No-Click November

It’s November again. Cyber Security Awareness Month (October) has just passed, but that doesn’t mean we can stop practicing the online safety tips we learned; quite the opposite. Now that we are better informed about online security, we must put those tips into practice every day and share what we know with the people around us.

The year is coming to an end, yet new exploits show up every day. The holidays are approaching, and now is as good a time as any to learn or review security tips about where we “click”. Even the most security-savvy among us are prone to click absent-mindedly here or there and fall for a scam before realizing it. During this month, we will be sharing tips through all of our social media channels to prepare you for the Internet battlefield, a place full of web links, attachments, and tricky “click here” buttons.

The number of people who go online every day keeps growing, and so does the time they spend online. Phishing attacks and identity theft attempts are a threat most of the time we are navigating cyberspace, which is why we should stay protected at all times. And since the Internet is a shared resource, it is also our duty to create awareness and help others stay secure.

From malicious links sent by email, to suspicious attachments, and even the “x” (close) buttons on ads and pop-ups, falling for an attack is just one click away. The best protection is to be vigilant about where you navigate and to take every precaution you can.

This month we also have Computer Security Day (Nov. 30th). This is a great month to remind you to keep your computer and information safe. Learn how in our Securing Your Computer section.

Tips to help you identify when not to click:

  • Don’t simply trust information from sources you don’t know. If an email asks you to visit a site, type the organization’s address into the browser yourself rather than clicking the link; the link text can say one thing while the destination is another.
  • Make sure you know where short links are taking you. A good way to find out is to paste them into a “link expander” service, which shows the full destination before you visit it.
  • Before clicking links in emails, especially from unknown senders, rest your mouse pointer on the link (without clicking) and check that the address shown by your email client or browser matches the address written in the email.
  • Always investigate the source of a link before clicking it. Don’t trust what comes to you from strangers.
  • Beware of scammers on popular websites. On sites like Pinterest, you might click on someone’s board and find that it takes you to a completely different address than the pin suggested. Be cautious when clicking on other people’s content.
  • Be careful with websites that demand that you download a video codec or other software to view something. Such a download is very likely malware.
  • Read before you click. If you don’t find the terms and conditions worth reading, don’t put your security at risk by agreeing to them.
  • Enable your browser’s built-in phishing and malware protection, and consider an anti-phishing toolbar. These help detect, and may block, known phishing sites.
  • Just because a friend posts or “likes” a shared link doesn’t mean it is safe to open. Attackers often disguise malicious links as interesting content, and the resulting malware can harm your computer or mobile device in many ways.
  • We often ignore pop-ups reminding us to update our security software. In this case, DO click, as soon as you can, but start the update from the application or operating system itself rather than from a pop-up in a web page, since fake update prompts are a common malware lure. Keeping software up to date is an important part of staying safe.
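The “hover over the link” check above can be automated for an HTML e-mail. The following Python script is an added example written for this page, not code from RIT Information Security: it parses the message body and, for every link, compares the host the visible text claims with the host the href really goes to, flags shortened links that should be expanded first, and warns about plain http destinations. The sample e-mail body, the domain names in it and the small list of shortener domains are constructed for the example, and the two-label base-domain comparison is deliberately naive (it does not understand suffixes such as co.uk).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body for the example (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.example-bank.com.attacker.test/verify">https://www.example-bank.com/login</a>
<p>Unsubscribe <a href="https://www.example-bank.com/unsubscribe">here</a>.</p>
<a href="https://bit.ly/3xyzABC">https://bit.ly/3xyzABC</a>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
"""

# Well-known URL shorteners; extend to taste (assumed list, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Visible link text that looks like a web address: optional scheme, dotted host, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare text like 'www.x.com/path' is given a scheme first.
    mailto:/javascript:/tel: links have no web host and return ''."""
    parts = urlsplit(url)
    if parts.scheme in ("mailto", "javascript", "tel"):
        return ""
    if "://" not in url:
        parts = urlsplit("http://" + url)
    return (parts.hostname or "").lower()


def base_domain(host):
    """Naive registrable domain: the last two labels (does not handle suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_links(html):
    """Return [(href, visible_text, verdict)] with verdict in
    {"mismatch", "shortened", "not-https", "no-host", "ok"}."""
    parser = _AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        if not href_host:
            verdict = "no-host"      # relative links, mailto:, javascript:, tel:
        elif base_domain(href_host) in SHORTENERS:
            verdict = "shortened"    # expand before trusting
        elif URL_LIKE.match(text) and base_domain(host_of(text)) != base_domain(href_host):
            verdict = "mismatch"     # the text claims one site, the href goes to another
        elif not href.lower().startswith("https://"):
            verdict = "not-https"
        else:
            verdict = "ok"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10} text={text!r} -> {href}")
```

Run it on the constructed message and the first link is reported as a mismatch (the text reads like the bank, the href lands on attacker.test), the bit.ly link is reported as shortened, and the two genuine links pass. A “mismatch” verdict is exactly what the hover check reveals by hand.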


The online shopping boom driven by Black Friday also makes this month a good time to share security tips so you can protect yourself from fake sales and ads that try to convince you they lead to a great deal. If it sounds too good to be true, it probably is. Listen to your instincts!

Check our Online Shopping tips and follow us on all of our social media channels for daily tips and information.

Facebook: RIT Information Security / Twitter: @RIT_InfoSec / Google+: RIT Information Security / Pinterest: RIT InfoSec / Instagram: @RIT_infosec

Security Standard: Account Management

This standard applies to all RIT Information and Information Resources.  


Requirements for All Accounts

The following security controls are required to be implemented on all accounts:

1.      Account Authentication

1.1.   End user account authentication should use the enterprise identity and access management service when the system or application processes Private, Confidential, or Critical Process information. 

1.2.   The use of the enterprise authentication service by an application should be authorized by the Authentication Service Provider and the security reviewed by the Information Security Office.

1.3.   Password Management

1.3.1.   Access to passwords and their hashes should be restricted. Therefore, public terminals and kiosks should not cache user passwords or passphrases.

1.3.2.   All password changes should be logged, but the password itself should not be logged.

2.      Account Authorization

2.1.   Account authorization should use the enterprise identity and access management service or role-based account authorization native to the application when the system or application processes Private, Confidential, or Critical Process information.

2.2.   Data Owners should authorize:

2.2.1.   A process for approving and documenting authorization. Authorization granted to an account should be commensurate with the level of identity validation performed.

2.2.2.   The parties who may approve user access to roles

2.2.3.   Roles and their privileges following the security principles of Least Required Access and Segregation of Duties.

3.      Account Provisioning

3.1.   Account Establishment: Each account should be for the individual use of a specific person with an academic or business need for this access.

3.1.1.   Employees who have multiple roles with the University should have role-based access provided such that when one of the roles is changed, the access for that role can be changed without impacting the other role. In the event this cannot be achieved technically, then separate accounts are required to fulfill the requirements of each role. 

3.1.2.   Student employees should have separate accounts from their student accounts. The student accounts may not have student employee-related access. 

3.1.3.   Physical access granted by student IDs should have a termination date pre-populated at the time of hire.

3.2.   Account Duration: Accounts remain valid for as long as the account holder has authorized access to the account, or until the account is suspended by the University.

3.3.   Authorized Administrators should

3.3.1.   Review approvals and provision account/access

3.3.2.   Track authorizations, including:

  • Date of authorization
  • Identification of individual approving access
  • Identification of the role assigned (where applicable) or description of the access privileges granted.  The access privileges granted should only be used to fulfill assigned job duties.
  • These authorizations should be retained in accordance with the Records Management Policy (C22.0).

4.      Account Management and Maintenance

4.1.   Access Review:

4.1.1.   Managers are responsible for reviewing account and access privileges with the employee upon notification of job changes (e.g., termination or a change in job duties).

4.1.2.   Data owners of Private information identified by the ISO should review all accounts and access privileges at least annually to ensure that they are commensurate with job function, need-to-know, and employment status.

4.2.   Account Change Communication: Managers are responsible for communicating to account administrators when an account or access privileges may require modification or deactivation.

4.3.   Account Modification: Upon notification, the account administrators will review account and access privileges with the data owner or designee. All changes to accounts and access privileges should be approved and formally documented.

4.4.   Account Deactivation: Upon notification, account administrators are responsible for the immediate deactivation of accounts and access privileges when continued access is no longer required (e.g., terminated).  All deactivation of accounts and access privileges should be formally documented. 

4.5.   Account Lockout/Reset

4.5.1.   Authentication systems should disable user accounts after a set number of failed logon attempts.

4.5.2.   Administrators should follow established procedures for re-enabling or resetting user accounts once they have been disabled or upon request by the user. They should verify user identity prior to re-enabling or resetting user accounts. These procedures should take into consideration the potential risk to determine if automated procedures and the lockout time duration are appropriate.

4.5.3.   Administrators may not use the University Identification Number as the sole verification for resetting passwords.


Requirements for Special Accounts

The following security controls are required to be implemented on special accounts:

5.      Provisioning Administrator and Service Accounts: Requirements for issuing Administrator and Service Accounts are the same as other accounts with the following additions and changes:

5.1.   Account Establishment

5.1.1.   Ownership of an administrator account or group should be assigned to an individual. 

5.1.2.   Service accounts should be assigned to a system or application and are not for individual use.  

5.2.   Account Usage: Administrator and Service Accounts are for system or application use only and should not be used for any purpose other than the administration or operation of the system or application. Each service account should nonetheless be assigned to a responsible account administrator.

5.3.   Group Access: Administrator and Service Accounts may be shared by a limited group of individuals for the purpose of operation and administration of the application or system, and only where required by the system or application. (In these cases, when possible, access to system accounts should be through methods that require each individual to authenticate with their own username and password before using the shared account, so that actions remain attributable to a person.)

5.4.   Default Administrative or Service Accounts: Accounts that are part of the default setup of a system (including, but not limited to configuration access, database accounts, etc.)  should be removed, disabled, or changed (in that order) whenever possible. 

5.5.   Service Accounts: Service accounts should be reassigned and passwords of the service accounts changed when the account administrator is no longer in that role.

6.      Sponsored Accounts: Requirements for sponsored accounts are the same as other accounts with the following additions and changes:

6.1.   All sponsored accounts (for those who do not receive an account based on their role at RIT) with access to RIT information resources should contain an expiration date of no more than one year or the work completion date, whichever occurs first. Only authorized RIT account holders can approve sponsored accounts.

6.2.   Upon termination of the Sponsor’s account, the Sponsored account should be transferred to another appropriate RIT account holder or be deactivated.

7.      Generic/Shared Accounts: Requirements for Generic/Shared Accounts are the same as other accounts with the following additions and changes:

7.1.   Each generic or shared account should have a designated owner who is responsible for the management of access to that account. The owner should log access to the generic or shared account.

7.2.   Shared Generic Accounts: Generic accounts may only be shared in those situations where a system (e.g., a server), device (e.g., switches or routers) or application cannot technically support the use of individual accounts.


Effective Date: January 23, 2015

Standard History: November 11, 2013

Requirements for Faculty/Staff

Security Standards and when they apply:

Desktop and Portable Computer Standard: Always.
Password Standard: Always.
Information Access & Protection Standard: Always.
Computer Incident Handling Standard: Always.
Portable Media Standard: If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store Private information on portable media, the media must be encrypted.
Web Security Standard: If you have a web page at RIT, official or unofficial, and you:
  • Own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • Use RIT authentication services.
Signature Standard: If you are sending out an e-mail, MyCourses, or Message Center communication relating to Institute academic or business purposes. This applies to both RIT and non-RIT e-mail accounts.
Server Security Standard: If you own or administer any production, training, test, or development server, and/or the operating systems, applications, or databases residing on it.
Network Security Standard: If you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure.
  • Processes RIT Confidential or Operationally Critical information.
Account Management Standard:
  • If you create or maintain RIT computer and network accounts.
  • If you are a manager reporting changes in employees’ access privileges or job duties.
Solutions Life Cycle Management Standard: RIT departments exploring new IT services (including third-party, RIT-hosted, and software as a service) that meet one or more of the following:
  • Host or provide access to Private or Confidential information.
  • Support a Critical Business Process.
Disaster Recovery Standard: For business continuity and disaster recovery. Applies to any RIT process/function owners and organizations who use RIT information resources.

NOTE The “in compliance by” date for this standard is January 23, 2016.

Authentication Service Provider Standard

If you are providing authentication services on network resources owned or leased by RIT.

NOTE The Authentication Service Provider Standard was retired on January 23, 2015 and replaced by the Account Management Standard.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links

Digital Self Defense 103 - Information Handling: Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations: How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media: List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations: Recommendations for mobile device usage at RIT.
VPN: Recommended for wireless access to RIT Confidential information.
E-mail at RIT: Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.


If you have questions or feedback about specific information security requirements, please contact us.

Safe Online Shopping & Banking

Use a Secure Computer

Make sure your computer meets the RIT Desktop & Portable Computer Standard before getting online. In addition to up-to-date anti-virus, make sure that your operating system and your web browser have the latest security patches installed.

Don't use public computers to send private information over the Internet. You cannot be sure what security measures are in place and other people may have altered settings or installed malware without your knowledge.

Research the Company/Website

Investigate any bank or retailer you are considering using. How trustworthy are they?

Use the FDIC Bank Find page to make sure the bank is insured by the FDIC.

Check the company's privacy policy. Some companies may sell your e-mail address and/or other contact information to third parties, leading to more spam in your inbox (if there is no privacy policy, you're better off avoiding that site).

Plug the website name into a search engine. What kinds of consumer reviews are returned?

If you're shopping at an auction site, check out the seller's feedback. Have other people had good experiences with them? What forms of payment will they accept?

Research the Product/Service

Learn more about the product or service you are considering. Are you getting exactly what you want? Look for fine print: are there hidden fees or terms?

Are the prices too good to be true? Insane deals are sometimes used to disguise malicious links. They may also be an indication that the product is actually a counterfeit.

What is the seller's return/exchange policy? Do they cover damaged goods?

What is the bank's policy on fraud? How much protection do they offer? Will they reimburse fraudulent transactions?

What about shipping costs? Is there a minimum purchase amount? Tip: If you're making several purchases, try to combine them on the same order when possible. Not only does it reduce the number of transactions you have to make, but you might save a bundle on shipping costs too!

Use Strong Passwords

Use a strong, unique password or pass phrase where allowed. Most online banks (and some retail websites) offer an additional layer of security such as:

Using an on-screen keyboard to enter passwords (this helps against keystroke loggers, though not against malware that captures the screen).

Requiring an additional password or personal identification number.

Requiring you to answer a challenge-response question each time you log in (e.g., what is your grandmother's maiden name?).

Smart cards or tokens that generate a single-use password (meaning you cannot access your account without this physical device).

Select an online banking service that uses one of the above methods or some other type of additional security protection.

Make Sure the Website Uses Encryption

When you're ready to submit your information, look for the following indicators that your connection to the website is encrypted:

The address should begin with https:// (not just http://), and your browser should show a padlock (its location varies by browser; it usually appears in the address bar). Keep in mind that the padlock only means the connection is encrypted; it does not prove the site is the one you meant to visit, and phishing sites can use https too, so check the domain name in the address bar as well.

Never submit your login information by e-mail. Scammers go to great lengths to make e-mails appear genuine, but no legitimate bank or retailer will ever ask you to submit private information by e-mail.

Use a Secure Payment Method

When shopping through an online retailer or through an auction site, make sure you use a secure payment method.

Credit cards are one of the safer options. Federal law limits your liability for unauthorized credit card charges to $50. MasterCard and Visa also offer zero liability for most debit card transactions.

See if your bank or credit card issuer offers one-time use or "virtual" card numbers. These are card numbers that you can sign up for and activate for a limited time period. They still link to your regular card/account, but the number is completely different, so your real account number never has to be transmitted over the Internet.

Never give out a bank account number to anyone, and be wary of anyone who insists upon cash or wire transfer only.

Monitor Your Accounts

Keep track of all your purchases/account history from start to finish and beyond.

Print out all your orders and receipts, as well as e-mail confirmations and product descriptions. If possible, request that your bank mail you a monthly account statement and compare it to your online statements.

Follow up your purchases by closely watching your bank account and/or credit card statements to monitor for any unauthorized transactions.

You may also want to check your credit report annually (check for free at

Problems and Complaints

Online Banking Complaints

There are several different organizations that regulate financial institutions in the United States. The links below provide additional information on safe online banking as well as instructions for filing a complaint:

FDIC - Safe Internet Banking

U.S. Securities and Exchange Commission - Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information

New York Fed - Tips for Safe Banking Over the Internet

Online Shopping Complaints

If you think you have been a victim of online shopping fraud and/or cannot resolve a problem with the seller, contact the following agencies:

Better Business Bureau

Additional Links

Online Shopping Tips

Online Banking

FDIC Bank Find:

