IAP Plan Requirements and Template
Excerpted from the Information Access and Protection Standard
- Information Inventory
- All RIT organizational units (departments, divisions, etc.) should identify and maintain an inventory (type, classification, location, accessibility) of all Private, Confidential, and Internal information they handle or maintain. The ISO provides an Information Access and Protection Plan Template to facilitate this requirement. (The plan should be updated at least annually.)
- Divisional VPs and Deans are responsible for ensuring that mandatory information handling training is provided to any RIT employees (including adjuncts, temporaries and contractors), student employees, and volunteers (including trustees, agents, members of affiliate groups, etc.) with access to Confidential or Private information.
- This training should be conducted on an appropriate periodic basis. (Annually is appropriate, and can be fulfilled through the self-paced web-based DSD103 Information Handling, available through the Talent Roadmap.)
- Divisional VPs and Deans are responsible for ensuring that users comply with RIT non-disclosure requirements, which may include signing a non-disclosure agreement.
- Systems, applications, or web page administrators (including student employees) who administer information systems containing Confidential or Private information should sign the RIT Systems Support Personnel Non-Disclosure Agreement form.
- Information Access and Protection Plan Template (The template provides instructions, examples of information classifications, and an inventory with examples.)
- Requirements for Privileged Users (Training and knowledge requirements for anyone who accesses Private or Confidential Information)