Password

Securing Your Computer

This section provides information about all the software and instructions necessary to comply with the Desktop and Portable Computer Standard. The software on this page is intended for use by students, faculty, and staff at RIT. Inexperienced or non-technical users may want to check out our Digital Self Defense 101 Workshop, which explains the dangers of the Internet and RIT security requirements in greater detail.

Note: You do not have to use the specific software listed on this page. However, you should meet the requirements of the Desktop and Portable Computer Standard for your computer.

Anti-Virus

RIT has licensed McAfee VirusScan software (available on the ITS Security & Virus Protection website) for use by students, faculty, and staff on personally-owned computers. RIT-owned Windows computers will receive McAfee HIPS (Host Intrusion Prevention Software).

It is not necessary to use this particular anti-virus product; if you prefer, you may use any of the following products instead.

Product                  License                      Company
ClamAV (Linux)           Free for personal use        Open Source
ClamXAV2 (Mac)           Free for personal use        Open Source
Norton Anti-Virus        One year paid subscription   Symantec
Trend Micro Anti-Virus   One year paid subscription   Trend Micro
avast! Anti-Virus        Free for personal use        ALWIL Software
AVG Anti-Virus           Free for personal use        Grisoft

Anti-Spyware

This should already be built into current anti-virus software. A separate program is not needed.

Firewalls

Windows 7, Vista, XP, and Mac OS X all come with built-in firewalls; Resnet provides instructions on how to configure them. If you do not want to use the built-in firewall, RIT recommends the basic free ZoneAlarm firewall for Windows users. Other firewall options may be provided by your Internet Service Provider.

Patching/Updating

Regardless of what operating system you run, it should be up-to-date on all security patches; the easiest way to do this is to turn on the automatic update feature. Learn how to enable automatic updates for Windows and keep your Mac up-to-date automatically.

Users of other operating systems such as Linux, Unix, etc., are also required to keep their operating systems up-to-date on security patches.

Software applications should also be kept up-to-date. This can usually be done from within the program itself or through the vendor's website, and some programs have an automatic update feature. Use the links below to find updates for Microsoft, Apple, and Adobe software.

ISO-Approved Private Information Management Software

  • Identity Finder (Windows, Mac)
  • Cornell Spider (Linux only)

Security Standard: Account Management

Scope

This standard applies to all RIT Information and Information Resources.

Requirements for All Accounts

The following security controls are required to be implemented on all accounts:

1.      Account Authentication

1.1.   End user account authentication should use the enterprise identity and access management service when the system or application processes Private, Confidential, or Critical Process information. 

1.2.   The use of the enterprise authentication service by an application should be authorized by the Authentication Service Provider and the security reviewed by the Information Security Office.

1.3.   Password Management

1.3.1.   Access to passwords and their hashes should be restricted; therefore, public terminals and kiosks should not cache user passwords/passphrases.

1.3.2.   All password changes should be logged, but the password itself should not be logged.

2.      Account Authorization

2.1.   Account authorization should use the enterprise identity and access management service or role-based account authorization native to the application when the system or application processes Private, Confidential, or Critical Process information.

2.2.   Data Owners should authorize:

2.2.1.   A process for approving and documenting authorization. Authorization granted to an account should be commensurate with the level of identity validation performed.

2.2.2.   The parties who may approve user access to roles

2.2.3.   Roles and their privileges following the security principles of Least Required Access and Segregation of Duties.

3.      Account Provisioning

3.1.   Account Establishment: Each account should be for the individual use of a specific person with an academic or business need for this access.

3.1.1.   Employees who have multiple roles with the University should have role-based access provided such that when one of the roles is changed, the access for that role can be changed without impacting the other role. In the event this cannot be achieved technically, then separate accounts are required to fulfill the requirements of each role. 

3.1.2.   Student employees should have separate accounts from their student accounts. The student accounts may not have student employee-related access. 

3.1.3.   Physical access granted by student IDs should have a termination date pre-populated at the time of hire.

3.2.   Account Duration: Accounts are valid when the individual account holder has authorized access to the account or until the account is suspended by the University.

3.3.   Authorized Administrators should:

3.3.1.   Review approvals and provision account/access

3.3.2.   Track authorizations, including:

  • Date of authorization
  • Identification of individual approving access
  • Identification of the role assigned (where applicable) or description of the access privileges granted. The access privileges granted should only be used to fulfill assigned job duties.
  • These authorizations should be retained in accordance with the Records Management Policy (C22.0).

4.      Account Management and Maintenance

4.1.   Access Review:

4.1.1.   Managers are responsible for reviewing account and access privileges with the employee upon notification of job changes (e.g., termination, job changes). 

4.1.2.   Data owners of Private information identified by the ISO should review all accounts and access privileges at least annually to ensure that they are commensurate with job function, need-to-know, and employment status.

4.2.   Account Change Communication: Managers are responsible for communicating to account administrators when an account or access privileges may require modification or deactivation.

4.3.   Account Modification: Upon notification, the account administrators will review account and access privileges with the data owner or designee. All changes to accounts and access privileges should be approved and formally documented.

4.4.   Account Deactivation: Upon notification, account administrators are responsible for the immediate deactivation of accounts and access privileges when continued access is no longer required (e.g., terminated). All deactivation of accounts and access privileges should be formally documented.

4.5.   Account Lockout /Reset

4.5.1.   Authentication systems should disable user accounts after a set number of failed logon attempts.

4.5.2.   Administrators should follow established procedures for re-enabling or resetting user accounts once they have been disabled or upon request by the user. They should verify user identity prior to re-enabling or resetting user accounts. These procedures should take into consideration the potential risk to determine if automated procedures and the lockout time duration are appropriate.

4.5.3.   Administrators may not use the University Identification Number as the sole verification for resetting passwords.
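As an added illustration, not part of the RIT standard or of any RIT system, the following Python sketch implements requirements 1.3.1, 1.3.2, 4.5.1, 4.5.2 and 4.5.3 in one small account store: only salted hashes are kept, password changes are logged without the password, the account is disabled after a set number of failed logons, and a reset requires identity verification beyond the University ID alone. The lockout threshold, the iteration count and the verification labels ("university_id", "photo_id") are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed values for this example; the standard only says "a set number" of attempts.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Keep only a salted PBKDF2 hash, never the password itself (1.3.1)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.audit: list = []  # who/what/when for every event; never a secret (1.3.2)

    def _log(self, event: str, user: str, **extra) -> None:
        assert "password" not in extra  # guard: no caller may pass a secret into the log
        self.audit.append({"event": event, "user": user, **extra})

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt), "failed": 0, "disabled": False}
        self._log("account_created", user)

    def authenticate(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct["disabled"]:
            self._log("login_rejected", user)  # unknown or disabled: same answer either way
            return False
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            self._log("login_ok", user)
            return True
        acct["failed"] += 1
        self._log("login_failed", user, attempt=acct["failed"])
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:  # 4.5.1: disable after N failures
            acct["disabled"] = True
            self._log("account_disabled", user)
        return False

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self.authenticate(user, old):
            return False
        salt = os.urandom(16)
        self.accounts[user].update(salt=salt, hash=_hash(new, salt))
        self._log("password_changed", user)  # 1.3.2: the change is logged, the password is not
        return True

    def admin_reset(self, admin: str, user: str, new: str, verified: set) -> bool:
        # 4.5.2/4.5.3: verify identity first, and the University ID alone does not count.
        acct = self.accounts.get(user)
        if acct is None or not (verified - {"university_id"}):
            self._log("reset_denied", user, admin=admin)
            return False
        salt = os.urandom(16)
        acct.update(salt=salt, hash=_hash(new, salt), failed=0, disabled=False)
        self._log("password_reset", user, admin=admin, verified=sorted(verified))
        return True
```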

Requirements for Special Accounts

The following security controls are required to be implemented on special accounts:

5.      Provisioning Administrator and Service Accounts: Requirements for issuing Administrator and Service Accounts are the same as other accounts with the following additions and changes:

5.1.   Account Establishment

5.1.1.   Ownership of an administrator account or group should be assigned to an individual. 

5.1.2.   Service accounts should be assigned to a system or application and are not for individual use.  

5.2.   Account Usage: Administrator and Service Accounts are specifically for system or application use only and should not be used for any purpose other than the administration or operation of the system or application. However, service accounts should be assigned to an account administrator.

5.3.   Group Access: Administrator and Service Accounts may be shared by a limited group of individuals for the purpose of operation and administration of the application or system, and only where required by the system or application. (In these cases, when possible, access to system accounts should be by methods that allow the individual to authenticate using a username and password.)

5.4.   Default Administrative or Service Accounts: Accounts that are part of the default setup of a system (including, but not limited to, configuration access, database accounts, etc.) should be removed, disabled, or changed (in that order) whenever possible.

5.5.   Service Accounts: Service accounts should be reassigned and passwords of the service accounts changed when the account administrator is no longer in that role.

6.      Sponsored Accounts: Requirements for sponsored accounts are the same as other accounts with the following additions and changes:

6.1.   All sponsored accounts (for those who do not receive an account based on their role at RIT) with access to RIT information resources should contain an expiration date of no more than one year or the work completion date, whichever occurs first. Only authorized RIT account holders can approve sponsored accounts.

6.2.   Upon termination of the Sponsor’s account, the Sponsored account should be transferred to another appropriate RIT account holder or be deactivated.

7.      Generic/Shared Accounts: Requirements for Generic/Shared Accounts are the same as other accounts with the following additions and changes:

7.1.   Each generic or shared account should have a designated owner who is responsible for the management of access to that account. The owner should log access to the generic or shared account.

7.2.   Shared Generic Accounts: Generic accounts may only be shared in those situations where a system (server), device (switches or routers) or application cannot support the use of individual accounts technically. 

Effective Date: January 23, 2015

Standard History: November 11, 2013

Requirements for Faculty/Staff

Security Standards

Standard: When does it apply?

Desktop and Portable Computer Standard: Always
Password Standard: Always
Information Access & Protection Standard: Always
Computer Incident Handling Standard: Always
Portable Media Standard: If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store Private information on portable media, the media must be encrypted.
Web Security Standard: If you have a web page at RIT, official or unofficial, and you:
  • Own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • Use RIT authentication services
Signature Standard: If you are sending out an e-mail, MyCourses, or Message Center communication relating to Institute academic or business purposes. This applies to both RIT and non-RIT e-mail accounts.
Server Security Standard: If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it.
Network Security Standard: If you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure
  • Processes RIT Confidential or Operationally Critical information
Account Management:
  • If you create or maintain RIT computer and network accounts.
  • Managers reporting changes in access privileges/job changes of employees.
Solutions Life Cycle Management: RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:
  • Host or provide access to Private or Confidential information
  • Support a Critical Business Process
Disaster Recovery: For business continuity and disaster recovery. Applies to any RIT process/function owners and organizations who use RIT information resources.
  NOTE: The “in compliance by” date for this standard is January 23, 2016.
Authentication Service Provider Standard: If you are providing authentication services on network resources owned or leased by RIT.
  NOTE: The Authentication Service Provider Standard will retire on January 23, 2015 and be replaced by the Account Management Standard.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links

Link: Overview

Digital Self Defense 103 - Information Handling: Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations: How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media: List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations: Recommendations for mobile device usage at RIT.
VPN: Recommended for wireless access to RIT Confidential information.
E-mail at RIT: Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Safe Online Shopping & Banking

Use a Secure Computer

Make sure your computer meets the RIT Desktop & Portable Computer Standard before getting online. In addition to up-to-date anti-virus, make sure that your operating system and your web browser have the latest security patches installed.

Don't use public computers to send private information over the Internet. You cannot be sure what security measures are in place and other people may have altered settings or installed malware without your knowledge.

Research the Company/Website

Investigate any bank or retailer you are considering using. How trustworthy are they?

Use the FDIC Bank Find page to make sure the bank is insured by the FDIC.

Check the company's privacy policy. Some companies may sell your e-mail address and/or other contact information to third parties, leading to more spam in your inbox (if there is no privacy policy, you're better off avoiding that site).

Plug the website name into a search engine. What kinds of consumer reviews are returned?

If you're shopping at an auction site, check out the seller's feedback. Have other people had good experiences with them? What forms of payment will they accept?

Research the Product/Service

Learn more about the product or service you are considering. Are you getting exactly what you want? Look for fine print: are there hidden fees or terms?

Are the prices too good to be true? Insane deals are sometimes used to disguise malicious links. They may also be an indication that the product is actually a counterfeit.

What is the seller's return/exchange policy? Do they cover damaged goods?

What is the bank's policy on fraud? How much protection do they offer? Will they reimburse fraudulent transactions?

What about shipping costs? Is there a minimum purchase amount? Tip: If you're making several purchases, try to combine them on the same order when possible. Not only does it reduce the number of transactions you have to make, but you might save a bundle on shipping costs too!

Use Strong Passwords

Use a strong, unique password or pass phrase where allowed. Most online banks (and some retail websites) offer an additional layer of security such as:

Using an on-screen keyboard to enter passwords (this protects against keyloggers).

Requiring an additional password or personal identification number.

Requiring you to answer a challenge-response question each time you log in (e.g., what is your grandmother's maiden name?).

Smart cards or tokens that generate a single-use password (meaning you cannot access your account without this physical device).

Select an online banking service that uses one of the above methods or some other type of additional security protection.

Make Sure the Website Uses Encryption

When you're ready to submit your information, look for the following indicators that the website is secure:

The address bar should begin with either shttp or https (not just "http"), and there must be a padlock icon in your web browser (the location varies by browser; it usually appears in the address bar or in the status bar at the bottom).

Never submit your login information by e-mail. Scammers go to great lengths to make e-mails appear genuine, but no legitimate bank or retailer will ever ask you to submit private information by e-mail.

Use a Secure Payment Method

When shopping through an online retailer or through an auction site, make sure you use a secure payment method.

Credit cards are one of the safer options. Federal law limits your liability in the event of credit card fraud to only $50. MasterCard and Visa also offer zero liability for most debit card transactions as well.

See if your bank or credit card issuer offers one-time use or "virtual" card numbers. These are card numbers that you can sign up for and activate for a limited time period. They still link to your regular card or account; however, the number is completely different. This means your active account number doesn't have to be transmitted over the Internet at all.

Never give out a bank account number to anyone, and be wary of anyone who insists upon cash or wire transfer only.

Monitor Your Accounts

Keep track of all your purchases/account history from start to finish and beyond.

Print out all your orders and receipts, as well as e-mail confirmations and product descriptions. If possible, request that your bank mail you a monthly account statement and compare it to your online statements.

Follow up your purchases by closely watching your bank account and/or credit card statements to monitor for any unauthorized transactions.

You may also want to check your credit report annually (check for free at www.annualcreditreport.com).

Problems and Complaints

Online Banking Complaints

There are several different organizations that regulate financial institutions in the United States. The links below provide additional information on safe online banking as well as instructions for filing a complaint:

FDIC - Safe Internet Banking
http://www.fdic.gov/bank/individual/online/safe.html

U.S. Securities and Exchange Commission - Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information
http://www.sec.gov/investor/pubs/onlinebrokerage.htm

New York Fed - Tips for Safe Banking Over the Internet
http://www.newyorkfed.org/education/addpub/safeinternet.pdf

Online Shopping Complaints

If you think you have been a victim of online shopping fraud and/or cannot resolve a problem with the seller, contact the following agencies:

Better Business Bureau
https://odr.bbb.org/odrweb/public/GetStarted.aspx

Additional Links

Online Shopping Tips

http://www.dhses.ny.gov/ocs/

http://www.consumer.ftc.gov/blog/happy-holiday-shopping

http://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/online-shopping

http://www.safeshopping.org

Online Banking

FDIC Bank Find:
http://www2.fdic.gov/idasp/main_bankfind.asp

