Security Standard: Solutions Life Cycle Management

Security Standard: Solutions Life Cycle Management



The standard applies to new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:

  • host or provide access to Private or Confidential information
  • support a Critical Business Process



The following security controls are required to be implemented.

1.      Engagement

1.1.   Contact the Information Security Office prior to investigating, evaluating, selecting, or developing a new solution.

2.     Planning and Preliminary Risk Assessment

2.1.   The Information Security Office will determine applicable security requirements and provide a preliminary risk assessment.

3.     Business Contract Phase

3.1.   Any proposed contract will be reviewed and revised in accordance with procurement services procedures (http://finweb.rit.edu/purchasing/) under the direction of RIT Procurement Services.

4.      Development

4.1.   The solution owner will inform the Information Security Office of any changes to the security requirements during development.

4.2.   Solutions development, testing, and production should be performed in separate environments.

4.3.   Test data should not include Private or Confidential information unless the security controls in test and development are the same as those in production.

4.4.   The solution owner should identify solution administrators.

5.      Security Review

5.1.   The Information Security Office or its authorized representative will conduct a Security Review.

5.2.   The Information Security office will perform an appropriate vulnerability assessment and penetration test before solution implementation.

6.      Maintenance

6.1.   The solution owner is responsible for ensuring that the security impact of any change is evaluated and notify the Information Security Office accordingly if there is a potential increase in risk.

7.      Solutions Retirement/Disposal

7.1.   The solution owner will ensure that the solution is evaluated at an appropriate interval and retired if appropriate.

7.2.   The solution administrator should ensure that Information is retained in accordance with the Records Management Policy, and to accommodate future technology changes that may render the retrieval method obsolete.

7.3.   The solution administrator should ensure that Information is disposed of as required by the Information Access and Protection Standard.


Effective Date: January 23, 2015

Standard History: November 11, 2013

Exception Process

Exception Process and Compliance

Updated 6/11/14

Anyone not in compliance with an Information Security Standard is subject to sanctions including suspension of computer and network privileges and/or the full range of current Institute personnel and student disciplinary processes.

In a small number of circumstances, it may not be possible to comply with an Information Security Standard.   The Information Security Office has provided the following method for obtaining an exception to compliance with a published information security standard.  Exceptions should be approved and signed by the appropriate Information Trustee (VP, Dean, or CIO).  (An email endorsing the exception request is acceptable.)

An exception MAY be granted by the RIT Information Security Office for non‑compliance with a standard resulting from:

  • Implementation of a solution with equivalent protection.
  • Implementation of a solution with superior protection.
  • Impending retirement of a legacy system.
  • Inability to implement the standard due to some limitation


Exceptions are granted for a specific period of time, not to exceed two years and are reviewed on a case-by-case basis and their approval is not automatic.

The Exception Request should include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Proposed assessment of risk associated with non-compliance
  • Proposed plan for managing the risk associated with non-compliance
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review date to evaluate progress toward compliance
  • Endorsement of the request by the appropriate Information Trustee (VP, Dean, or CIO).


If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request should still be submitted.


Submit the Exception Request Form to the Information Security Office, infosec@rit.edu, ROS 10-A200.

Information Security at RIT

Information Security at RIT

Risk Management Framework

RIT has applied a risk management approach to information security.  In order to manage information security risks, RIT attempts to:

  • Assess risks to identify and prioritize the greatest information security risks
  • Prevent information losses through policies/standards/guidelines, technical controls and education/training/awareness.
  • In the event of a loss, RIT seeks to minimize that loss through incident response, business continuity, and disaster recovery. When it is unclear whether a loss has occurred, RIT will conduct a forensics investigation.
  • In the event of a loss, RIT seeks to protect the RIT community from harm through risk management and insurance practices.
  • RIT regularly evaluates  information security through information security reviews and audits.

Step 1: Risk Assessment

Risk assessment (step 1)

Information security risk is created by the confluence of three major drivers: assets, vulnerabilities, and threats. In order to understand information security risk, it is necessary to understand the current and future state of each of these elements.  In order to minimize risk, it is necessary to manage assets, vulnerabilities, and threats through formalized programs.

Step 2: Loss Prevention

loss prevention (step 2)

Step 3: Loss Control

Loss Control is accomplished through initiatives in the following areas:

Step 4: Loss Financing

Loss Financing transfers risks to third parties through:

  • Contracts
  • Insurance
  • Self-Insurance

Step 5: Evaluation

Evaluation is provided through:

  • An exception process to manage Residual Risk
  • Metrics and reporting
  • Audit support

Structure and Resources

Distributed roles and responsibilities

  • Extended Team
  • PIMI Business and Technical Reps
  • System and application administrators
  • End users

Co-op Program

  • 2 engineering co-ops plus part time
  • 1 communications co-op
For more information, contact us at infosec@rit.edu
Subscribe to RSS - Risk