information assets of Rochester Institute of Technology
("RIT") must be available to the RIT community, protected
commensurate with their value, and must be administered
in conformance with federal and state law. Reasonable
measures shall be taken to protect these assets against
accidental or unauthorized access, disclosure, modification
or destruction, as well as to reasonably assure the
confidentiality, integrity, availability, authenticity
of information Reasonable measures shall also be taken
to reasonably assure availability, integrity, and utility
of information systems and the supporting infrastructure,
in order to protect the productivity of members of the
RIT community, in pursuit of the RIT mission.
Safeguards : Administrative,
technical, and physical controls that support the confidentiality,
integrity, availability, and authenticity of information.
systems and supporting infrastructure :
Information in its analog and digital forms and the
software, network, computers, tokens, and storage devices
that support the use of information.
Protection : Information
systems and supporting infrastructure have a lifecycle
that begins with evaluation and selection, and advances
through planning, development/acquisition, and operations
through to disposal or retirement. Information safeguards
are needed at all phases of the lifecycle.
depend on the system,
its capabilities, and expected usage, as well as anticipated
threats against the information.
controls include use of encryption, information
integrity measures, security configuration, media
reuse, use of antivirus, and physical protection
controls include network and information
access monitoring, and intrusion detection (host based
or network based), manual or automated review of security
controls include recovery plans from handling
isolated information safeguard failure incidents to
business continuity plans.
RIT will take reasonable steps to:
one or more individuals to identify and assess the
risks to non-public or business-critical information
within the Institute and establish an Institute-wide
information security plan.
publish, maintain, and enforce standards for lifecycle
protection of RIT information systems and supporting
infrastructure in the areas of networking, computing,
storage, human or device/application authentication,
human or device/application access control, incident
response, applications or information portals, electronic
messaging, and encryption.
publish, maintain, and enforce standards for RIT workforce
security related to the responsible use of information.
training to authorized Institute users in the responsible
use of information, applications, information systems,
networks, and computing devices.
publish, maintain and enforce standards to guide RIT
business associates and outsource partners in meeting
RIT's standards of lifecycle protection when handling
RIT information or supporting RIT information systems
and supporting infrastructure.
the exchange of information security knowledge, including
threats, risks, countermeasures, controls, and best
practices both within and outside the Institute.
evaluate the effectiveness of information security
controls in technology and process.
May 17, 2006