Faculty/Staff

Requirements for Faculty/Staff

All RIT faculty and staff are required to read, understand, and comply with the RIT Code of Conduct for Computer and Network Use and the RIT policy regarding Digital Copyright. Administrators should visit the Resources page for implementation, configuration, guidelines, and best practices.

Security Standards
Standard: When does it apply?
Desktop and Portable Computer Standard: Always
Password Standard: Always
Information Access & Protection Standard: Always
Cyber-Security (Computer) Incident Handling Standard: Always
Portable Media Standard: If you are storing private or confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store private information on portable media, the media must be encrypted.

Web Security Standard: If you have a website at RIT, official or unofficial, and you:

  • Own, administer, or maintain an official RIT web page that hosts or provides access to private or confidential information.
  • Use RIT authentication services.

Signature Standard: If you are sending out an e-mail, MyCourses, or RITmail communication relating to university academic or business purposes. This applies to both RIT and non-RIT email accounts.

Server Security Standard: If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it.

Network Security Standard: If you own or manage a device that:

  • Connects to the centrally-managed university network infrastructure
  • Processes RIT Confidential or Operationally Critical information

Account Management:

  • If you create or maintain RIT computer and network accounts.
  • Managers reporting changes in access privileges/job changes of employees.

Solutions Life Cycle Management: RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:

  • Host or provide access to private or confidential information
  • Support a Critical Business Process

Disaster Recovery: For business continuity and disaster recovery. Applies to any RIT process/function owners and organizations who use RIT information resources.

NOTE: The “in compliance by” date for this standard is January 23, 2016.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links
Link: Overview
Digital Self Defense 103 - Information Handling: Covers important security issues at RIT and best practices for handling information safely.
Disposal Recommendations: How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
Recommended and Acceptable Portable Media: List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
Mobile Device Usage Recommendations: Recommendations for mobile device usage at RIT.
VPN: Recommended for wireless access to RIT Confidential information.
Questions

If you have questions or feedback about specific information security requirements, please contact us.

RIT Information Handling and Services Matrix

The table below provides information about the different classifications of information at RIT and determines how the information can be used and who has permission to access it. For more details about information classification at RIT and examples, please visit the RIT Information Access and Protection Standard webpage. This Standard applies to everyone who accesses RIT Information Resources, whether affiliated with RIT or not, from on campus or from remote locations, including but not limited to: students, faculty, staff, contractors, consultants, temporary employees, alumni, guests, and volunteers.

Public - Information that may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.

Internal - Information that is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of Institute business. Internal information could include building floor plans and specific library collections.

Confidential - Information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Confidential information could include educational records, health information, and University Identification Numbers (UIDs).

Private - Information that is confidential and which could be used for identity theft. Private information also has additional mandates associated with its protection. Private information could include Social Security Number, driver's license number, and financial account information. These are all forms of information that could be used for identity theft.

The table on this page provides a quick reference list of services. In each of the tables, the classification of each service is shown in the left-hand column. The middle columns shows Check marks with an asterisk indicate there is additional information about the service and its classification in the right-hand comments column.

If you have questions about a specific use case or you do not find your use case below, reach out to rit@infosec.edu.

