comply with relevant state and federal laws. 

Goals

  1. Increase awareness of the importance of safeguarding all private information, not just SSNs
  2. Increase awareness of the existing RIT policies that address private information
  3. Increase sense of individual accountability and responsibility in the area of policy compliance surrounding private information and a related understanding of the consequences for noncompliance
  4. Effective destruction of non-approved and unnecessarily retained private information (paper and electronic forms) from business units and employee offices
  5. Integration of the Records Management Policy into everyday employee activities

Representation

The RIT Information Security Office is leading this initiative with the assistance of project team representatives from each college and division. The representatives include:

  • An Information Steward/Management Representative who will receive reports detailing the location of Private information and will lead remediation efforts of Private information found in electronic and paper forms.
  • A Technical Representative who will assist in inventorying computers assigned to the respective college or division and will assist the Information Steward/Management Representative in remediation efforts.
  • Current list of representatives

What to Expect

The RIT Information Security Office is working with various RIT organizations to identify the location of SSNs and other Private Information by providing a software tool (Identity Finder) that scans computers and attached drives to determine whether they contain Private Information. When Identity Finder finds suspected Private Information, it provides a report to the computer user and to the RIT Information Security Office. The software also gives the computer user tools to erase (shred) the file securely or to remove (scrub) the Private Information from the file while keeping the rest of its contents.

Scans are initiated by the Identity Finder server in the Information Security Office. Computer users may also initiate an on-demand scan at their convenience. Identity Finder is licensed for use on RIT-owned computers and is currently available for Windows and Mac.

For More Information

For more information, contact your PIMI representative.

Ben Woelk
PIMI Project Manager
585.475.4122
ben.woelk@rit.edu


Information Security at RIT

Risk Management Framework

RIT has applied a risk management approach to information security. In order to manage information security risks, RIT attempts to:

  • Assess risks, to identify and prioritize the greatest information security risks
  • Prevent losses, through policies, standards and guidelines, technical controls, and education, training and awareness
  • Control losses: in the event of a loss, minimize it through incident response, business continuity, and disaster recovery; when it is unclear whether a loss has occurred, conduct a forensic investigation
  • Finance losses: in the event of a loss, protect the RIT community from harm through risk management and insurance practices
  • Evaluate information security regularly, through information security reviews and audits

Step 1: Risk Assessment

Information security risk is created by the confluence of three major drivers: assets, vulnerabilities, and threats. A risk exists only where all three meet: an asset worth protecting, a vulnerability in how it is stored or accessed, and a threat agent able to exploit that vulnerability. In order to understand information security risk, it is necessary to understand the current and future state of each of these elements. In order to minimize risk, it is necessary to manage assets, vulnerabilities, and threats through formalized programs.

Step 2: Loss Prevention

Loss Prevention is accomplished through:

  • Policies, standards, and guidelines
  • Technical controls
  • Education, training, and awareness

Step 3: Loss Control

Loss Control is accomplished through initiatives in the following areas:

  • Incident response
  • Business continuity
  • Disaster recovery
  • Forensic investigation, when it is unclear whether a loss has occurred

Step 4: Loss Financing

Loss Financing transfers risk to third parties, or retains it deliberately, through:

  • Contracts
  • Insurance
  • Self-Insurance

Step 5: Evaluation

Evaluation is provided through:

  • An exception process to manage Residual Risk
  • Metrics and reporting
  • Audit support

Structure and Resources

Distributed roles and responsibilities

  • Extended Team
  • PIMI Business and Technical Reps
  • System and application administrators
  • End users

Co-op Program

  • 2 engineering co-ops plus part time
  • 1 communications co-op

For more information, contact us at infosec@rit.edu

