To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.
Introduction and Scope
RIT uses many types of computing devices, physical and virtual (desktop, portable, tablet, smartphone, etc.), to access RIT information resources. This standard provides requirements for these computing devices to ensure that RIT information resources are accessed securely.
What Does It Apply To?
All RIT-owned or leased computers.
Any computer (physical or virtual) connecting to the RIT network through a physical, wireless, dial-up, or VPN connection.
Not Required For
The following devices should employ these controls to the extent possible, commensurate with the risk of the information that is accessed or stored on them.
Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.
Storage of Private information is prohibited on these devices.
Users should either log out or lock the interactive session before leaving the session, computer, or device unattended.
For RIT-owned computers, administrators should set a minimum automatic lockout commensurate with the use and risk of the information, e.g., a lockout after 15 minutes is recommended for typical office use.
For personally-owned devices, we recommend an automatic lockout period of 2-15 minutes.
RIT-owned, lab, and grant-funded computing devices should be auditable from centralized configuration management software. This audit capability should include an inventory of applications and current patch level.
RIT data and research data should be backed up. Backups shall enable computers/devices to be restored to a recent point in time before the incident requiring backup. Centrally-managed backups are preferred.
For usage where data is stored on the network, a disk image is an acceptable backup.
For situations where data is stored locally, the backup should be able to restore that data. (We recommend that data not be stored locally.)