RIT Service Public Internal Confidential Private Comments
Audio/Video Conferencing: Zoom ✓*   *No HIPAA-related information permitted. Other Confidential information permitted only if proper controls are used to ensure access is limited to authorized RIT participants.
Audio/Video Conferencing: Zoom for Healthcare ✓*   *HIPAA-related information OK. Other Confidential Information is permitted only if proper controls are used to ensure audience is limited to RIT participants.
Audio/Video Conferencing: Others     AdobeConnect, GoToMeeting, WebEx, Bluejeans, etc.
Backups: RIT-administered (CrashPlan PROe, Veeam, Commvault) ✓* *Encryption should be enabled on backups. Backups of Private information must be encrypted. For CrashPlan PROe, backups are provided by request.
Backups: Other non RIT-administered     This includes local backup on portable media and backups to cloud services. Backups of Confidential/Private information to third-party apps such as Dropbox and G Suite are not allowed.
Behavioral Records Management: Maxient Student Judicial, Public Health
Career Services: Co-op Evaluation System   Used by external and internal employers to provide evaluations of student co-op employees
Centralized Administrative Console: CLAWS Used by systems administrators
Cloud-based infrastructure & platforms: Oracle, AWS, Microsoft Azure, Google Cloud Platform, etc. RIT administered with proper controls. Private and confidential information allowed only with ISO-approved authentication and authorization (ISO Best Practices).
Database Hosting: Confidential or Private Information Database hosting of Confidential or Private information requires review by the Information Security Office
Database Hosting: MySQL, MariaDB, etc. (RIT administered)      
Database Hosting: MySQL, MariaDB, etc. (Non-RIT administered)        
Disability Services Office: DSIM   DSIM information is governed by FERPA
Document Management: Box, Dropbox, and Office 365 OneDrive     Ensure that non-public content is limited to authorized users
Document Management: Google Drive and Google Shared Drives (g.rit.edu)     Ensure that non-public content is limited to authorized users
Document Management: Google G Suite: All other components (Sites, Photos, etc.)        
Electronic Signature: AdobeSign   Software Licensing Overview (ITS Link)
Email: Exchange     Confidential and Private Information should not be sent through email.
Email: RIT Gmail     Confidential and Private Information should not be sent through email.
Encryption: FDE-Compliant Device FDE is "Full Disk Encryption". Refer to Encryption at RIT
Event Management: EMS   Event management/room scheduling. Avoid putting confidential information in meeting reservations.
File Transfer: Tiger File Exchanger Link: Tiger File Exchanger
Innotas: Collaboration and Project Management     Used by project managers
Instant Messaging: Discord       Classroom and other academic use
Instant Messaging: Jabber     Link: GIS Instant Messaging System
Instant Messaging: Other       Not administered by RIT
International Enrollment and Programs: Ellucian ISSM   International Student Services, Student Affairs
Issue Tracking: JIRA    
MyCourses   Contains FERPA data
Network File Storage: ISO-approved (shares02) ✓* ✓* *Confidential/Private information allowed only with appropriate RIT access controls
Network File Storage: Others      
OnBase Admissions, financial aid, academic departments
Oracle eServices: myInfo, eBiz  
Portfolium   Student determines the information they share
ProSAM Financial Aid
Pyramed   Student Health Center
Research Computing Clusters CUI-compliant NIST 800-171
Research Computing Clusters: Non-CUI compliant      
ServiceNow   ITS, F&A departments
Shared Calendars: Exchange (Internal)     Exchange calendar should not be shared (published) publicly
Shared Calendars: Google, Calendly, etc. (Public)       Provide public and availability information only
Shared/Distributed Computing: Folding@home, World Community Grid        
SIS/PeopleSoft/Campus Solutions  
Slack: Direct Messages and invite-only channels (RIT-administered)     Link: rit.enterprise.slack.com
Slack: Public Channels or non-RIT administered workspaces        
Slate Enrollment Services/CRM cloud service
Starfish   FERPA records
StarRez   Link: mylife.rit.edu
Survey Tools: Qualtrics   Link: https://www.rit.edu/survey/
Survey Tools: others (SurveyMonkey, etc.)        
Tableau   Data visualization tool (RIT account)
Trello and other online project management tools     Not administered by RIT
UC4 Job scheduler (Oracle)
Voice Messaging: Asterisk     RIT administered
Voice Messaging: Voicemail ✓*   RIT administered. *With proper security controls.

Web Content Management: Drupal (RIT-administered sites)     RIT-managed solution for official RIT websites
Web Content Management: Others (WordPress, Google Sites)       Websites not centrally managed by RIT
Wiki: Confluence     Link: wiki.rit.edu

For more information or if you have questions, please contact the RIT Information Security Office at infosec@rit.edu