• Students
• Faculty & Staff
• Systems Administrators Resources

• Resources
• Alerts/Advisories
• Digital Self Defense
• Safe Practices
• Projects & Services
• Standards & Policies
• Forms
• About Us/Contacts

RIT Information Security Policy and Standards

What are Policy and Standards?

Policy defines the strategy and direction of RIT’s approach to a particular issue; in this instance information security. All policies are grouped together in the Institute Policies and Procedures Manual.

Standards are created by the Information Security Office to help the RIT community implement the Information Security Policy.

The Information Security Policy (and standards) apply to the entire RIT community, including students, faculty, staff, external business associates, and volunteers.

Policies

The following policies pertain to information security at RIT.

• Information Security Policy (C8.1)
• Information Security Policy Plain English Guide
• Information Security Policy Cross Reference (provides references to legislation and other information)
• RIT Code of Conduct for Computer & Network Use (C8.2)
• RIT Code of Conduct for Computer & Network Use Plain English Guide
• RIT Privacy Policy (C7)

Standards

Each standard has its own page that provides the standard, a corresponding Plain English Guide for the average computer user (where applicable), and additional resources to assist in compliance with the standard.

The following standards are now in effect at RIT:

• Desktop & Portable Computer Security Standard
• Password Standard
• Computer Incident Handling Standard
• Server Security Standard
• Network Security Standard
• Information Access & Protection Standard
• Portable Media Security Standard (eff. 9/1/08) (sets requirements for portable media, such as flash drives, CDs, DVDs, etc.)
• Web Standard (eff. 9/1/08) (sets requirements for all web servers and services)
• Signature Standard (rev. 9/23/09)

The following standards are currently in the standards creation process and not yet in effect:

• Services and Systems Development & Acquisitions Standard (sets requirements for acquisition and deployment of all systems, services, and applications at RIT)

Best Practices & Recommendations

• Mobile Device Recommendations
• Printers

Approved Encryption Methods

Under Development

Our Processes

The Information Security Office Extended Team is responsible for developing and implementing standards at RIT. The team is composed of different members of the RIT community representing key areas.

Currently, the Extended Team is composed of the following elements:

Core Teams	Meet to create initial draft standards that are supportable and technically comprehensive.
Standards Review Team	Reviews proposed standards and helps determine their reasonability for RIT.
Security Coordinators	Work with departmental technical and managerial resources to make standards operational.

Standards Process Flowchart (rev. 2/19/09)

Exceptions

The Information Security Office has provided a method for obtaining an exception to compliance with the published security standards.

• Information Security Exception Process
• Information Security Exception Request Form