Faculty/Staff
Requirements for Faculty/Staff
All RIT faculty and staff are required to read, understand, and comply with the RIT Code of Conduct for Computer and Network Use and the RIT policy regarding Digital Copyright. Administrators should visit the Resources page for implementation, configuration, guidelines, and best practices.
Security Standards
| Standard | When does it apply? |
|---|---|
| Desktop and Portable Computer Standard | Always |
| Password Standard | Always |
| Information Access & Protection Standard | Always |
| Cyber-Security (Computer) Incident Handling Standard | Always |
| Portable Media Standard | If you are storing private or confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store private information on portable media, the media must be encrypted. |
| Web Security Standard |
If you have a website at RIT, official or unofficial, and you:
|
| Signature Standard | If you are sending out an e-mail, MyCourses, or RITmail communication relating to university academic or business purposes. This applies to both RIT and non-RIT email accounts. |
| If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it. | |
| Network Security Standard |
If you own or manage a device that:
|
| Account Management |
|
| Solutions Life Cycle Management |
RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:
|
| Disaster Recovery |
For business continuity and disaster recovery. Applies to any RIT process/function owners and organizations who use RIT information resources. NOTE: The “in compliance by” date for this standard is January 23, 2016. |
All instances of non-compliance with published standards must be documented through the exception process.
Information Handling Quick Links
| Link | Overview |
|---|---|
| Digital Self Defense 103 - Information Handling | Covers important security issues at RIT and best practices for handling information safely. |
| Disposal Recommendations | How to safely dispose of various types of media to ensure RIT Confidential information is destroyed. |
| Recommended and Acceptable Portable Media | List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory). |
| Mobile Device Usage Recommendations | Recommendations for mobile device usage at RIT |
| VPN | Recommended for wireless access to RIT Confidential information. |
Questions
If you have questions or feedback about specific information security requirements, please contact us.
RIT Information Handling and Services Matrix
The table below provides information about the different classifications of information at RIT and determines how the information can be used and who has permission to access it. For more details about information classification at RIT and examples, please visit the RIT Information Access and Protection Standard webpage. This Standard applies to everyone who accesses RIT Information Resources, whether affiliated with RIT or not, from on campus or from remote locations, including but not limited to: students, faculty, staff, contractors, consultants, temporary employees, alumni, guests, and volunteers.
Public - Information that may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.
Internal - Information that is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of Institute business. Internal information could include building floor plans and specific library collections.
Confidential - Information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Confidential information could include educational records, health information, and University Identification Numbers (UIDs).
Private- Information that is confidential and which could be used for identity theft. Private information also has additional mandates associated with its protection. Private information could include Social Security Number, driver's license number, and financial account information. These are all forms of information that could be used for identity theft.
The table on this page provides a quick reference list of services. In each of the tables, the classification of each service is shown in the left-hand column. The middle columns shows Check marks with an asterisk indicate there is additional information about the service and its classification in the right-hand comments column.
If you have questions about a specific use case or you do not find your use case below, reach out to rit@infosec.edu.
| RIT Service | Public | Internal | Confidential | Private | Comments |
|---|---|---|---|---|---|
| Audio/Video Conferencing: Zoom | ✓ | ✓ | ✓* | *No HIPAA-related information permitted. Other Confidential information permitted only if proper controls are used to ensure access is limited to authorized RIT participants. | |
| Audio/Video Conferencing: Zoom for Healthcare | ✓ | ✓ | ✓* | *HIPAA-related information OK. Other Confidential Information is permitted only if proper controls are used to ensure audience is limited to RIT participants. | |
| Audio/Video Conferencing: Others | ✓ | ✓ | AdobeConnect, GoToMeeting, WebEx, Bluejeans, etc. | ||
| Backups: RIT-administered (CrashPlan PROe, Veem, Commvault) | ✓ | ✓ | ✓ | ✓* | *Encryption should be enabled on backups. Backups of Private information must be encrypted. For CrashPlanPROe backups are provided by request. |
