Private

Mobile Devices

Mobile devices are not always designed with security in mind and, as a result, are not as secure as most computers.

There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing", and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential information. 

Private Information and Mobile Device Use

We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.

To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest. 

Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.

General Guidelines for Mobile Device Use at RIT

Understand your device

  1. Configure mobile devices securely. Depending on the specific device, you may be able to:
    1. Enable auto-lock. (This may correspond to your screen timeout setting).
    2. Enable password protection.
      1. Use a reasonably complex password where possible.
      2. Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
    3. Ensure that browser security settings are configured appropriately.
    4. Enable remote wipe options (third party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).
  2. Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  3. Ensure that sensitive websites use https in the browser URL on both your computer and your mobile device.
  4. Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.

Use added features

  1. Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  2. Install an anti-virus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  3. Use an encryption solution to keep portable data secure in transit and at rest. WPA2 traffic is encrypted; 3G encryption has been cracked. Use an SSL (https) connection where available.

General tips

  1. Never leave your mobile device unattended.
  2. Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
  3. Include contact information with the device:
    1. On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853."
    2. Engraved on the device.
    3. Inserted into the case.
  4. For improved performance and security, register your device and connect to the RIT WPA2 network where available.

Mobile Device Disposal

Use appropriate sanitization and disposal procedures for mobile devices. Some suggestions can be found from:


Computer Incident Handling Standard

RIT has created a process for handling computer incidents to ensure that each incident is appropriately resolved and further preventative measures are implemented.

Computer Incident Handling Standard

Who does the standard apply to?

  • The standard primarily applies to administrators of RIT-owned or leased computing devices.
  • The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.

What is an incident?

Incidents include the following types of events:

  • Physical loss of a computing device (including storage devices)
  • Detection of unauthorized users accessing a computing device
  • Discovery of malware on a computing device
  • Discovery of critical vulnerabilities or improper configuration that could result in a breach of information

What do I have to do?

Action needed, by group:

Everyone
  • If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.

Self-supported users
  • If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
  • If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.

Users supported by Systems Administrators
  • Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high risk threats, they will engage the Computer Incident Handling process.
  • Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.

System Administrators

Resources


Information Access & Protection Standard

The Information Access & Protection (IAP) Standard provides requirements for the proper handling of information at RIT.

Information Classifications

The standard classifies information into four categories: Private, Confidential, Internal, and Public.

Private information

Private information is information that is confidential and which could be used for identity theft. Private information also has additional requirements associated with its protection (e.g., state and federal mandates). Examples include:

  • Social Security Numbers (SSNs) or other national identification numbers
  • Driver’s license numbers
  • Financial account information (bank account numbers, checks, credit or debit card numbers), etc.

Confidential information

Confidential information is information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Examples include:

  • Educational records governed by FERPA that are not defined as directory information (see RIT Educational Records Policy D15.0)
  • Employee and student health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
  • Faculty research or writing before publication or during the intellectual property period (see RIT Intellectual Property Policy 3.0)

Internal information

Internal information is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of Institute business. Examples include online building floor plans, specific library collections, etc.

Public information

Public information may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.

Who do the requirements apply to?

This Standard applies to everyone who accesses RIT Information Resources, whether affiliated with RIT or not, from on campus or from remote locations, including but not limited to: students, faculty, staff, contractors, consultants, temporary employees, alumni, guests, and volunteers.

What are RIT Information Resources?

RIT Information Resources include but are not limited to:

  • RIT-owned or leased transmission lines, networks, wireless networks, servers, exchanges, Internet connections, terminals, applications, and computers
  • Information owned by RIT or used by RIT under license or contract, in any form, including but not limited to:
    • Electronic media
    • Portable media
    • Electronic hardware
    • Software
    • Network communications devices
    • Paper
  • Personal computers, servers, wireless networks, mobile devices, and other devices not owned by RIT but intentionally connected to RIT Information Resources.

What do I have to do?

Everyone who accesses RIT Information Resources should know and understand the four classes of information at RIT and appropriate handling practices for each class. Specific roles and responsibilities are detailed in the Information Access and Protection Standard.

