Standard

Portable Media

Portable Media Security Standard

Portable media such as USB keys, flash memory, CDs/DVDs, etc. are a crucial part of daily business. However, portable media is easily lost or stolen and may cause a security breach.

Because portable media can be stolen or compromised easily, users should take precautions when using it to transfer or store Confidential information. We strongyly discourage placing Private Information on portable media.

 

Approved Portable Media (updated 6/20/2013)

When handling RIT Confidential information, you should use only portable media that provides an approved encryption level (the RIT Information Security Office requires 128-bit or 256-bit AES encryption).

USB Memory/flash drives

Recommended
  • IronKey
  • Stealth MXP™ (biometric capable)
  • Stealth MXP™ Passport
  • Apricorn Aegis Secure Key
  • Imation Defender F200 Biometric
Acceptable
  • Lexar JumpDrive Lightning
  • Lexar JumpDrive Secure 2 Plus
  • Kanguru Defender
  • Kanguru Defender Pro
  • Kanguru Defender 2000
  • Kanguru Bio AES
  • KanguruMicro Drive AES
  • Kingston Data Traveler BlackBox
  • Kingston Data Traveler Vault – Privacy Edition
  • McAfee Zero-footprint Bio FIPS
  • SanDisk Cruzer Enterprise
Secure Option for External Backups
  • MXI Outbacker MXP Bio (External HDD)
  • Apricorn Aegis Padlock Pro
Unacceptable

USB memory that doesn't include encryption

Encryption of CD’s, DVD’s, Removable Hard Drives, and Other Portable Media

Please contact Paul Lepkowski, RIT Security Engineer, for recommended encryption methods.

3rd Party Encryption Products

The RIT Information Security Office requires 128-bit or 256-bit AES encryption to protect RIT Confidential information when transferred or stored on portable media.

Media Disposal Recommendations

Media

Disposal Method

Paper

Use a shredder. Crosscut is preferred over a strip shredder.

CD, DVD, diskette, etc.

Use the media shredder (located at the ITS HelpDesk, 7B-1113).

Hard Drives

If the hard drive is to be reused, contact your support organization for recommendations for secure erasure.

If the hard drive is damaged or will not be reused, render the hard drive unreadable by using the degausser (located at the ITS HelpDesk, 7B-1113).

Tapes

Use the degausser (located at the ITS HelpDesk, 7B-1113).

Other

Use an industry standard means of secure disposal.

 

Server Security Standard

Server Security Standard

The Server Standard provides requirements for server configuration and use at RIT.

A list of ISO-approved security assessment tools, HIPS programs, secure protocols, and a sample trespassing banner can be found in the Technical Resources

What does the standard apply to?

All servers (including production, training, test, and development) and the operating systems, applications, and databases as defined by this standard.

The standard does not apply to individual student-owned servers or faculty-assigned student servers for projects; however, administrators of these servers are encouraged to meet the Server Standard.

Recommended Strong Authentication Practices

The RIT Information Security Office recommends that all systems requiring strong authentication

  • comply with RIT's password and authentication standard (REQUIRED)
  • use a complex password of 12 or more characters. Fifteen or more characters are preferred.
  • use multi-factor authentication such as:
    • tokens
    • smart cards
    • soft tokens
    • certificate-based authentication (PKI)
    • one-time passwords (OTP)
    • challenge / response systems
    • biometrics

Approved Vulnerability Scanners

Nessus, Nexpose, and NMap are approved for scanning servers at RIT. For information on the scanning conducted by the RIT Information Security Office see the Vulnerability Management Program at RIT.

Approved Encryption Methods

See Encryption at RIT for approved encryption methods.

Server Security Standard

 

Network Security Standard

Network Security Standard

The Network Security Standard provides measures to prevent, detect, and correct network compromises. The standard is based on both new practices and best practices currently in use at RIT.

Please consult the checklist or the standard below for a complete list of requirements.

Who does it apply to?

All systems or network administrators managing devices that:

  • Connect to the centrally-managed Institute network infrastructure
  • Process Private or Confidential Information
 

Currently, personal network devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. However, the use of wireless routers is prohibited in residential areas on campus. The use of wired routers is still acceptable. Read and comply with the requirements in the Resnet guide to Using a Router on the RIT Network prior to using them.

See our Wireless Networking page for information on how to access wireless networks at RIT and how to set up and use a wireless network at home.

What do I need to do?

Use the Network Security Checklist to set up your networking device.

Network Security Standard

Network administrators should consult the Technical Resources pages for detailed information, including preferred and prohibited protocols, trespassing banners, etc.

 

Computer Incident Handling Standard

Computer Incident Handling Standard

RIT has created a process for handling computer incidents to ensure that each incident is appropriately resolved and further preventative measures are implemented.

Computer Incident Handling Standard

Who does the standard apply to?

  • The standard primarily applies to administrators of RIT-owned or leased computing devices.
  • The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.

What is an incident?

Incidents include the following types of events:

  • Physical loss of a computing device (including storage devices)
  • Detection of unauthorized users accessing a computing device
  • Discovery of malware on a computing device
  • Discovery of critical vulnerabilities or improper configuration that could result in a breach of information

What do I have to do?






Group Action Needed
Everyone If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.
Self-supported users
  • If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
  • If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.
Users supported by Systems Administrators
  • Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high risk threats, they will engage the Computer Incident Handling process.
  • Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.
System Administrators

Resources

 

Web Security Standard

Web Security Standard

The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements.

Documented Standard

When am I required to follow the standard?

  • If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • If you have a web page at RIT, official or unofficial, and you use RIT authentication services.

Scanning

  • The RIT Information Security Office provides scanning services to support RIT web pages. Contact Paul Lepkowski, RIT Security Engineer, for more information.

Resources

 

Pages

Subscribe to RSS - Standard