Information Access & Protection Standard
The Information Access & Protection (IAP) Standard provides requirements for the proper handling of information at RIT.
The standard classifies information into four categories: Private, Confidential, Internal, and Public.
Private information is information that is confidential and which could be used for identity theft. Private information also has additional requirements associated with its protection (e.g., state and federal mandates). Examples include:
- Social Security Numbers (SSNs), Individual Taxpayer Identification Numbers (ITINs), or other national identification numbers
- Driver’s license numbers
- Financial account information (bank account numbers, checks, credit or debit card numbers), etc.
Confidential information is information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Examples include:
- Educational records governed by FERPA that are not defined as directory information (see RIT Educational Records Policy D15.0)
- Employee and student health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
- Faculty research or writing before publication or during the intellectual property period (see RIT Intellectual Property Policy 3.0)
- University Identification Numbers (UIDs)
- Employee Personnel information
- Management Information Designated as Confidential
- Faculty Research
- Third party information the RIT has agreed to hold confidential under contract
Internal information is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of Institute business. Examples include online building floor plans, specific library collections, etc.
Public information may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.
To whom do the requirements apply?
This Standard applies to everyone who accesses RIT Information Resources, whether affiliated with RIT or not, from on campus or from remote locations, including but not limited to: students, faculty, staff, contractors, consultants, temporary employees, alumni, guests, and volunteers.
What are RIT Information Resources?
RIT Information Resources include but are not limited to:
- RIT-owned or leased transmission lines, networks, wireless networks, servers, exchanges, Internet connections, terminals, applications, and computers
- Information owned by RIT or used by RIT under license or contract, in any form, including but not limited to:
- Electronic media
- Portable media
- Electronic hardware
- Network communications devices
- Personal computers, servers, wireless networks, mobile devices, and other devices not owned by RIT but intentionally connected to RIT Information Resources.
What do I have to do?
Everyone who accesses RIT Information Resources should know and understand the four classes of information at RIT and appropriate handling practices for each class. Specific roles and responsibilities are detailed in the Information Access and Protection Standard.
What do I have to know if I access Private or Confidential Information?
If you access Private or Confidential Information at RIT, you are a privileged user.
Information Access & Protection Standard
- Information Access & Protection (IAP) Standard (pdf)
- Information Access and Protection Inventory Template 2019 (MS Excel)
Disposal/No Media Reuse
- RIT Media disposal recommendations may be found at https://www.rit.edu/security/content/media-disposal-recommendations.
If the media (including a hard drive) is to be reused, the following apply:
- Private information on a laptop or desktop should be deleted securely using Spirion (Identity Finder).
- Private information on a server (or where Spirion (Identity Finder) is not available) should be deleted using industry-standard tools and practices in the tables below.
- Confidential information should be deleted using industry-standard tools and practices in the tables below.
- Private or confidential information in encrypted form may be deleted securely using the delete button.
Disk Sanitization (except for Solid State Drives (SSDs))
|Windows||Darik's Boot and Nuke ("DBAN") (single pass), Paladin|
|Unix/Linux||Darik's Boot and Nuke ("DBAN")(single pass)|
|Macintosh||Eraser Pro, Burn, Paladin|
Disk Sanitization (Solid State Drives (SSDs))
Recommendations forthcoming. Please contact the Information Security Office for recommendations.
NIST provides comprehensive sanitization/disposal information in NIST SP 800--88 Rev. 1, Guidelines for Media Sanitization
If you prefer to use a different tool, please contact the RIT Information Security Office.
DSD 103 Information Handling
RIT employees handle or are exposed to Private and Confidential information every week. It is important to use appropriate and secure information handling practices to protect these types of information. Inadvertent loss or disclosure of Private information may result in a Notification event under the NYS Information Security Breach and Notification Act.
Attendees of the Digital Self Defense (DSD) 103 – Information Handling course will learn new and improve existing information handling skills. Specifically, the course explains the different classes of information at RIT, how these types of information should be treated, and the correct means of storage, transfer, and destruction to be used. Completion of the course should provide the user with the necessary knowledge to be in compliance with the Information Access & Protection (IAP) Standard.
DSD 103 Information Handling is now available as a self-paced online class through the RIT E-Learning Zone.
- Access DSD 103 Information Handling Web-based training on the RIT Talent Roadmap.
- Login with your RIT credentials.
- Open the course.
- Click the blue triangle to launch the course. (You may want to perform a Browser Check to ensure your computer is configured correctly.)
- Take the course and complete the post-course assessment.