Security Standard: Solutions Life Cycle Management

Security Standard: Solutions Life Cycle Management



The standard applies to new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:

  • host or provide access to Private or Confidential information
  • support a Critical Business Process



The following security controls are required to be implemented.

1.      Engagement

1.1.   Contact the Information Security Office prior to investigating, evaluating, selecting, or developing a new solution.

2.     Planning and Preliminary Risk Assessment

2.1.   The Information Security Office will determine applicable security requirements and provide a preliminary risk assessment.

3.     Business Contract Phase

3.1.   Any proposed contract will be reviewed and revised in accordance with procurement services procedures ( under the direction of RIT Procurement Services.

4.      Development

4.1.   The solution owner will inform the Information Security Office of any changes to the security requirements during development.

4.2.   Solutions development, testing, and production should be performed in separate environments.

4.3.   Test data should not include Private or Confidential information unless the security controls in test and development are the same as those in production.

4.4.   The solution owner should identify solution administrators.

5.      Security Review

5.1.   The Information Security Office or its authorized representative will conduct a Security Review.

5.2.   The Information Security office will perform an appropriate vulnerability assessment and penetration test before solution implementation.

6.      Maintenance

6.1.   The solution owner is responsible for ensuring that the security impact of any change is evaluated and notify the Information Security Office accordingly if there is a potential increase in risk.

7.      Solutions Retirement/Disposal

7.1.   The solution owner will ensure that the solution is evaluated at an appropriate interval and retired if appropriate.

7.2.   The solution administrator should ensure that Information is retained in accordance with the Records Management Policy, and to accommodate future technology changes that may render the retrieval method obsolete.

7.3.   The solution administrator should ensure that Information is disposed of as required by the Information Access and Protection Standard.


Effective Date: January 23, 2015

Standard History: November 11, 2013

Web Security Standard

Web Security Standard

The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements.

Documented Standard

  • Current Web Security Standard (supersedes previous version, comply by 1/23/15)
  • 11/11/13 Web Standard PDF (effective through 1/22/15)
  • NOTE: As of 12/5/2014, SSL is no longer considered to be secure.

When am I required to follow the standard?

  • If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • If you have a web page at RIT, official or unofficial, and you use RIT authentication services.


  • Effective 2/13/15, the RIT Information Security Office no longer provides scanning services to support RIT web pages. Contact us for more information.


Updated 2/11/2015

Subscribe to RSS - Services