Private Information Management Initiative -- Faculty and Staff Responsibilities
All RIT faculty and staff are expected to follow the Private Information Management Initiative (PIMI) remediation requirements below:
- Review paper files for Private information.
- Scan RIT computers with Identity Finder for Private information (if Identity Finder is not available, scanning with an alternative tool or reviewing the computer for Private Information is recommended). The Information Security Office will initiate scans of most computers monthly.
- Scan or review personal/home computers, portable devices, and media for Private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License).
- Inform your manager in writing if there is a compelling business reason for retaining private information. Promptly secure the information in compliance with the RIT Information Access and Protection Standard.
- Notify and receive approval from your PIMI Information Steward/Management Representative.
- If you're unable to remediate the information found within Identity Finder, please redact (securely erase or securely destroy) unnecessary private information.
- Complete the Digital Self Defense 103 (2009) Information Handling course (Center for Professional Development, online). *Note: this requirement is waived for faculty and staff who do not handle RIT Private or Confidential information.
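The scanning step above relies on Identity Finder, which looks for Private Information patterns such as Social Security Numbers and card numbers in files. The script below is an added illustration of what such a scan does and is not Identity Finder, RIT's tooling, or code from this page: it walks a directory, matches SSN-shaped and card-shaped strings, discards the most common false positives (SSN ranges the SSA never issues, card-shaped numbers that fail the Luhn checksum), and reports only masked values so the report itself does not become a new store of Private Information. The file names and contents are constructed for the demonstration.

```python
"""Added example: a minimal Private Information scanner.

Not Identity Finder and not RIT code; the sample files, patterns and
plausibility rules below are constructed for this demonstration.
"""
import re
import tempfile
from pathlib import Path

# NNN-NN-NNNN with word boundaries on both sides
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")


def plausible_ssn(area, group, serial):
    """Reject SSN-shaped strings the SSA never issues (e.g. 999-99-9999)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the scan report does not leak PI."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name, text):
    """Return (file, kind, masked_value) tuples for plausible hits in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append((name, "ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append((name, "card", mask(digits)))
    return findings


def scan_directory(root):
    """Scan every regular file under root; unreadable files are skipped."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


# Constructed sample files: one real-looking SSN next to a placeholder SSN
# and a phone number, one Luhn-valid card number next to a Luhn-invalid one,
# and one clean file.
SAMPLE_FILES = {
    "notes.txt": "Student SSN on file: 219-09-9999 (form template shows "
                 "999-99-9999). Callback 585-475-2853.",
    "orders.csv": "card,amount\n4111 1111 1111 1111,19.99\n"
                  "1234 5678 9012 3456,5.00\n",
    "clean.txt": "Nothing sensitive here, order id 2014-06-11.",
}


def demo():
    """Write the constructed samples to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_FILES.items():
            Path(tmp, name).write_text(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for file_name, kind, masked in demo():
        print(f"{file_name}: {kind} {masked}")
```

Run it directly to see the two expected hits (the SSN in notes.txt and the Luhn-valid card number in orders.csv); the placeholder SSN, the phone number, the Luhn-invalid card number and the date produce nothing. A real deployment would add more patterns (driver's license formats, bank account numbers) and would read office formats such as PDF and DOCX rather than plain text only, but the false-positive filtering and masked reporting are the parts worth carrying over.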
Additional Requirements for Department Managers
- Ensure faculty and staff have reviewed paper files and scanned or reviewed electronic files.
- Ensure faculty and staff have redacted, securely erased or securely destroyed unnecessary Private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License).
- Receive authorization to retain any Private information from the Divisional VP/Information Steward/Management Representative and the Information Security Office.
- Secure the remaining Private Information in compliance with the RIT Information Access and Protection Standard.
Mobile devices are not always designed with security in mind and, as a result, are not as secure as most computers.
There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing", and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential information.
Private Information and Mobile Device Use
We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.
To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest.
Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.
General Guidelines for Mobile Device Use at RIT
Understand your device
- Configure mobile devices securely. Depending on the specific device, you may be able to:
  - Enable auto-lock (this may correspond to your screen timeout setting).
  - Enable password protection.
  - Use a reasonably complex password where possible.
  - Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
  - Ensure that browser security settings are configured appropriately.
  - Enable remote wipe options (third-party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).
  - Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  - Ensure that sensitive websites use https in your browser URL on both your computer and mobile device.
- Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
Use added features
- Keep your mobile device and applications on the device up to date. Use automatic update options if available.
- Update the Google Play Store app itself as well: http://www.cnet.com/how-to/force-the-play-store-app-to-update-on-android/
- Install an anti-virus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
- Use an encryption solution to keep portable data secure in transit and at rest. WPA2 wireless traffic is encrypted; 3G encryption has been cracked. Use an SSL (https) connection where available.
- Never leave your mobile device unattended.
- Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
- Include contact information with the device:
  - On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853."
  - Engraved on the device.
  - Inserted into the case.
- For improved performance and security, register your device and connect to the RIT WPA2 network where available.
Mobile Device Disposal
Use appropriate sanitization and disposal procedures for mobile devices. Some suggestions can be found from:
- The SANS Institute: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf
- The FTC: http://www.consumer.ftc.gov/articles/0200-disposing-your-mobile-device
Updated June 11, 2014
Why Have Document Destruction Activities?
Document Destruction Activities provide a focused opportunity for RIT faculty and staff to securely archive or dispose of paper records that contain private information. Private Information includes financial account numbers, social security numbers, driver’s license numbers and other information that can be used in identity theft. Participation in this activity will enable RIT to secure Private Information that could otherwise be used to facilitate identity theft. Document Destruction Activities are part of the RIT Private Information Management Initiative, but they are managed by your department. We encourage all departments to schedule Document Destruction Activities.
Why are Document Destruction Activities so important?
With its concentration of student records and private information, Higher Education is often targeted by attackers hoping to harvest private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License) for use in identity theft. In addition, careless storage or loss of records often leads to data breaches that require compliance with various state and federal laws requiring notification of affected consumers. For example, DataLoss DB (http://datalossdb.org/) indicates that almost 25% of breaches have been due to the inadvertent loss of private information, in both paper file and digital formats.
Participation in Document Destruction Activities will reduce the likelihood that RIT community members' personal information falls victim to malicious attacks or loss. This activity will also provide an opportunity for faculty and staff to adhere to the RIT Records Management Policy (C22.0). Any questions regarding the appropriate retention period can be addressed to the RIT Office of Legal Affairs.
When are my Document Destruction Activities?
Contact your Private Information Management Initiative representative to find out what activities are being planned in your college or division for document destruction.
What do I need to do for my Document Destruction Activities?
It is important that you keep track of any documents that may leave another person susceptible to identity theft attacks. In preparation for your department’s Document Destruction Activities, please review the files in your office to ensure that you have not retained any private information (e.g. Social Security Number, Bank Account Number, Credit Card Number or Drivers License) that is not critical to your current work. Take this opportunity to review files and dispose of them in accordance with the RIT Records Management Policy (C22.0).
We encourage you to review your files now and dispose of those containing Private Information securely. Ensure that any RIT files in your home do not contain any private information.
How do I dispose of portable media and paper documents containing Private Information securely?
Visit our Information Disposal page for recommendations.
What if I have questions?
Contact your division or college's PIMI representative.