Securing Your Computer

This section provides information about the software and instructions necessary to comply with the Desktop and Portable Computer Standard. The software on this page is intended for use by students, faculty, and staff at RIT. Inexperienced or non-technical users may want to check out our Digital Self Defense 101 Workshop, which explains the dangers of the Internet and RIT security requirements in greater detail.

Note: You do not have to use the specific software listed on this page. However, you should meet the requirements of the Desktop and Portable Computer Standard for your computer.

Anti-Virus

RIT has licensed McAfee VirusScan software (available on the ITS Security & Virus Protection website) for use by students, faculty, and staff on personally-owned computers. RIT-owned Windows computers will receive McAfee HIPS (Host Intrusion Prevention Software).

It is not necessary to use this particular anti-virus; if you prefer, you may use any of the following products.

Product                   License                        Company
ClamAV (Linux)            Free for personal use          Open Source
ClamXAV2 (Mac)            Free for personal use          Open Source
Norton Anti-Virus         One year paid subscription     Symantec
Trend Micro Anti-Virus    One year paid subscription     Trend Micro
avast! Anti-Virus         Free for personal use          ALWIL Software
AVG Anti-Virus            Free for personal use          Grisoft

Anti-Spyware

This should already be built into current anti-virus software; a separate program is not needed.

Firewalls

Windows 7, Vista, XP, and Mac OS X all come with built-in firewalls; Resnet provides instructions on how to configure them. If you do not want to use the built-in firewall, RIT recommends the basic ZoneAlarm free firewall for Windows users. Other firewall options may be provided by your Internet Service Provider.

Patching/Updating

Regardless of what operating system you run, it should be up-to-date on all security patches; the easiest way to do this is to turn on the automatic update feature. Learn how to enable automatic updates for Windows and keep your Mac up-to-date automatically.

Users of other operating systems such as Linux, Unix, etc., are also required to keep their operating systems up-to-date on security patches.

Software applications should also be kept up-to-date. This can usually be done from within the program itself or through the vendor's website; some programs have an automatic update feature. Use the links below to find updates for Microsoft, Apple, and Adobe software.

ISO-Approved Private Information Management Software

  • Identity Finder (Windows, Mac)
  • Cornell Spider (Linux only)

No-Click November

It’s November again. Cyber Security Awareness Month (October) has just passed, but that doesn’t mean we can stop practicing the online safety tips we learned; quite the opposite. Now that we are better informed about online security, we must apply those tips daily and share what we know with everyone around us.

The year is coming to an end, yet new security exploits show up every day. The holidays are coming, and NOW is as good a time as ever to learn or review security tips about where we “click”. Even the most security-savvy are prone to distractedly click here or there and fall for a scam before realizing it. During this month we will be sharing tips through all of our social media channels, to prepare you for the Internet battlefield, a place full of web links, attachments, and tricky “click here” buttons.

The number of people who go online every day keeps growing, and so does the time they spend online. Phishing attacks and identity theft attempts are a threat most of the time we are online, which is why we should always stay protected; and since the Internet is a shared resource, it is also our duty to raise awareness and help others stay secure.

From malicious links sent through email, to suspicious attachments and even the “x” (cancel) buttons in ads and pop-ups, an attack can be just one click away. The best way to protect yourself is to be vigilant about where you navigate and to take every precaution possible.

This month we also have Computer Security Day (Nov. 30th). This is a great month to remind you to keep your computer and information safe. Learn how in our Securing Your Computer section.

Tips to help you identify when not to click:

  • Don’t simply trust information from sources you don’t know. If you have to follow a link, type or paste the address into the browser yourself to make sure it’s a legitimate site.
  • Make sure you know where short links are taking you. A good way to find out is to paste them into a "link expander" such as KnowURL.com or LongURL.org.
  • Before clicking links in emails, especially if you don’t know the source, rest your mouse pointer on the link (without clicking) and make sure the address shown is the same one typed in the email.
  • Always try to investigate the source of a link before clicking it. Don’t trust what comes to you from strangers.
  • Beware of scammers on popular websites. On some sites, like Pinterest, you might click on someone’s board and find that it takes you to a completely different address than what the pin was about. Be cautious when clicking on other people’s content.
  • Be careful with websites that demand you download a video codec or other software to view something. It will most likely lead you to download malware.
  • Read before you click. If you don’t find the terms and conditions worth reading, then don’t put your security at risk by agreeing to them.
  • We recommend you enable site checking and add an anti-phishing toolbar to your browser. These help detect, and may block, known phishing sites.
  • Just because a friend posts or "likes" a shared link doesn’t mean it is safe to open; hackers often disguise links as interesting content to reach you, and the malware behind them can harm your computer or mobile device in many ways.
  • We often ignore pop-ups reminding us to update our computer security software. In this case, DO click, as soon as you can. An important part of staying safe is keeping it up to date.
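The hover check in the third tip (the address shown in the email versus the address the link really goes to) can also be automated for mail filtering or awareness demos. The following is an added example, not code from the RIT page: it parses an HTML message body and flags anchors whose visible text names one site while the href points to another. The message body, the example.edu/example.net hostnames and the LinkAuditor name are constructed for this example; links whose visible text is not a URL (such as "Click here") are not flagged, because the tip only covers a displayed address that does not match.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def shown_host(text):
    """Host named by a URL-looking string (with or without a scheme), or None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate          # treat bare "www.example.edu/x" as a URL
    host = urlsplit(candidate).hostname
    return host.lower() if host and "." in host else None


class LinkAuditor(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html):
    """Return (text, href) pairs whose displayed host differs from the real destination host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return [(text, href) for text, href in auditor.links
            if shown_host(text) and shown_host(href) and shown_host(text) != shown_host(href)]


# Constructed sample message: one spoofed link, one honest link, one non-URL label.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://login-verify.example.net/reset">https://www.example.edu/security</a><br>
<a href="https://www.example.edu/security">https://www.example.edu/security</a><br>
<a href="http://login-verify.example.net/reset">Click here</a>"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```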

The online shopping boom driven by Black Friday also makes this month a good time to share security tips, so you can protect yourself from fake special sales and ads that try to trick you into believing they lead to a great deal. If it sounds too good to be true, it probably is. Listen to your instincts!

Check our Online Shopping tips and follow us on all of our social media gadgets for daily tips and information.

Facebook: RIT Information Security / Twitter: @RIT_InfoSec / Google+: RIT Information Security / Pinterest: RIT InfoSec / Instagram: @RIT_infosec

Security Standard: Account Management

Scope

This standard applies to all RIT Information and Information Resources.

Requirements for All Accounts

The following security controls are required to be implemented on all accounts:

1. Account Authentication

1.1. End user account authentication should use the enterprise identity and access management service when the system or application processes Private, Confidential, or Critical Process information.

1.2. The use of the enterprise authentication service by an application should be authorized by the Authentication Service Provider, and its security reviewed by the Information Security Office.

1.3. Password Management

1.3.1. Access to passwords and their hashes should be restricted; therefore, public terminals and kiosks should not cache user passwords/passphrases.

1.3.2. All password changes should be logged, but the password itself should not be logged.

2. Account Authorization

2.1. Account authorization should use the enterprise identity and access management service, or role-based account authorization native to the application, when the system or application processes Private, Confidential, or Critical Process information.

2.2. Data Owners should authorize:

2.2.1. A process for approving and documenting authorization. Authorization granted to an account should be commensurate with the level of identity validation performed.

2.2.2. The parties who may approve user access to roles.

2.2.3. Roles and their privileges, following the security principles of Least Required Access and Segregation of Duties.

3. Account Provisioning

3.1. Account Establishment: Each account should be for the individual use of a specific person with an academic or business need for this access.

3.1.1. Employees who have multiple roles with the University should have role-based access provided such that when one of the roles changes, the access for that role can be changed without impacting the other role. If this cannot be achieved technically, separate accounts are required to fulfill the requirements of each role.

3.1.2. Student employees should have separate accounts from their student accounts. The student accounts may not have student employee-related access.

3.1.3. Physical access granted by student IDs should have a termination date pre-populated at the time of hire.

3.2. Account Duration: Accounts are valid while the individual account holder has authorized access to the account, or until the account is suspended by the University.

3.3. Authorized Administrators should:

3.3.1. Review approvals and provision accounts/access.

3.3.2. Track authorizations, including:

  • Date of authorization
  • Identification of the individual approving access
  • Identification of the role assigned (where applicable) or description of the access privileges granted. The access privileges granted should only be used to fulfill assigned job duties.
  • These authorizations should be retained in accordance with the Records Management Policy (C22.0).

4. Account Management and Maintenance

4.1. Access Review:

4.1.1. Managers are responsible for reviewing account and access privileges with the employee upon notification of employment changes (e.g., termination or job changes).

4.1.2. Data owners of Private information identified by the ISO should review all accounts and access privileges at least annually to ensure that they are commensurate with job function, need-to-know, and employment status.

4.2. Account Change Communication: Managers are responsible for communicating to account administrators when an account or access privileges may require modification or deactivation.

4.3. Account Modification: Upon notification, the account administrators will review account and access privileges with the data owner or designee. All changes to accounts and access privileges should be approved and formally documented.

4.4. Account Deactivation: Upon notification, account administrators are responsible for the immediate deactivation of accounts and access privileges when continued access is no longer required (e.g., on termination). All deactivation of accounts and access privileges should be formally documented.

4.5. Account Lockout/Reset

4.5.1. Authentication systems should disable user accounts after a set number of failed logon attempts.

4.5.2. Administrators should follow established procedures for re-enabling or resetting user accounts once they have been disabled or upon request by the user. They should verify user identity prior to re-enabling or resetting user accounts. These procedures should take the potential risk into consideration when deciding whether automated procedures and the lockout duration are appropriate.

4.5.3. Administrators may not use the University Identification Number as the sole verification for resetting passwords.
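Requirements 1.3.2 and 4.5.1 through 4.5.3 describe controls that can be implemented directly. The following is an added example, not part of the RIT standard or of any RIT system: a minimal in-memory account store that disables an account after a set number of failed logons, re-enables it only after a lockout period or after an administrator has verified the user's identity, and writes audit records for lockouts and password changes without ever recording the password or its hash. The threshold (5 attempts), the lockout duration (15 minutes), the PBKDF2 parameters and all names are assumptions made for this example.

```python
import hashlib, hmac, os, time

MAX_FAILED_ATTEMPTS = 5     # assumed; the standard leaves N and the duration to a risk decision (4.5.2)
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration


def _hash(password, salt):
    # Salted PBKDF2: the stored value cannot be turned back into the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so lockout expiry can be tested
        self._accounts = {}        # username -> {salt, hash, failures, locked_until}
        self.audit = []            # who/what/when only; never a password or hash (1.3.2)

    def _record(self, event, username, **extra):
        self.audit.append({"ts": self._clock(), "event": event, "user": username, **extra})

    def create(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "hash": _hash(password, salt), "failures": 0, "locked_until": 0.0}

    def is_locked(self, username):
        return self._accounts[username]["locked_until"] > self._clock()

    def authenticate(self, username, password):
        acct = self._accounts.get(username)
        if acct is None or self.is_locked(username):
            return False   # a locked account is not checked, so a correct guess cannot be confirmed
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:   # 4.5.1: disable after a set number of failures
            acct["failures"] = 0
            acct["locked_until"] = self._clock() + LOCKOUT_SECONDS
            self._record("lockout", username, attempts=MAX_FAILED_ATTEMPTS)
        return False

    def change_password(self, username, old, new, changed_by):
        if not self.authenticate(username, old):
            return False
        salt = os.urandom(16)
        self._accounts[username].update(salt=salt, hash=_hash(new, salt))
        self._record("password_changed", username, by=changed_by)   # 1.3.2: log the change, not the password
        return True

    def admin_reset(self, username, admin, identity_verified, new_password):
        if not identity_verified:   # 4.5.2: verify identity before re-enabling or resetting
            return False
        salt = os.urandom(16)
        self._accounts[username].update(salt=salt, hash=_hash(new_password, salt), failures=0, locked_until=0.0)
        self._record("admin_reset", username, by=admin)
        return True
```

A real deployment would persist the store and ship the audit list to a log system; the in-memory version keeps the three controls visible in one place.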

Requirements for Special Accounts

The following security controls are required to be implemented on special accounts:

5. Provisioning Administrator and Service Accounts: Requirements for issuing Administrator and Service Accounts are the same as for other accounts, with the following additions and changes:

5.1. Account Establishment

5.1.1. Ownership of an administrator account or group should be assigned to an individual.

5.1.2. Service accounts should be assigned to a system or application and are not for individual use.

5.2. Account Usage: Administrator and Service Accounts are specifically for system or application use only and should not be used for any purpose other than the administration or operation of the system or application. However, service accounts should be assigned to an account administrator.

5.3. Group Access: Administrator and Service Accounts may be shared by a limited group of individuals for the purpose of operating and administering the application or system, and only where required by the system or application. (In these cases, when possible, access to system accounts should be by methods that allow the individual to authenticate using a username and password.)

5.4. Default Administrative or Service Accounts: Accounts that are part of the default setup of a system (including, but not limited to, configuration access, database accounts, etc.) should be removed, disabled, or changed (in that order) whenever possible.

5.5. Service Accounts: Service accounts should be reassigned, and their passwords changed, when the account administrator is no longer in that role.

6. Sponsored Accounts: Requirements for sponsored accounts are the same as for other accounts, with the following additions and changes:

6.1. All sponsored accounts (for those who do not receive an account based on their role at RIT) with access to RIT information resources should contain an expiration date of no more than one year or the work completion date, whichever occurs first. Only authorized RIT account holders can approve sponsored accounts.

6.2. Upon termination of the Sponsor’s account, the Sponsored account should be transferred to another appropriate RIT account holder or be deactivated.

7. Generic/Shared Accounts: Requirements for Generic/Shared Accounts are the same as for other accounts, with the following additions and changes:

7.1. Each generic or shared account should have a designated owner who is responsible for the management of access to that account. The owner should log access to the generic or shared account.

7.2. Shared Generic Accounts: Generic accounts may only be shared in those situations where a system (server), device (switches or routers) or application cannot technically support the use of individual accounts.

Effective Date: January 23, 2015

Standard History: November 11, 2013

Requirements for Faculty and Staff

Security Standards

Standard: When does it apply?

Desktop and Portable Computer Standard: Always.
Password Standard: Always.
Information Access & Protection Standard: Always.
Computer Incident Handling Standard: Always.
Portable Media Standard: If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store Private information on portable media, the media must be encrypted.
Web Security Standard: If you have a web page at RIT, official or unofficial, and you:
  • Own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • Use RIT authentication services.
Signature Standard: If you are sending out an e-mail, MyCourses, or Message Center communication relating to Institute academic or business purposes. This applies to both RIT and non-RIT e-mail accounts.
Server Security Standard: If you own or administer any production, training, test, or development server, and/or the operating systems, applications, or databases residing on it.
Network Security Standard: If you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure.
  • Processes RIT Confidential or Operationally Critical information.
Account Management:
  • If you create or maintain RIT computer and network accounts.
  • If you are a manager reporting changes in access privileges or job changes of employees.
Solutions Life Cycle Management: RIT departments exploring new IT services (including third-party, RIT-hosted, and software as a service) that meet any one or more of the following:
  • Host or provide access to Private or Confidential information.
  • Support a Critical Business Process.
Disaster Recovery: For business continuity and disaster recovery. Applies to any RIT process/function owners and organizations who use RIT information resources. Note: the “in compliance by” date for this standard is January 23, 2016.
Authentication Service Provider Standard: If you are providing authentication services on network resources owned or leased by RIT. Note: the Authentication Service Provider Standard will retire on January 23, 2015 and be replaced by the Account Management Standard.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links

Link: Overview

Digital Self Defense 103 - Information Handling: Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations: How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media: List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations: Recommendations for mobile device usage at RIT.
VPN: Recommended for wireless access to RIT Confidential information.
E-mail at RIT: Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.