RIT

Server Security Standard

Server Security Standard

The Server Standard provides requirements for server configuration and use at RIT.

A list of ISO-approved security assessment tools, HIPS programs, secure protocols, and a sample trespassing banner can be found in the Technical Resources

What does the standard apply to?

All servers (including production, training, test, and development) and the operating systems, applications, and databases as defined by this standard.

The standard does not apply to individual student-owned servers or faculty-assigned student servers for projects; however, administrators of these servers are encouraged to meet the Server Standard.

Recommended Strong Authentication Practices

The RIT Information Security Office recommends that all systems requiring strong authentication

  • comply with RIT's password and authentication standard (REQUIRED)
  • use a complex password of 12 or more characters. Fifteen or more characters are preferred.
  • use multi-factor authentication such as:
    • tokens
    • smart cards
    • soft tokens
    • certificate-based authentication (PKI)
    • one-time passwords (OTP)
    • challenge / response systems
    • biometrics

Approved Vulnerability Scanners

Nessus, Nexpose, and NMap are approved for scanning servers at RIT. For information on the scanning conducted by the RIT Information Security Office see the Vulnerability Management Program at RIT.

Approved Encryption Methods

See Encryption at RIT for approved encryption methods.

Server Security Standard

 

Computer Incident Handling Standard

Computer Incident Handling Standard

RIT has created a process for handling computer incidents to ensure that each incident is appropriately resolved and further preventative measures are implemented.

Computer Incident Handling Standard

Who does the standard apply to?

  • The standard primarily applies to administrators of RIT-owned or leased computing devices.
  • The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.

What is an incident?

Incidents include the following types of events:

  • Physical loss of a computing device (including storage devices)
  • Detection of unauthorized users accessing a computing device
  • Discovery of malware on a computing device
  • Discovery of critical vulnerabilities or improper configuration that could result in a breach of information

What do I have to do?






Group Action Needed
Everyone If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.
Self-supported users
  • If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
  • If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.
Users supported by Systems Administrators
  • Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high risk threats, they will engage the Computer Incident Handling process.
  • Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.
System Administrators

Resources

 

Web Security Standard

Web Security Standard

The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements.

Documented Standard

When am I required to follow the standard?

  • If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • If you have a web page at RIT, official or unofficial, and you use RIT authentication services.

Scanning

  • The RIT Information Security Office provides scanning services to support RIT web pages. Contact Paul Lepkowski, RIT Security Engineer, for more information.

Resources

 

Pages

Subscribe to RSS - RIT