Information Access & Protection Standard


Private Information Management Initiative (PIMI) Overview

The Private Information Management Initiative seeks to identify and reduce the amount of Private Information found on RIT computers and storage devices. Private information is information that is typically used to conduct identity theft and may include Social Security Numbers (SSNs), credit card numbers, driver’s license numbers, bank account information, etc.

Reducing the amount of Private Information (PI) will help safeguard the RIT community against identity theft and will help RIT comply with relevant state and federal laws. 

Goals

  1. Increase awareness of the importance of safeguarding all private information, not just SSNs
  2. Increase awareness of the existing RIT policies that address private information
  3. Increase sense of individual accountability and responsibility in the area of policy compliance surrounding private information and a related understanding of the consequences for noncompliance
  4. Effective destruction of non-approved and unnecessarily retained private information (paper and electronic forms) from business units and employee offices
  5. Integration of the Records Management Policy into everyday employee activities

Representation

The RIT Information Security Office is leading this initiative with the assistance of project team representatives from each college and division. The representatives include:

  • An Information Steward/Management Representative who will receive reports detailing the location of Private information and will lead remediation efforts of Private information found in electronic and paper forms.
  • A Technical Representative who will assist in inventorying computers assigned to the respective college or division and will assist the Information Steward/Management Representative in remediation efforts.
  • Current list of representatives

What to Expect

The RIT Information Security Office is working with various RIT organizations to identify the location of SSNs and other Private Information by providing a software tool (Identity Finder) that will scan computers and attached drives to determine if they contain Private information. When Identity Finder finds suspected Private information, it provides a report to the computer user and the RIT Information Security Office. The software also provides the computer user with tools to erase (shred) the information securely or to remove (scrub) the private information from the files.

Scans will be initiated by the Identity Finder server in the Information Security Office. Computer users may also initiate an on-demand scan at their convenience. Identity Finder is licensed for use on RIT-owned computers and is currently available for Windows and Macs.

For More Information

For more information, contact your PIMI representative.

Ben Woelk
PIMI Project Manager
585.475.4122
ben.woelk@rit.edu

Links:


Document Destruction

Updated June 11, 2014

Why Have Document Destruction Activities?

Document Destruction Activities provide a focused opportunity for RIT faculty and staff to securely archive or dispose of paper records that contain private information. Private Information includes financial account numbers, social security numbers, driver’s license numbers and other information that can be used in identity theft. Participation in this activity will enable RIT to secure Private Information that could otherwise be used to facilitate identity theft. Document Destruction Activities are part of the RIT Private Information Management Initiative, but they are managed by your department. We encourage all departments to schedule Document Destruction Activities.

Why are Document Destruction Activities so important?

With its concentration of student records and private information, higher education is often targeted by attackers hoping to harvest private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Driver’s License) for use in identity theft. In addition, careless storage or loss of records often leads to data breaches that require compliance with various state and federal laws requiring notification of affected consumers. For example, DataLoss DB (http://datalossdb.org/) indicates that almost 25% of breaches have been due to the inadvertent loss of private information, in both paper file and digital formats.

Participation in Document Destruction Activities will reduce the likelihood that members of the RIT community will have their personal information fall victim to malicious attacks or loss. This activity will also provide an opportunity for faculty and staff to adhere to the RIT Records Management Policy (C22.0). Any questions regarding the appropriate retention period can be addressed to the RIT Office of Legal Affairs.

When are my Document Destruction Activities?

Contact your Private Information Management Initiative representative to find out what activities are being planned in your college or division for document destruction.

What do I need to do for my Document Destruction Activities?

It is important that you keep track of any documents that may leave another person susceptible to identity theft attacks. In preparation for your department’s Document Destruction Activities, please review the files in your office to ensure that you have not retained any private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Driver’s License) that is not critical to your current work. Take this opportunity to review files and dispose of them in accordance with the RIT Records Management Policy (C22.0).

We encourage you to review your files now and dispose of those containing Private Information securely. Ensure that any RIT files in your home do not contain any private information.

How do I dispose of portable media and paper documents containing Private Information securely?

Visit our Information Disposal page for recommendations.

What if I have questions?

Contact your division or college's PIMI representative.