| Backups: Other non RIT-administered | ✓ | ✓ | This includes local backup on portable media and backups to cloud services. Backups of Confidential/Private information to third party apps such as Dropbox and G Suite are not allowed | ||
| Behavioral Records Management: Maxient | ✓ | ✓ | ✓ | ✓ | Student Judicial, Public Health |
| Career Services: Co-op Evaluation System | ✓ | ✓ | ✓ | Used by external and internal employers to provide evaluations of student co-op employees | |
| Centralized Administrative Console: CLAWS | ✓ | ✓ | ✓ | ✓ | Used by systems administrators |
| Cloud-based infrastructure & platforms: Oracle, AWS, Microsoft Azure, Google Cloud Platform, etc. | ✓ | ✓ | ✓ | ✓ | RIT administered with proper controls. Private and confidential information allowed only with ISO-approved authentication and authorization; (ISO Best Practices) |
| Database Hosting: Confidential or Private Information | ✓ | ✓ | ✓ | ✓ | Database hosting of Confidential or Private information requires review by the Information Security Office |
| Database Hosting: MySQL, MariaDB, etc. (RIT administered) | ✓ | ✓ | |||
| Database Hosting: MySQL, MariaDB, etc. (Non-RIT administered) | ✓ | ||||
| Disability Services Office: DSIM | ✓ | ✓ | ✓ | DSIM information is governed by FERPA | |
| Document Management: Box, Dropbox, and Office 365 OneDrive | ✓ | ✓ | Ensure that non-public content is limited to authorized users | ||
| Document Management: Google Drive and Google Shared Drives (g.rit.edu) | ✓ | ✓ | Ensure that non-public content is limited to authorized users | ||
| Document Management: Google G Suite: All other components (Sites, Photos, etc.) | ✓ | ||||
| Electronic Signature: AdobeSign | ✓ | ✓ | ✓ | Software Licensing Overview (ITS Link) | |
| Email: Exchange | ✓ | ✓ | Confidential and Private Information should not be sent through email. | ||
| Email: RIT Gmail | ✓ | ✓ | Confidential and Private Information should not be sent through email. | ||
| Encryption: FDE-Compliant Device | ✓ | ✓ | ✓ | ✓ | FDE is "Full Disk Encryption". Refer to Encryption at RIT |
| Event Management: EMS | ✓ | ✓ | ✓ | Event management/room scheduling. Avoid putting confidential information in meeting reservations. | |
| File Transfer: Tiger File Exchanger | ✓ | ✓ | ✓ | ✓ | Link:Tiger File Exchanger |
| Innotas: Collaboration and Project Management | ✓ | ✓ | Used by project managers | ||
| Instant Messaging: Discord | ✓ | Classroom and other academic use | |||
| Instant Messaging: Jabber | ✓ | ✓ | Link:GIS Instant Messaging System | ||
| Instant Messaging: Other | ✓ | Not administered by RIT | |||
| International Enrollment and Programs: Ellucian ISSM | ✓ | ✓ | ✓ | International Student Services, Student Affairs | |
| Issue Tracking: JIRA | ✓ | ✓ | ✓ | ||
| MyCourses | ✓ | ✓ | ✓ | Contains FERPA data | |
| Network File Storage: ISO-approved (shares02) | ✓ | ✓ | ✓* | ✓* | *Confidential/Private information allowed only with appropriate RIT access controls |
| Network File Storage: Others | ✓ | ✓ | |||
| OnBase | ✓ | ✓ | ✓ | ✓ | Admissions, financial aid, academic departments |
| Oracle eServices: myInfo, eBiz | ✓ | ✓ | ✓ | ✓ | |
| Portfolium | ✓ | ✓ | ✓ | Student determines the information they share | |
| ProSAM | ✓ | ✓ | ✓ | ✓ | Financial Aid |
| Pyramed | ✓ | ✓ | ✓ | Student Health Center | |
| Research Computing Clusters CUI-compliant | ✓ | ✓ | ✓ | ✓ | NIST 800-171 |
| Research Computing Clusters: Non-CUI compliant | ✓ | ✓ | |||
| ServiceNow | ✓ | ✓ | ✓ | ITS, F&A departments | |
| Shared Calendars: Exchange (Internal) | ✓ | ✓ | Exchange calendar should not be shared (published) publicly | ||
| Shared Calendars: Google, Calendly, etc. (Public) | ✓ | Provide public and availability information only | |||
| Shared/Distributed Computing: Folding@home, World Community Grid | ✓ | ||||
| SIS/PeopleSoft/Campus Solutions | ✓ | ✓ | ✓ | ✓ | |
| Slack: Direct Messages and invite-only channels (RIT-administered) | ✓ | ✓ | Link: rit.enterprise.slack.com | ||
| Slack: Public Channels or non-RIT administered workspaces | ✓ | ||||
| Slate | ✓ | ✓ | ✓ | ✓ | Enrollment Services/CRM cloud service |
| Starfish | ✓ | ✓ | ✓ | FERPA records | |
| StarRez | ✓ | ✓ | ✓ | Link: mylife.rit.edu | |
| Survey Tools: Qualtrics | ✓ | ✓ | ✓ | Link: https://www.rit.edu/survey/ | |
| Survey Tools: others (SurveyMonkey, etc.) | ✓ | ||||
| Tableau | ✓ | ✓ | ✓ | Data visualization tool (RIT account) | |
| Trello and other online project management tools | ✓ | ✓ | Not administered by RIT | ||
| UC4 | ✓ | ✓ | ✓ | ✓ | Job scheduler (Oracle) |
| Voice Messaging: Asterisk | ✓ | ✓ | RIT administered | ||
| Voice Messaging: Voicemail | ✓ | ✓ | ✓* |
RIT administered *With proper security controls |
|
| Web Content Management: Drupal (RIT-administered sites) | ✓ | ✓ | RIT-managed solution for official RIT websites | ||
| Web Content Management: Others (WordPress, Google Sites) | ✓ | Websites not centrally managed by RIT | |||
| Wiki: Confluence | ✓ | ✓ | Link: wiki.rit.edu |
For more information or if you have questions, please contact the RIT Information Security Office at infosec@rit.edu