
C08.1 Information Security Policy

I. Introduction

The information assets of Rochester Institute of Technology (“RIT”) must be available to the RIT community, protected commensurate with their value, and must be administered in conformance with policy, regulation, and applicable law. The increasing pace of change and complexity require the maintenance of reasonable measures to protect these assets against accidental or unauthorized access, disclosure, modification or destruction, as well as to reasonably assure the confidentiality, integrity, availability, and authenticity of information. Reasonable measures shall also be taken to reasonably assure availability, integrity, and utility of information systems and the supporting infrastructure, in order to protect the productivity of members of the RIT community, in pursuit of the RIT vision and mission.

In order to foster research and academic collaboration, additional requirements governing information handling for research are located on the Research Computing Website.

II. Definitions

  1. Information Assets: University data, systems, hardware, software, and devices.

  2. Information Safeguards: Administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information.

  3. Information systems and supporting infrastructure: Information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information.

  4. Lifecycle Protection: Information systems and supporting infrastructure have a lifecycle that begins with evaluation and selection, and advances through planning, development/acquisition, and operations through to disposal or retirement. Information safeguards are needed at all phases of the lifecycle.

Controls depend on the system, its capabilities, and expected usage, as well as anticipated threats against the information.

  1. Security Controls:

    1. Preventive - include use of encryption, information integrity measures, security configuration, media reuse, use of antivirus, and physical protection.

    2. Detective - include network and information access monitoring, intrusion detection (host-based or network-based), and manual or automated review of security logs.

    3. Corrective - include containment and recovery plans for handling information safeguard failure incidents, through to business continuity plans.

  2. Information Security Core Functions:

    1. Identify - assists in developing an organizational understanding of managing information security risk to people and information assets.

    2. Protect - supports the ability to identify, limit, or mitigate the impact of potential threats to information assets.

    3. Detect - defines the appropriate activities to identify the occurrences of potential and actual security incidents in a timely manner.

    4. Respond - includes appropriate activities to take action regarding a detected information security incident to minimize impact.

    5. Recover - restores services and information assets affected during information security incidents, identifies appropriate activities to maintain and improve resilience, and communicates appropriately.

III. Policy Statement

RIT is committed to elevating its overall information security posture and will take reasonable steps to:

  1. Establish, organize, sustain, and enhance measures necessary to perform information security core functions.

  2. Designate one or more individuals to identify and assess the risks to non-public or business-critical information within the university and establish a university-wide information security plan.

  3. Provide training to authorized university users in the responsible use and safeguarding of information, applications, information systems, networks, and computing devices.

  4. Develop, publish, maintain, and enforce standards for lifecycle protection of RIT information systems and supporting infrastructure in the areas of networking, computing, storage, human or device/application authentication, human or device/application access control, incident response, applications or information portals, electronic messaging, and encryption.

  5. Develop, publish, maintain, and enforce standards for RIT workforce security related to the responsible use of information.

  6. Develop, publish, maintain, and enforce standards to guide RIT business associates and third parties in meeting RIT’s standards of lifecycle protection when handling RIT information or supporting RIT information systems and supporting infrastructure.

  7. Encourage the exchange of information security knowledge, including threats, vulnerabilities, risks, countermeasures, controls, and best practices both within and outside the university.

  8. Periodically evaluate the effectiveness of information security controls.

  9. Properly dispose of electronic and physical records containing private or confidential data when no longer needed or required.

IV. Policy Violations

Violations of this policy may result in sanctions including suspension of computer and network privileges and/or the full range of disciplinary action, up to and including immediate termination of employment; for staff, the cancellation of contractual obligations for adjunct employees or non-RIT employees serving as clinical faculty or guest lecturers; or the initiation of dismissal for cause proceedings for tenure-track and non-tenure-track faculty. A violation of this Policy shall be considered personal conduct that substantially impairs one’s fulfillment of institutional responsibilities and shall be adequate cause as defined in RIT’s Dismissal of a Tenure-Track Faculty Member for Cause (E23.0) and Dismissal of a Non-Tenure-Track Faculty Member for Cause (E23.1).

V. Exceptions

Any exceptions to this policy must be submitted to the Information Security Office and approved through the exceptions process.

VI. Additional Information

For questions about policy interpretation, application or implementation, please contact the Information Security Office, infosec@rit.edu.

Related Documents:

Responsible Office:  Information Security Office/Information & Technology Services

Effective Date: July 1, 2019 (Interim)

Policy History:
Approved May 17, 2006
Edited August 2010
Edited August 2018 to change the responsible office
