C08.1 Information Security Policy

I. Introduction

The Information Security Policy is the umbrella policy for a framework of standards that provides specific requirements around use of RIT information assets. Compliance with the standards ensures that the information assets of Rochester Institute of Technology (“RIT”) are available to the RIT community, protected commensurate with their value, and administered in conformance with policy, regulation, and applicable law. The increasing pace of change and complexity require the maintenance of reasonable measures to protect these assets against accidental or unauthorized access, disclosure, modification or destruction, as well as to reasonably ensure the confidentiality, integrity, availability, and authenticity of information. Reasonable measures shall also be taken to ensure availability, integrity, and utility of information systems and the supporting infrastructure, in order to protect the productivity of members of the RIT community, in pursuit of the RIT vision and mission.

Researchers may need to comply with various regulatory, contractual, or other information handling requirements. In order to foster research and academic collaboration, please contact the RIT Information Security Office (ISO) and Sponsored Research Services (SRS) for additional requirements governing information handling for research. 

II. Definitions

  1. Information Security Standards: Procedural and technical extensions of this policy addressing areas where the rate of change would preclude inclusion in the standard university governance process.  Information Security Standards are developed and reviewed by the Information Security Council composed of one or more representatives from every college and division.

  2. Information Assets: University data, systems, hardware, software, and devices.

  3. Information Safeguards: Administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information.

  4. Information systems and supporting infrastructure: Information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information.

  5. Lifecycle Protection: Information systems and supporting infrastructure have a lifecycle that begins with evaluation and selection, and advances through planning, development/ acquisition, and operations through to disposal or retirement. Information safeguards are needed at all phases of the lifecycle.

Specific controls depend on the system, its capabilities, and expected usage, as well as anticipated threats against the information.

  1. Security Controls:

    1. Preventive - includes use of encryption, information integrity measures, security configuration, media reuse, use of antivirus, and physical protection.

    2. Detective - includes network and information access monitoring, and intrusion detection (host based or network based), manual or automated review of security logs.

    3. Corrective - includes containment and recovery plans for handling information safeguard failure incidents to business continuity plans.

  2. Information Security Core Functions:

    1. Identify - assists in developing an organizational understanding of managing information security risk to people and information assets.

    2. Protect - supports the ability to identify, limit, or mitigate the impact of potential threats to information assets.

    3. Detect - defines the appropriate activities to identify the occurrences of potential and actual security incidents in a timely manner.

    4. Respond - includes appropriate activities to take action regarding a detected information security incident to minimize impact.

    5. Recover - restores services and information assets affected during information security incidents, identifies appropriate activities to maintain and improve resilience, and communicates appropriately.

III. Policy Statement

RIT is committed to improving its overall information security posture and will take reasonable steps to:

  1. Establish, organize, sustain, and enhance measures necessary to perform information security core functions.

  2. Designate one or more individuals to identify and assess the risks to non-public or business-critical information within the university and establish a university-wide information security plan.

  3. Provide recommended and mandatory training (C25.0 Policy on Mandatory Training) to authorized university users in the responsible use and safeguarding of information, applications, information systems, networks, and computing devices. Consult the Training Schedule provided by the Office of Compliance and Ethics for required training and frequency.

  4. Develop, publish, maintain, and enforce Policies and Standards for lifecycle protection of RIT information systems and supporting infrastructure.

  5. Develop, publish, maintain, and enforce Policies and Standards related to the responsible use of information.

  6. Develop, publish, maintain and enforce Policies and Standards to guide RIT business associates and other third parties in meeting RIT’s standards of lifecycle protection when handling RIT information or supporting RIT information systems and supporting infrastructure.

  7. Encourage the exchange of information security knowledge, including threats, vulnerabilities, risks, countermeasures, controls, and best practices both within and outside the university.

  8. Periodically evaluate the effectiveness of information security controls.

  9. Properly dispose of electronic and physical records containing private or confidential data when no longer needed or required in accordance with C22.0 Records Management Policy.

IV. Policy Violations

RIT community members who suspect that someone is not handling RIT information according to these policies and standards should follow the instructions at Reporting an Incident as referenced in C00.0 Code of Ethical Conduct and Compliance.

  1. Investigation of Suspected Violations – The RIT Information Security Office, in conjunction with Public Safety or the Office of Compliance and Ethics, as appropriate, will investigate reports of suspected violations of this policy or its mandated standard to determine if a policy violation has occurred. Confirmed violations will be brought to the attention of the potential violators and their supervisor/manager, or the Center for Student Conduct and Conflict Resolution, if appropriate. Potential violators may engage the Ombuds Office. If the reporter desires to remain anonymous, suspected violations may be submitted through the Ethics and Compliance Hotline.

  2. Consequences of Confirmed Violations – Violations of this policy may result in sanctions including suspension of computer and network privileges and/or the full range of disciplinary action, up to and including referral to the Center for Student Conduct and Conflict Resolution; termination of employment as defined in RIT’s Staff Performance Improvement Policy; the cancellation of contractual obligations for adjunct employees or non-RIT employees serving as clinical faculty or guest lecturers; or the initiation of dismissal for cause proceedings as defined in RIT’s Dismissal of a Tenure-Track Faculty Member for Cause (E23.0) and Dismissal of a Non-Tenure-Track Faculty Member for Cause (E23.1). Violators of statutory law will be referred to Public Safety.

  3. Management of Risk as Violations are Investigated – If the Information Security Office, in concurrence with the Office of the CIO or the Office of the Provost, deems that a non-compliance violation is of sufficient risk, actions may be taken to address immediate risks, including but not limited to the suspension of access to data, services, network connections, accounts, or technical administrative privileges. Access will be restored when positive conditions can be reasonably assured, unless access is to remain suspended because of formal action imposed through the normal disciplinary or appeals processes of the university. 

V. Exceptions

Any exceptions to this policy must be submitted to the Information Security Office and approved through the Exception Process.

VI. Additional Information

For questions about policy interpretation, application or implementation, please contact the Information Security Office, infosec@rit.edu.

Responsible Office:  Information Security Office/Information & Technology Services

Aproved:  May 17, 2006

Effective Date: April 13, 2022

Policy History:
Edited August 2010
Edited August 2018 to change the responsible office
Revisions approved on an interim basis - July 1, 2019
Revisions approved by University Council April 13, 2022 - sections I, II, III, IV and V