(V1) Requirements, Policies, and Standards

Policies and Standards

Policies and Standards are the requirements the RIT community must follow when using RIT Information Resources.

Requirements for Faculty and Staff
Security Standards

Standard, followed by when it applies:

Desktop and Portable Computer Standard
  Always

Password Standard
  Always

Information Access & Protection Standard
  Always

Cyber-Security (Computer) Incident Handling Standard
  Always

Portable Media Standard
  If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory. If you must store Private information on portable media, the media must be encrypted.

Web Security Standard
  If you have a web page at RIT, official or unofficial, and you:
  • Own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • Use RIT authentication services

Signature Standard
  If you are sending out an e-mail, MyCourses, or Message Center communication relating to Institute academic or business purposes. This applies to both RIT and non-RIT e-mail accounts.

Server Security Standard
  If you own or administer any production, training, test, or development server, and/or the operating systems, applications or databases residing on it.

Network Security Standard
  If you own or manage a device that:
  • Connects to the centrally-managed Institute network infrastructure
  • Processes RIT Confidential or Operationally Critical information

Account Management Standard
  • If you create or maintain RIT computer and network accounts.
  • Managers reporting changes in access privileges/job changes of employees.

Solutions Life Cycle Management Standard
  RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:
  • Host or provide access to Private or Confidential information
  • Support a Critical Business Process

Disaster Recovery Standard
  For business continuity and disaster recovery. Applies to any RIT process/function owners and organizations who use RIT information resources.

NOTE: The “in compliance by” date for this standard is January 23, 2016.

All instances of non-compliance with published standards must be documented through the exception process.

Information Handling Quick Links

  • Digital Self Defense 103 - Information Handling: Covers important security issues at RIT and best practices for handling information safely.
  • Disposal Recommendations: How to safely dispose of various types of media to ensure RIT Confidential information is destroyed.
  • Recommended and Acceptable Portable Media: List of recommended and acceptable portable media devices (such as USB keys, CDs, DVDs, and flash memory).
  • Mobile Device Usage Recommendations: Recommendations for mobile device usage at RIT.
  • VPN: Recommended for wireless access to RIT Confidential information.
Safe Practices
  • Visit our Keeping Safe section to find security resources and safe practices and to see our schedule of upcoming workshops.
Questions

If you have questions or feedback about specific information security requirements, please contact us.

Requirements for Students

Standard

When does it apply?

Desktop and Portable Computer Standard

Always

Password Standard

Always

Signature Standard

Always - All authentic RIT communications should include an appropriate signature as per the standard. Make it a habit to check for an authentic signature when receiving messages from RIT.

Web Security Standard

If you have a web page at RIT, official or unofficial, and you:

  • Host or provide access to Confidential information. If you’re hosting or providing access to Private information, contact us at infosec@rit.edu immediately. Private or confidential information is defined in the Information Access and Protection Standard.
  • Use RIT authentication services

Computer Incident Handling Standard

If the affected computer or device:

  • Contains Private or Confidential information
  • Poses a threat to the Institute network

Network Security Standard

If you own or manage a device that:

  • Connects to the centrally-managed Institute network infrastructure
  • Processes Confidential information. If you’re providing access to Private information, contact us at infosec@rit.edu immediately.

Portable Media Standard

If you are storing Private or Confidential information on portable media, such as USB keys, CDs, DVDs, and flash memory.

Networking Devices
  • Currently, personal networking devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. Resnet has created separate guidelines for Using a Router/Wireless Router on the RIT Network.
Safe Practices
  • Visit our Keeping Safe section to find security resources and safe practices.
Questions

If you have questions or feedback about specific information security requirements, please contact us.

Processes

Policy Creation and Approval

Institute policies are created and approved through a shared governance process. A further description of this process can be found on the Academic Senate, Staff Council and Student Government websites. 

Standards Creation and Approval

In 2005, the RIT shared governance organizations approved the Information Security Policy which vested the Information Security Office with the role of leading the RIT community in the creation, approval and implementation of Information Security Standards.

  • Core Teams composed of subject matter experts meet to create draft standards that are supportable and comprehensive.
  • The Information Security Council reviews and approves proposed standards. The Information Security Council is composed of representatives from across the University. The Information Security Council representatives also serve as coordinators in their departments to facilitate the implementation of standards.
Standards Process Overview

A flowchart of the RIT ISO's Standards Process.

Anyone not in compliance with an Information Security Standard is subject to sanctions including suspension of computer and network privileges and/or the full range of current Institute personnel and student disciplinary processes.

In a small number of circumstances, it may not be possible to comply with an Information Security Standard. The Information Security Office has provided the following method for obtaining an exception to compliance with a published information security standard. Exceptions should be approved and signed by the appropriate Information Trustee (VP, Dean, or CIO). (An email endorsing the exception request is acceptable.)

An exception MAY be granted by the RIT Information Security Office for non‑compliance with a standard resulting from:

  • Implementation of a solution with equivalent protection.
  • Implementation of a solution with superior protection.
  • Impending retirement of a legacy system.
  • Inability to implement the standard due to some limitation.

Exceptions are granted for a specific period of time, not to exceed two years. Each request is reviewed on a case-by-case basis, and approval is not automatic.

The Exception Request should include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Proposed assessment of risk associated with non-compliance
  • Proposed plan for managing the risk associated with non-compliance
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review date to evaluate progress toward compliance
  • Endorsement of the request by the appropriate Information Trustee (VP, Dean, or CIO).

If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request should still be submitted.

NOTE: Effective 9 June, 2020, Exception Requests may be filed through the Enterprise Service Center.

For questions about exception requests, contact the Information Security Office, infosec@rit.edu, ROS 10-A200.

Security Standards

To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.

Desktop and Portable Computer Standard
What does it apply to?
  • All RIT-owned or leased computers.
  • Any computer (physical or virtual) connecting to the RIT network through a physical, wireless, dial-up, or VPN connection.
The standard is not required for the following devices, although they should employ these controls to the extent possible, commensurate with the risk of the information accessed or stored on them:

  • Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
  • Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.

Storage of Private information is prohibited on these devices.

What do I need to do?
Passwords

Having a strong password is increasingly important. Weak passwords can be "guessed" or "cracked" using free software available online, allowing unauthorized access that can result in identity crimes, extortion, or damage to reputation through the disclosure of sensitive or private information (yours and RIT's). Choosing a strong password is one of the most important things you can do to protect yourself online. Follow the password standard and subscribe to our social media outlets for password tips and tricks!

Password Standard
Documented Standard
Summary
  • Be at least 8 characters long (a longer passphrase is preferred)
  • Use both upper and lower case letters and at least one number, and one special character
    • We suggest putting numbers and special characters in the middle of the password, not at the beginning or end
  • Change it annually (at a minimum)
  • DO NOT use your username
  • DO NOT reuse for at least six changes of password

NOTE: These are minimum standards. Please review our password advice by visiting Creating Strong Passwords!
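As an added illustration (not code from RIT or from the standard itself), the following Go program applies the summary rules above to a candidate password and to a history of previous ones. The `Policy` type, the rule wording, and the SHA-256 fingerprint used to represent the reuse history are this example's own assumptions, and "do not use your username" is read here as "must not contain the username".

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy captures the minimums listed in the Password Standard summary:
// length, four character classes, no username, annual change, and no
// reuse within the last HistoryDepth changes.
type Policy struct {
	MinLength    int
	MaxAge       time.Duration
	HistoryDepth int
}

// DefaultPolicy is the standard's stated minimum. These are floor values;
// a longer passphrase is preferred.
var DefaultPolicy = Policy{MinLength: 8, MaxAge: 365 * 24 * time.Hour, HistoryDepth: 6}

// fingerprint stands in for the password-history store (an assumption of
// this example). A plain SHA-256 keeps the example self-contained; a real
// system would compare against the salted, slow hashes (bcrypt, scrypt,
// Argon2) it already keeps for login rather than an unsalted digest.
func fingerprint(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// Check returns the rules the candidate violates; an empty list means the
// candidate is acceptable. history holds fingerprints of previous passwords,
// most recent first; only the first HistoryDepth entries are consulted.
func (p Policy) Check(username, candidate string, history []string) []string {
	var problems []string
	if len([]rune(candidate)) < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true // anything else, including punctuation and spaces
		}
	}
	if !upper {
		problems = append(problems, "missing an upper-case letter")
	}
	if !lower {
		problems = append(problems, "missing a lower-case letter")
	}
	if !digit {
		problems = append(problems, "missing a digit")
	}
	if !special {
		problems = append(problems, "missing a special character")
	}
	// "Do not use your username" applied as "must not contain it", case-insensitively.
	if username != "" && strings.Contains(strings.ToLower(candidate), strings.ToLower(username)) {
		problems = append(problems, "contains the username")
	}
	depth := p.HistoryDepth
	if depth > len(history) {
		depth = len(history)
	}
	fp := fingerprint(candidate)
	for _, old := range history[:depth] {
		if old == fp {
			problems = append(problems, fmt.Sprintf("reused within the last %d changes", p.HistoryDepth))
			break
		}
	}
	return problems
}

// Expired reports whether a password last changed at lastChanged is past
// the annual change deadline as of now.
func (p Policy) Expired(lastChanged, now time.Time) bool {
	return now.Sub(lastChanged) > p.MaxAge
}

func main() {
	// Constructed history and candidates for demonstration only.
	history := []string{fingerprint("Old-Pass-1"), fingerprint("Old-Pass-2")}
	for _, cand := range []string{"Tiger-9-Lily", "jdoe-2024", "Old-Pass-1", "short"} {
		fmt.Printf("%-14q -> %v\n", cand, DefaultPolicy.Check("jdoe", cand, history))
	}
}
```

A deployed checker would compare against the salted, slow password hashes already kept for login rather than an unsalted digest, and the standard's own advice to prefer a longer passphrase still applies: these checks are a floor, not a target.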

RIT Computer Accounts

To change the password for your RIT Computer Account, visit http://start.rit.edu. Contact the RIT Service Desk (585-475-5000) if you've forgotten your password or it is not working.

Information Access & Protection Standard

The Information Access & Protection (IAP) Standard provides requirements for the proper handling of information at RIT.

Information Classifications

The standard classifies information into four categories: Private, Confidential, Internal, and Public.

Private information

Private information is information that is confidential and which could be used for identity theft. Private information also has additional requirements associated with its protection (e.g., state and federal mandates). Examples include:

  • Social Security Numbers (SSNs), Individual Taxpayer Identification Numbers (ITINs), or other national identification numbers
  • Driver’s license numbers
  • Financial account information (bank account numbers, checks, credit or debit card numbers), etc.

The NYS SHIELD Act expands the examples of PII as follows:

  • Social security number
  • Driver’s license number or non-driver identification card number
  • Account number, credit, or debit card number in combination with other identifiable data
  • Biometric information such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation
  • User name or email address in combination with a password or security question
Confidential information

Confidential information is information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Examples include:

  • Educational records governed by FERPA that are not defined as directory information (see RIT Educational Records Policy D15.0)
  • Employee and student health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
  • Faculty research or writing before publication or during the intellectual property period (see RIT Intellectual Property Policy 3.0)
  • University Identification Numbers (UIDs)
  • Employee Personnel information
  • Management Information Designated as Confidential
  • Faculty Research
  • Third party information that RIT has agreed to hold confidential under contract
Internal information

Internal information is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of Institute business. Examples include online building floor plans, specific library collections, etc.

Public information

Public information may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.

To whom do the requirements apply?

This Standard applies to everyone who accesses RIT Information Resources, whether affiliated with RIT or not, from on campus or from remote locations, including but not limited to: students, faculty, staff, contractors, consultants, temporary employees, alumni, guests, and volunteers.

What are RIT Information Resources?

RIT Information Resources include but are not limited to:

  • RIT-owned or leased transmission lines, networks, wireless networks, servers, exchanges, Internet connections, terminals, applications, and computers
  • Information owned by RIT or used by RIT under license or contract, in any form, including but not limited to:
    • Electronic media
    • Portable media
    • Electronic hardware
    • Software
    • Network communications devices
    • Paper
  • Personal computers, servers, wireless networks, mobile devices, and other devices not owned by RIT but intentionally connected to RIT Information Resources.
What do I have to do?

Everyone who accesses RIT Information Resources should know and understand the four classes of information at RIT and appropriate handling practices for each class. Specific roles and responsibilities are detailed in the Information Access and Protection Standard.

What do I have to know if I access Private or Confidential Information?

If you access Private or Confidential Information at RIT, you are a privileged user.

Information Access & Protection Standard

Resources
Information Disposal and Sanitization
Disposal/No Media Reuse
Sanitization/Media Reuse

If the media (including a hard drive) is to be reused, the following apply:

  • Private information on a laptop or desktop should be deleted securely using Spirion (Identity Finder).
  • Private information on a server (or where Spirion (Identity Finder) is not available) should be deleted using industry-standard tools and practices in the tables below.
  • Confidential information should be deleted using industry-standard tools and practices in the tables below.
  • Private or confidential information in encrypted form may be deleted securely using the delete button, provided the encryption key is not stored alongside it; the leftover ciphertext stays unreadable only as long as the key is protected.
File Sanitization (tool by operating system)
  • Windows: Eraser
  • Unix/Linux: Eraser
  • Macintosh: Eraser Pro
Disk Sanitization (except for Solid State Drives (SSDs))
  • Windows: Darik's Boot and Nuke ("DBAN") (single pass), Paladin
  • Unix/Linux: Darik's Boot and Nuke ("DBAN") (single pass)
  • Macintosh: Eraser Pro, Burn, Paladin
Disk Sanitization (Solid State Drives (SSDs))

Recommendations forthcoming. Please contact the Information Security Office for recommendations.

NIST provides comprehensive sanitization/disposal information in NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.

If you prefer to use a different tool, please contact the RIT Information Security Office.

Training
DSD 103 Information Handling

RIT employees handle or are exposed to Private and Confidential information every week. It is important to use appropriate and secure information handling practices to protect these types of information. Inadvertent loss or disclosure of Private information may result in a Notification event under the NYS Information Security Breach and Notification Act.

Course Objectives

Attendees of the Digital Self Defense (DSD) 103 – Information Handling course will learn new and improve existing information handling skills. Specifically, the course explains the different classes of information at RIT, how these types of information should be treated, and the correct means of storage, transfer, and destruction to be used. Completion of the course should provide the user with the necessary knowledge to be in compliance with the Information Access & Protection (IAP) Standard.

DSD 103 Online Course

DSD 103 Information Handling is now available as a self-paced online class through the RIT E-Learning Zone.

  1. Access DSD 103 Information Handling Web-based training on the RIT Talent Roadmap.
  2. Login with your RIT credentials.
  3. Open the course.
  4. Click the blue triangle to launch the course. (You may want to perform a Browser Check to ensure your computer is configured correctly.)
  5. Take the course and complete the post-course assessment.
Cyber-Security Incident Handling Standard

RIT has created a process for handling computer incidents to ensure that each incident is appropriately resolved and further preventative measures are implemented.

Cyber-Security Incident Handling Standard
Who does the standard apply to?
  • The standard primarily applies to administrators of RIT-owned or leased computing devices.
  • The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.
What is an incident?

Incidents include the following types of events:

  • Physical loss of a computing device (including storage devices)
  • Detection of unauthorized users accessing a computing device
  • Discovery of malware on a computing device
  • Discovery of critical vulnerabilities or improper configuration that could result in a breach of information
What do I have to do?
Action needed, by group:

Everyone
  • If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.
Self-supported users
  • If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
  • If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.
Users supported by Systems Administrators
  • Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high risk threats, they will engage the Computer Incident Handling process.
  • Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.
System Administrators
Resources
  • Incident Handling Flowchart (rev. 11/16/15)
  • Report a Computer Incident If you suspect a cybersecurity incident, immediately report it by calling the RIT Service Center at 585-475-5000, or on the web at help.rit.edu. When reporting by phone after hours, there is a prompt to speak to the on-call person in an emergency. Follow the cybersecurity incident handling instructions as described on the Information Security Office website.
Portable Media Security Standard

Portable media such as USB keys, flash memory, CDs/DVDs, etc. are a crucial part of daily business. However, portable media is easily lost or stolen and may cause a security breach.

Because portable media can be stolen or compromised easily, users should take precautions when using it to transfer or store Confidential information. We strongly discourage placing Private Information on portable media.

Approved Portable Media 

When handling RIT Private or Confidential information, you should use only portable media that provides an approved encryption level (the RIT Information Security Office requires 128-bit or 256-bit AES encryption).

Unacceptable Portable Media

USB media that doesn't include encryption

Encryption of CDs, DVDs, Removable Hard Drives, and Other Portable Media

Please contact the RIT Information Security Office for recommended encryption methods.

3rd Party Encryption Products

The RIT Information Security Office requires 128-bit or 256-bit AES encryption to protect RIT Private or Confidential information when transferred by or stored on portable media.
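The standard names the cipher and key sizes but not a construction. The Go program below is an added example, not an RIT-provided tool or the Information Security Office's recommended method: it seals a file for transport on portable media with AES-GCM from Go's standard library, which encrypts and authenticates, so a modified or relabeled file is rejected outright rather than decrypted to garbage. The `Seal`/`Open` functions, the on-disk layout and the sample CSV record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random AES-256 key. Keep it off the media it
// protects: derive it from a passphrase with a KDF or hold it in a password
// manager, never next to the sealed file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM accepts only the key sizes the standard names: 128-bit or 256-bit.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 && len(key) != 32 {
		return nil, fmt.Errorf("key must be 16 or 32 bytes (AES-128/AES-256), got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext. label (for example the file
// name) is authenticated but not encrypted, so a sealed file cannot be
// quietly renamed to stand in for another. Result layout (this example's
// convention): 12-byte random nonce || ciphertext || 16-byte GCM tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to its first argument, so the nonce leads the output.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label
// fails the GCM tag check and no plaintext is returned.
func Open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	record := []byte("lastname,firstname,ssn\nDoe,Jane,000-00-0000\n")
	sealed, err := Seal(key, record, []byte("roster.csv"))
	if err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 0x01 // simulate a flipped bit on the USB key
	if _, err := Open(key, sealed, []byte("roster.csv")); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

The key is the whole secret: it must not travel on the same USB key as the sealed file, and if it comes from a passphrase it should go through a proper KDF rather than being used directly. Both 128-bit and 256-bit keys are accepted to match the standard's wording; any other length is refused.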

Media Disposal Recommendations

Disposal method by media type:

Paper
  Use a shredder. Crosscut is preferred over a strip shredder.

CD, DVD, diskette, etc.
  Use the media shredder (located at the RIT Service Center, 7B-1113).

Hard Drives
  If the hard drive is to be reused, contact your support organization for recommendations for secure erasure.
  If the hard drive is damaged or will not be reused, render the hard drive unreadable by using the degausser (located at the RIT Service Center, 7B-1113). (Not for SSDs)

Tapes
  Use the degausser (located at the RIT Service Center, 7B-1113).

Other
  Use an industry standard means of secure disposal.

Web Security Standard

The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements.

Documented Standard
  • Current Web Security Standard (reflects 2015 operational transition, supersedes previous version, comply by 1/23/15)
  • NOTE: As of 12/5/2014, SSL (including SSLv3) is no longer considered to be secure. Web servers should accept TLS only and disable SSL.
When am I required to follow the standard?
  • If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • If you have a web page at RIT, official or unofficial, and you use RIT authentication services.
Scanning
  • Effective 2/13/15, the RIT Information Security Office no longer provides scanning services to support RIT web pages. Contact us for more information.
Resources

Updated 5/31/2016

Signature Standard

RIT uses a standardized signature to make authentic Institute communications easily recognizable. Use of common signature elements by senders helps recipients detect counterfeit e-mails and phishing attempts. A signature can be copied by an attacker, so treat it as a cue to verify rather than proof: use the contact information it provides, not links in the message, to confirm a suspicious e-mail. For more information, see the Signature Standard.

Who do the requirements apply to?

The requirements apply to:

  • All e-mail related to Institute academic or business purposes sent by RIT faculty or staff, whether from an RIT or a non-RIT e-mail account. (The standard also applies to course-related e-mail sent via the RIT MyCourses system.)
  • All creators of Message Center communications.
  • E-mail messages sent from portable devices.

The requirements do not apply to:

  • Personal e-mail and e-mail sent by students. RIT students are encouraged to create an e-mail signature which makes their e-mail easily identifiable as authentic.
What do I have to do?

All e-mail or Message Center communications that support academic or business functions should contain the following:

  1. The name of the sender. (A department name is not an acceptable substitute for the name of a sender.)
  2. The name of the RIT-Specific organization or department the sender represents.
  3. A university telephone number, building address, and e-mail address (where available) that the recipient may use to contact the sending department with questions or to verify the authenticity of the e-mail. Web addresses may be included, but may not be the primary means of contact.
  4. The official RIT Confidentiality Statement.
    Note that the Confidentiality Statement is not required for e-mails containing only Internal or Public information (e.g., mass communications such as Message Center, or mass mailings to external audiences such as prospective students, parents, etc.)
Server Security Standard

The Server Standard provides requirements for server configuration and use at RIT.

A list of ISO-approved security assessment tools, HIPS programs, secure protocols, and a sample trespassing banner can be found in the Technical Resources.

What does the standard apply to?

All servers (including production, training, test, and development) and the operating systems, applications, and databases as defined by this standard.

The standard does not apply to individual student-owned servers or faculty-assigned student servers for projects; however, administrators of these servers are encouraged to meet the Server Standard.

Recommended Strong Authentication Practices

The RIT Information Security Office recommends that all systems requiring strong authentication

  • comply with RIT's password and authentication standard (REQUIRED)
  • use a complex password of 12 or more characters. Fifteen or more characters are preferred.
  • use multi-factor authentication such as:
    • tokens
    • smart cards
    • soft tokens
    • certificate-based authentication (PKI)
    • one-time passwords (OTP)
    • challenge / response systems
    • biometrics
Approved Vulnerability Scanners

Nessus, Nexpose, and Nmap are approved for scanning servers at RIT. For information on the scanning conducted by the RIT Information Security Office see the Vulnerability Management Program at RIT.

Approved Encryption Methods

See Encryption at RIT for approved encryption methods.

Server Security Standard
Network Security Standard

The Network Security Standard provides measures to prevent, detect, and correct network compromises. The standard is based on both new practices and best practices currently in use at RIT.

Please consult the checklist or the standard below for a complete list of requirements.

Who does it apply to?

All systems or network administrators managing devices that:

  • Connect to the centrally-managed Institute network infrastructure
  • Process Private or Confidential Information

Currently, personal network devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. However, the use of wireless routers is prohibited in residential areas on campus. The use of wired routers is still acceptable. Read and comply with the requirements in the Resnet guide to Using a Router on the RIT Network prior to using them.

See our Wireless Networking page for information on how to access wireless networks at RIT and how to set up and use a wireless network at home.

What do I need to do?

Use the Network Security Checklist to set up your networking device.

Network Security Standard

Network administrators should consult the Technical Resources pages for detailed information, including preferred and prohibited protocols, trespassing banners, etc.

NOTE: During the pandemic period, we are removing the restriction on split tunneling.

Account Management Standard

The Account Management Standard provides requirements around creating and maintaining user and special accounts. The primary audience for the standard is account administrators. However, there are reporting requirements pertaining to personnel and roles and responsibility changes for managers as well.

Documented Standard

Account Management Standard

Who does the standard apply to?
  • IT personnel who support account creation and maintenance for RIT information resources.
  • Managers reporting changes in access privileges/job changes of employees.
Key Concepts
  • Requires appropriate controls to ensure that users prove their identity and only have access to the resources to which they are authorized.
  • Provides requirements for managing and maintaining accounts accessing RIT information resources.
  • Provides requirements for special account types.
Resources

Updated 1/21/20

Solutions Life Cycle Management Standard

The Solutions Life Cycle Management Standard provides information and processes for managers and decision makers who are considering purchasing new information technology solutions or services. The standard defines required engagement with purchasing and the RIT Information Security Office and provides additional information about managing solutions from initial consideration of the solutions to their retirement.

Documented Standard

Current Solutions Life Cycle Management Standard

Who does the standard apply to?

RIT departments exploring new IT services (including third-party and RIT-hosted, and software as a service) that meet any one or more of the following:

  • Host or provide access to Private or Confidential information
  • Support a Critical Business Process
Key Concepts
  • Provides critical vs. non-critical business continuity classifications.
  • Provides disaster recovery and restoration requirements for IT support organizations.
Resources
Disaster Recovery Standard

The Disaster Recovery Standard provides information for critical process and function owners and support personnel about what they should do to prepare for a disaster to ensure that RIT as a whole can restore and continue operations.

Documented Standard

Current Disaster Recovery Standard (compliance was required 1/23/16)

Who does the standard apply to?
  • RIT process/function owners and organizations who use RIT Information Resources.
Key Concepts
  • Provides critical vs. non-critical business continuity classifications.
  • Requires the establishment of recovery point objectives, creation of appropriate documentation, and contingency planning for disaster recovery and business continuity.
  • Provides disaster recovery and restoration requirements for IT support organizations.

Roles and Responsibilities

Roles and Responsibilities

This table provides roles and responsibilities in relation to specific standards.

Role Responsibilities Standard(s)
Account Administrator Those who support Accounts by adding, modifying, assigning account attributes such as passwords, access, roles, etc. Account Management
Account Holder The individual or group which is assigned the Account Account Management
Applications/Module Administrator Ensures that applications/modules are in compliance with RIT Information Security standards. Server
Application Owner Ensures that the application is supported by an application administrator and a systems administrator. Server
Business Continuity Office Provides guidance and assistance to process/function owners regarding the identification of processes/functions and vital records, particularly those classified as critical. Ensures critical processes/functions are included in the academic/business continuity system. Academic/Business Continuity and Disaster Recovery
Data Owner The data owner is the authority responsible for establishing standards/guidelines for granting and revoking access privileges. Account Management
End Users
  • Ensures that all assigned RIT-owned or leased desktop and portable computers that connect to the Institute network meet the minimum standards set forth above.
  • Ensures that all personally-owned portable media that may contain Private or Confidential information meet the minimum standards and follows the Information Access and Protection Standard.
  • In order to enhance compliance with the Standards, end users may engage support personnel such as systems administrators. The burden for compliance with each standard falls on each end user.
  • Report loss or compromise of portable media containing Private or Confidential information in accordance with the Computer Incident Handling Process standard.
  • End users who have administrator rights or the ability to share systems are defined as systems administrators.
  • Ensures that all passwords for accounts on computing and networked resources owned or leased by the Institute meet the minimum standard
  • Complies with the Information Access and Protection Standard and any management directives regarding the handling of Confidential or Private information
  • End users are responsible for reporting security incidents. End users whose failure to comply with relevant RIT Security Standards results in a security incident are subject to the sanctions provided in RIT’s Code of Conduct for Computer and Network Use.
All
Information Security Officer The person responsible for issuing security standards based on legal context, threats and the needs of the Institute for protection. The ISO champions implementation efforts, facilitates recognition and communication of best practices, offers acceptable alternatives, and provides exceptions as appropriate. The staff of the Information Security Office provides communication and training materials as appropriate. All
Information Trustee (VP or Provost)
  • Comprehends the risks associated with each security standard and information at RIT
  • Provides direction to all students, faculty, staff and contractors within his or her domain to ensure full compliance with the Standards, and with all other requirements the Information Trustee may wish to impose. The Information Trustee is encouraged to assign a member of his/her organizational unit the responsibility of coordinating compliance with this and other information security standards
  • Prioritizes Critical Processes/functions
All
Information Security Coordinator The person responsible for acting as an information security liaison to their colleges, divisions, or departments. Responsible for information security project management, communications, and training for their constituents. All
Institute Audit, Compliance & Advisement (IACA) IACA reviews compliance with this Security Standard (and all Security Standards) as part of departmental audits. All
IT Organization Build systems and processes/functions to ensure that certified and funded RTOs and RPOs identified by academic/business units are supported. Develop disaster recovery plans to support academic/business continuity and disaster recovery plans. Academic/Business Continuity and Disaster Recovery
IT Support Personnel Ensures that the incident handling processes detailed in Section 5.0 are followed. If an alternate plan is proposed, the IT support personnel should review the plan with the respective Information Trustee and the Information Security Office by the compliance date of the standard. Computer Incident Handling Process
Network Administrator
  • Ensures that all existing supported Network Devices are configured to support the minimum standard, or an alternate plan for risk management is provided to the CIO/Security Program Manager and the Information Security Office in accordance with the Exception Process
  • Ensures that all newly-supported Network Devices are configured to support the minimum standard.
Network
Process/Function Owners
  • Ensure that all academic/business processes/functions are identified and that each critical process/function is classified appropriately with an RTO and RPO (as applicable).
  • Ensure that vital records are identified, and that this information is provided to the Business Continuity Office for entry into the academic/business continuity system.
  • Communicate IT support requirements to the appropriate organization
Academic/Business Continuity and Disaster Recovery
Procurement May assist with RFP preparation and vendor selection. Reviews and revises contracts; negotiates contract terms. Solutions Life Cycle Management
Project Management Office (PMO) Coordinates the prioritization, evaluation and implementation of IT projects. Solutions Life Cycle Management
RIT Faculty or Staff Member Ensures that all e‑mails they send that are related to Institute business comply with the standard. Signature Standard
Solution Administrator Ensures that all solutions are configured to support the minimum standards set forth above, or that an alternate plan for risk management is provided to their Information Trustee in accordance with the Exception Process. Solutions Life Cycle Management
Solution Owner Ensures that the proposed solution is submitted to the ISO for review, that any proposed changes are evaluated against security requirements, and that the solution is maintained by the solution administrator. Solutions Life Cycle Management
System(s) Administrator
  • Those who are members of an organization that supports enterprise, division, or department level IT services. System administrators within their area of responsibility facilitate end-user privilege management and implement operating procedures to conform to campus information security standards and guidelines.
  • Ensures that all existing RIT-owned supported portable media that may contain Private or Confidential information are configured to support the minimum standards set forth above, or that an alternate plan for risk management is provided to their Information Trustee.
Account Management, Information Access and Protection
Systems, Applications, or Web Page Administrator Includes network and systems administrators who support systems containing Confidential or Private information. They may:
  • implement technical access controls based on RIT Information Security Standards
  • verify the transition of data rights from departing or former employees or contractors to current employees or contractors
  • provide technical support for the information’s integrity, business continuity, and electronic data retirement or destruction.
Information Access and Protection
System Owner The system owner is ultimately responsible for providing the system’s service/functionality to the campus. Often the system owner is a manager/director, department chair, or dean. The system owner is responsible for ensuring that operating procedures are developed which meet the standards/guidelines outlined by the Data Owner. Account Management
Third Party Complies with the Information Access and Protection Standard and any RIT management directives regarding the handling of Confidential or Private information. Accesses Confidential or Legally-Regulated information only when specifically authorized. Information Access and Protection
Volunteers Includes trustees, agents, members of affiliate groups, etc., who are loosely affiliated with RIT but who are not employees. Volunteers comply with this standard and any RIT management directives regarding the handling of Confidential or Private information. Volunteers have limited access to Confidential or Private information. Information Access and Protection
Web System Administrator The person responsible for ensuring the server providing web services and applications is compliant with the Server Standard. This person ensures that all web servers are configured to support the minimum standard. Web
Web Services/Application Administrator The person responsible for the administration of a web service or application. This person ensures that all web services and applications (including web tools) are configured to support the minimum standard. The web services/application administrator is responsible for ensuring that third-party applications meet the standard. Web
Web Content Administrator A person responsible for the development and administration of content in a web service or application. Web