Security

Desktop and Portable Computer Security Standard

Desktop and Portable Computer Standard

To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.

What does it apply to?

  • All RIT-owned or leased computers.
  • Any computer (physical or virtual) connecting to the RIT network through a physical, wireless, dial-up, or VPN connection.

The standard is not required for the following devices. They should nevertheless employ these controls to the extent possible, commensurate with the risk of the information accessed or stored on them:

  • Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
  • Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.

Storage of Private information is prohibited on these devices.

What do I need to do?


Security Education, Training, & Awareness

Information security is a complex and constantly changing field, and individuals at every level of the organization need to keep pace with it in order to keep RIT information resources secure. RIT offers the following education, training, and awareness programs to help everyone, from end users to system administrators, stay current with information security trends.

Academic Education

  • The GCCIS NSSA department provides a variety of information security courses at the graduate and undergraduate level.

Training

  • Orientation sessions: The ISO provides introductory information security training and materials at new student and new employee orientations. Check out the 2010 Fall New Student Orientation presentation delivered by E. Philip Saunders College of Business faculty member Neil Hair (Neil Hair presentation).
  • Digital Self Defense training: Training specifically designed to help end users be secure. Visit the E-Learning Zone to view the current course schedule or take online training.
  • Custom training: The ISO will customize training based on a particular need. Please contact Ben Woelk at fbwis@rit.edu.

Awareness

  • Unfamiliar with information security? Our award-winning interactive website will help you learn the basics. You can also find links to videos and articles covering information security here.
  • The Information Security Office conducts a number of awareness campaigns throughout the year.
  • We communicate regularly through the RIT Message Center with Alerts and Advisories to make the RIT community aware of current threats and vulnerabilities.

Information Security Awareness Resources

  • Visit our Posters and Videos page for a selection of our current posters and to view student-produced videos from EDUCAUSE.
  • Visit the pages in our Keeping Safe section to learn how you can use the Internet safely and avoid online dangers such as phishing and identity theft.
  • Contact us at infosec@rit.edu for copies of our printed materials, including posters and brochures.

Threat Management

In order to reduce information security risks, the RIT Information Security Office (ISO) actively works to identify threat agents that are seeking to exploit vulnerabilities in the environment. This consists of scanning network traffic for threats. For more information, please contact the Information Security Officer.

Current Internet Threats

Vulnerability Management Program at RIT

In order to reduce information security risks, the RIT Information Security Office (ISO) conducts periodic vulnerability assessments that consist of scanning computers campus-wide for high-risk exposures. In addition, the ISO may scan as needed for vulnerabilities that are under attack.

What is RIT scanning for?

The vulnerability assessments will include scans of communication services, operating systems, and applications to identify high-risk system weaknesses that could be exploited by intruders. Exploitation of these weaknesses has the potential to compromise the confidentiality, integrity, or availability of RIT information resources.

Which computers may be scanned?

All computers connected to the Institute campus network may be scanned, including but not limited to those located in the residence halls, as well as remote computers accessing the RIT network through VPN. The Network Security Standard requires that any system connecting to the network be scanned regularly to identify hosts that are vulnerable to remotely exploitable attacks.

What information is obtained and how will it be treated?

Vulnerability scanning will provide an inventory of vulnerabilities and their criticality. This information will be treated as RIT Confidential. The scans will not search the content of personal electronic files on the scanned computers. In addition, the scans should not cause network outages, although systems administrators may see entries from the scans reflected in their logs.

How will critical vulnerabilities be handled?

If critical vulnerabilities are identified, the ISO will work collaboratively with the responsible systems administrator or team to address the vulnerabilities. If the critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan to address them, the ISO will initiate a conversation between the systems administration team and the information steward of that organization. The ISO intends to work collaboratively with systems administration teams and their information stewards to improve the security posture of their organization.

Information Security at RIT

Risk Management Framework

RIT has applied a risk management approach to information security. In order to manage information security risks, RIT attempts to:

  • Assess risks to identify and prioritize the greatest information security risks.
  • Prevent information losses through policies/standards/guidelines, technical controls, and education/training/awareness.
  • Minimize a loss, in the event one occurs, through incident response, business continuity, and disaster recovery. When it is unclear whether a loss has occurred, RIT will conduct a forensics investigation.
  • Protect the RIT community from harm, in the event of a loss, through risk management and insurance practices.
  • Regularly evaluate information security through information security reviews and audits.

Step 1: Risk Assessment

Information security risk is created by the confluence of three major drivers: assets, vulnerabilities, and threats. In order to understand information security risk, it is necessary to understand the current and future state of each of these elements. In order to minimize risk, it is necessary to manage assets, vulnerabilities, and threats through formalized programs.

Step 2: Loss Prevention

Step 3: Loss Control

Loss Control is accomplished through initiatives in the following areas:

Step 4: Loss Financing

Loss Financing transfers risks to third parties through:

  • Contracts
  • Insurance
  • Self-Insurance

Step 5: Evaluation

Evaluation is provided through:

  • An exception process to manage Residual Risk
  • Metrics and reporting
  • Audit support

Structure and Resources

Distributed roles and responsibilities

  • Extended Team
  • PIMI Business and Technical Reps
  • System and application administrators
  • End users

Co-op Program

  • 2 engineering co-ops plus part time
  • 1 communications co-op
For more information, contact us at infosec@rit.edu
