Requirements for Faculty/Staff

Faculty and Staff

Information Handling Quick Links

  • Digital Self Defense 103 - Information Handling: Covers important security issues at RIT and best practices for handling information safely.
  • Disposal Recommendations: How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
  • Recommended and Acceptable Portable Media: List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
  • Mobile Device Usage Recommendations: Recommendations for mobile device usage at RIT.
  • VPN: Recommended for wireless access to RIT Confidential information.
  • E-mail at RIT: Improve the security of your e-mail at RIT.

Safe Practices

  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.

Questions

If you have questions or feedback about specific information security requirements, please contact us.

Requirements for Students

Each RIT security standard below is listed with the conditions under which it applies to students.

Desktop and Portable Computer Standard
Applies: Always

Password Standard
Applies: Always

Signature Standard
Applies: Always. All authentic RIT communications should include an appropriate signature as per the standard. Make it a habit to check for an authentic signature when receiving messages from RIT.

Web Security Standard
Applies if you have a web page at RIT, official or unofficial, and you:
  • Host or provide access to Confidential information. If you’re hosting or providing access to Private information, contact us at infosec@rit.edu immediately. Private and Confidential information are defined in the Information Access and Protection Standard.
  • Use RIT authentication services

Computer Incident Handling Standard
Applies if the affected computer or device:
  • Contains Private or Confidential information
  • Poses a threat to the Institute network

Network Security Standard
Applies if you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure
  • Processes Confidential information. If you’re providing access to Private information, contact us at infosec@rit.edu immediately.

Portable Media Standard
Applies if you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory.

Networking Devices

  • Currently, personal networking devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. Resnet has created separate guidelines for Using a Router/Wireless Router on the RIT Network.

Cloud Computing Best Practices

We've provided some general information below about cloud computing. At RIT, information handling requirements (including the use of non-RIT servers for storage) are set out in the Information Access and Protection Standard. Refer to that standard for the storage restrictions that apply to each information classification.

Cloud computing has real benefits, but the practice of storing content on someone else's servers is under more scrutiny than ever. There is no silver-bullet solution to securing a cloud service; understanding what you can control is the best way to keep your information private.

  • Keep up to date with the latest cloud security developments. Cloud services evolve constantly in response to new threats, so patch and upgrade your own systems as promptly as possible. As one article puts it, “hackers target vulnerable operating systems that don't have properly applied patches.”
  • Keep a local copy of your files. Treat a locally cached copy as a backup for your cloud service. Cloud storage is ideal for sharing team files, but when the network or the service goes down, work stops. Having local files to work from, even if they are not perfectly synced, lets you keep going. A local copy also helps after a security breach: comparing checksums of the local copy against the current contents of the synced folder shows exactly which files were changed or deleted.
  • Don’t rely on cloud computing alone. If you don't maintain it, there is no guarantee that your information will be there. When Megaupload was taken down by the FBI, many users lost all of their own data as part of the effort to stop the distribution of copyrighted material. Cloud Service Providers (CSPs) sometimes recommend storing your data with several cloud services; that adds subscription cost and is less effective than a backup you host yourself, since several services may ultimately depend on the same underlying provider.
  • Know which of the programs and services you use are backed by cloud service providers. This lets you track what information you could lose, or have stolen, if a CSP is breached. If you don't know what is stored where, you may become an unsuspecting victim.
  • Be aware that your system can easily be moved to another server in the CSP’s network. That mobility is a major advantage of cloud computing, but if you handle sensitive or classified information it is better, at this stage of cloud service development, to work exclusively with more secure in-house systems.
  • Keep up to date on infrastructure or policy changes at your CSP. A good relationship with your CSP matters, so that you learn when they change how your information is handled and secured. You may not get the same visibility into security that an internal system gives you, but knowing how your information is stored and monitored can alert you to a problem quickly.
  • Compare encryption standards between CSPs. Look for the Advanced Encryption Standard (AES), the NIST-approved symmetric cipher and the best general-purpose choice currently available. Keep in mind what provider-side encryption buys you: if the provider holds the keys, the encryption protects against theft of the physical media, not against the provider itself or against anyone who compromises its key store. Encrypting files before upload, with keys you control, is the stronger control. An SAS 70 Type II audited datacenter was also widely acknowledged as a well-controlled physical home for information (SAS 70 has since been superseded by SSAE 16 and the SOC 1/SOC 2 reports, so ask a provider for a current SOC 2 report instead). A CSP that offers both will help secure your information a bit better.
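The local-copy advice above says a cached copy lets you find changed or deleted files after a breach. The following is an added example, not part of the original page and not an RIT tool, showing how to do that: build a SHA-256 manifest of a folder, keep it somewhere the sync client cannot write, and diff it against a later snapshot. The sample files and the simulated tampering are constructed inline; the function names are the example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 (SHA-2 family). Collision attacks on MD5 and SHA-1 are practical, so
# neither should anchor an integrity check where an attacker can choose content.
HASH_ALG = "sha256"


def digest_bytes(data: bytes) -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(HASH_ALG, data).hexdigest()


def hash_file(path: Path) -> str:
    """Hex digest of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report which files were added, deleted or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline if k in current and baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a folder, tamper with it, snapshot again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "notes" / "plan.txt").write_bytes(b"project plan v1\n")
        (root / "budget.csv").write_bytes(b"item,cost\nlaptop,1200\n")
        # In real use, store this baseline outside the synced folder: an attacker
        # who can rewrite your files can rewrite a manifest kept beside them.
        baseline = build_manifest(root)

        # Simulated incident on the synced copy: one file altered, one deleted, one planted.
        (root / "budget.csv").write_bytes(b"item,cost\nlaptop,12000\n")
        (root / "notes" / "plan.txt").unlink()
        (root / "dropper.exe").write_bytes(b"MZ\x90\x00 constructed sample, not a real binary")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest only detects tampering if the attacker cannot also rewrite it, which is why the baseline belongs on media or a host the cloud client never touches; the same comparison, run against a fresh download from the service, tells you whether the provider's copy or your local copy is the one that drifted.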

Encryption at RIT

Several RIT Security Standards refer to ISO-approved encryption ("ISO" here is the RIT Information Security Office). ISO-approved encryption is divided into two categories: Preferred and Acceptable. Preferred encryption methods were chosen based on standard industry usage and their ability to support RIT business processes. RIT's current product is McAfee FDE.

Preferred Encryption

Each entry below gives the purpose, the preferred algorithms and key sizes, the RIT Security Standard(s) that reference it, and comments.

Network Connections (including web browsers)
  • Algorithms: Currently only SSL 3.0 and TLS 1.0 are supported, with cipher suites at 128-bit and above.
  • RIT Security Standard: Web, Network

Laptop/Desktop Encryption
  • Algorithms: AES 256-bit is recommended, although AES 128-bit or higher is adequate. 3DES has also been approved.
  • RIT Security Standard: Desktop and Portable Computer
  • Comments: Centrally-managed whole disk encryption is required to meet the 2009 Desktop and Portable Computer Standard.

Server
  • Algorithms: AES is recommended only at 256-bit. RC4 is currently supported until June 2009.
  • RIT Security Standard: Server

Portable Media
  • Algorithms: AES 128-bit and above; 256-bit is recommended. 3DES and Twofish are adequate.
  • RIT Security Standard: Portable Media

Public/Private Key Encryption and Signing
  • Algorithms: PGP keys of 2048 bits or greater and RSA keys of 1024 bits or greater.

Cryptographic Hashes/Checksums
  • Algorithms: SHA-2, RIPEMD-320, and the Tiger hash are all adequate for hash comparison.
  • Comments: SHA-1 and RIPEMD-128/160 were long considered strong algorithms, but there is reason to suspect they are susceptible to collision attacks (two different inputs producing the same hash), so their use is not recommended where collision resistance is required, such as digital signatures or integrity checks on content an attacker can choose. In such cases, SHA-2 or RIPEMD-320 is recommended. That suspicion has since been confirmed for SHA-1: a practical collision was publicly demonstrated in 2017.

Note that the entries above reflect the state of practice when the standards were written (the dates given refer to 2009), and several have since been withdrawn by the relevant standards bodies: SSL 3.0 was deprecated by RFC 7568 and TLS 1.0 and 1.1 by RFC 8996; RC4 is prohibited in TLS by RFC 7465; and NIST (SP 800-131A) no longer approves 3DES for new applications or RSA keys shorter than 2048 bits. Treat the table as the floor it was at the time, and check the current standard before relying on any entry.

Acceptable Encryption

Use of non-preferred encryption methods is discouraged. However, we recognize that there may be times when business or other requirements are better served by an alternative algorithm. In those cases, developers should reference the Educause Encryption Strength Support Matrix. (This matrix and its accompanying explanatory text were developed by Jim Moore, RIT Information Security Office.) Algorithms with a strength rating of High are acceptable for use at RIT. Use of algorithms with a strength rating of Low or Medium is not permitted.

Encryption Strength

Encryption strength is a relative concept. Both the algorithm used and the length of the key used to encrypt data determine the strength of encryption: a long key does not help if the algorithm itself is broken, and a sound algorithm with a short key can be brute-forced. Encryption services also perform cryptographic functions beyond data encryption, such as the hashing and signing listed above.

Key Management Requirements

Security of the key management process for encryption keys is especially important. Security of encrypted content (ciphertext) may be compared to a physical lock and key. The algorithm provides the lock. The encryption key unlocks the ciphertext. If the key is weak or compromised, the encryption can be broken. Key revocation provides a means to disallow or change a compromised key and "re-key" the lock.

Many encryption algorithms have the potential to lock access to data permanently if the key is lost. Key escrow provides a "copy" of the key to enable access to the data.

Centralized encryption/key management ensures that data will remain both encrypted and accessible. Non-centralized or individual encryption without key escrow may make encrypted RIT information inaccessible if the key is lost. Use of non-centralized or individual encryption of RIT information assets is allowed only through a granted exception and requires an ISO-reviewed key escrow and revocation process.
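RIT's escrow is the centrally managed key store of the McAfee FDE product named above. The following is an added example, not RIT's process and not McAfee code, showing one way an escrow scheme can provide the "copy" of the key the paragraph describes without handing any single custodian a complete copy: Shamir threshold secret sharing. A 256-bit disk-encryption key is split into five shares, any three of which recover it, while any two reveal nothing. The key, the five custodians, and the 3-of-5 policy are assumptions for the example.

```python
import secrets

# Field for the polynomial arithmetic: the Mersenne prime 2^521 - 1. Any key shorter
# than 521 bits (e.g. a 256-bit AES key) fits in a single field element.
PRIME = 2**521 - 1


def _poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, shares: int, threshold: int):
    """Split key into `shares` points on a random polynomial of degree threshold-1.

    The constant term is the key itself, so any `threshold` points determine it,
    and any fewer are consistent with every possible value of the constant term.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares) -> int:
    """Lagrange interpolation at x = 0 over the supplied (x, y) points."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len: int) -> bytes:
    """Rebuild the key bytes from at least `threshold` distinct shares."""
    return recover_int(shares).to_bytes(key_len, "big")


def demo() -> bool:
    """Constructed scenario: a 256-bit disk-encryption key escrowed 3-of-5."""
    key = secrets.token_bytes(32)          # assumed: the data-encryption key to escrow
    shares = split_key(key, shares=5, threshold=3)
    # Any three custodians can reconstruct the key; two cannot.
    ok = recover_key([shares[0], shares[2], shares[4]], 32) == key
    too_few = recover_int(shares[:2]) != int.from_bytes(key, "big")
    return ok and too_few


if __name__ == "__main__":
    print("3-of-5 escrow recovered the key:", demo())
```

Each share goes to a different custodian over a separate secure channel, and the threshold is what lets the scheme survive both a lost laptop key and an absent custodian. Revocation still has to be handled separately: re-keying means generating a new key, re-encrypting the data, and re-splitting, because shares of a compromised key are worthless once that key is known.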
