Requirements for Privileged Users

A Privileged User is anyone who handles Private or Confidential Information.

All RIT people should read and understand the RIT Code of Conduct for Computer and Network Use and the RIT policy regarding Digital Copyright.

All RIT users must understand and comply with all applicable standards. The tables below provide more information on how specific standards and training relate to Privileged Users. The second table is applicable in specific situations.


Security Standards
(Required of All RIT Users.)
Specific Application for Private and Confidential Information is provided in the table.

Each entry below lists the Standard, the Sections that apply, the Training Course, the Web Resources, and Comments.

Standard: Information Access and Protection
Sections: All
Training Course: DSD103 Information Handling
Web Resources: Talent Roadmap; Media Disposal Recommendations
Comments: The Information Access and Protection Standard provides requirements for handling RIT Private Information. Training for the standard is provided by DSD103, a self-paced online class required for anyone who handles Private or Confidential Information. We recommend repeating the class annually. DSD103 is accessed through the Talent Roadmap.
The disposal and sanitization/media reuse page provides guidance on disposing of and reusing both portable media and hard drives.

Standard: Password
Sections: All
Training Course: Computing Security Fundamentals; DSD101 Tips, Tools, and Best Practices to Stay Safe Online; DSD100 Practicing Digital Self Defense
Web Resources: Talent Roadmap; Creating Strong Passwords (recommended)
Comments: The Password standard provides minimum requirements for password construction and use at RIT.
Computing Security Fundamentals is a self-paced online class that everyone at RIT is required to take annually. The course provides information on password construction, information handling, and your role in a cybersecurity incident. Computing Security Fundamentals is accessed through the Talent Roadmap.
DSD101 is a recommended instructor-led course offered periodically or on request through CPD. The course enhances familiarity with creating strong passwords and other relevant cybersecurity topics. DSD101 is accessed through the Talent Roadmap.
DSD100 is a recommended self-paced online course. It enhances familiarity with creating strong passwords and other relevant cybersecurity topics. DSD100 is accessed through the Talent Roadmap.

Standard: Desktop and Portable Computer
Sections: All
Training Course: (none)
Web Resources: Desktop Checklists (recommended) (General, ITS-Supported, Support Personnel); Securing Your Computer (recommended best practices)
Comments: The Desktop Checklists are designed to help RIT people ensure that they're meeting all security requirements. Note that users of Private information are required to have Full Disk Encryption (FDE) on their RIT computer. Contact the ITS Service Desk for more information.
Note that use of a VPN is recommended when accessing Private or Confidential resources.

Standard: Portable Media
Sections: All
Training Course: DSD103 Information Handling
Web Resources: Talent Roadmap; Media Disposal Recommendations; Minimum Encryption Level
Comments: The Portable Media Standard provides usage requirements for RIT people who access Private or Confidential information and use portable media. Knowledge of and compliance with this standard is required for anyone handling RIT Confidential or Private information. Any portable media used for Private information must be encrypted and disposed of properly. (Generally, use of portable media for Private information is discouraged.)
The disposal and sanitization/media reuse page provides guidance on disposing of and reusing both portable media and hard drives.
DSD103 is accessed through the Talent Roadmap.

Standard: Incident Handling
Sections: How to report
Training Course: Computing Security Fundamentals
Web Resources: Talent Roadmap
Comments: The Incident Handling standard provides an overview of the steps followed in the RIT Computer/Cybersecurity Incident Handling Process. Anyone who loses or suspects the compromise of Private or Confidential information must report the incident to the ITS Service Desk.
Computing Security Fundamentals is accessed through the Talent Roadmap.


Applicable in Specific Situations
Each entry below lists the Standard, the Situation in which it applies, the Resources, and Comments.

Standard: Web Security
Situation: Web site owner, web server or application administrator
Resources: Checklist (recommended)
Comments: If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information, you must comply with all aspects of this standard. The standard contains primarily technical requirements and also requires compliance with the Server Security standard. Specific data handling requirements are in the Information Access and Protection Standard. Although much of the web standard is technical, information owners must ensure that their technical support adheres to the technical requirements.

Standard: Server Security
Situation: Server system administrator
Resources: Checklist (recommended)
Comments: If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it, you must comply with all aspects of this standard. This is typically a technical role.

Standard: Network Security
Situation: Network administrator for a network or network device
Resources: Checklist (recommended)
Comments: If you own or manage a network device that connects to the centrally-managed Institute network infrastructure or processes RIT Confidential or Operationally Critical information, you must comply with all aspects of this standard. This is typically a technical role.

Standard: Account Management
Situation: Account administrators and data owners
Resources: Checklist (recommended)
Comments: Anyone who administers accounts that include access to Private or Confidential information must ensure access is granted or removed when appropriate. Data owners of Private information identified by ITS should review all accounts and access privileges at least annually to ensure that they are commensurate with job function, need-to-know, and employment status.

Standard: Solutions Life Cycle Management
Situation: When changing or acquiring a solution that accesses Private or Confidential information
Resources: Information Access and Protection Questionnaire (IAPQ)
Comments: Anyone changing a current solution or acquiring a new solution that involves Private or Confidential information must complete and submit an IAPQ and receive a security review before changing or acquiring the solution. The IAPQ is submitted by the RIT Business Unit to the Information Security Office and the Project Management Office.

All instances of non-compliance with published standards must be documented through the exception process.

Questions

If you have questions or feedback about specific information security requirements, please contact us at infosec@rit.edu.