RIT Information Security Policy and Standards
What are Policy and Standards?
Policy defines the strategy and direction of RIT’s approach to a particular issue; in this instance, information security. All policies are grouped together in the Institute Policies and Procedures Manual.
Standards are created by the Information Security Office to help the RIT community implement the Information Security Policy.
The Information Security Policy (and standards) apply to the entire RIT community, including students, faculty, staff, external business associates, and volunteers.
Policies
The following policies pertain to information security at RIT.
- Information Security Policy (C8.1)
- Information Security Policy Plain English Guide
- Information Security Policy Cross Reference (provides references to legislation and other information)
- RIT Code of Conduct for Computer & Network Use (C8.2)
- RIT Code of Conduct for Computer & Network Use Plain English Guide
- RIT Privacy Policy (C7)
Standards
Each standard has its own page that provides the standard, a corresponding Plain English Guide for the average computer user (where applicable), and additional resources to assist in compliance with the standard.
The following standards are now in effect at RIT:
- Desktop & Portable Computer Security Standard
- Password Standard
- Computer Incident Handling Standard
- Server Security Standard
- Network Security Standard
- Information Access & Protection Standard
The following standards are currently in the standards creation process and not yet in effect:
- Portable Media Standard (sets requirements for portable media, such as flash drives, CDs, DVDs, etc.)
- Web Standard (sets requirements for all web servers and services)
- Services and Systems Development & Acquisitions Standard (sets requirements for acquisition and deployment of all systems, services, and applications at RIT)
Best Practices & Recommendations
- Mobile Device Recommendations
- Printers (coming soon)
Approved Encryption Methods
The RIT Information Security Office requires 128-bit or 256-bit AES encryption to protect RIT Confidential information.
Our Processes
The Information Security Office Extended Team is responsible for developing and implementing standards at RIT. The team is composed of different members of the RIT community representing key areas.
Currently, the Extended Team is composed of the following elements:
| Team | Role |
| --- | --- |
| Core Teams | Meet to create initial draft standards that are supportable and technically comprehensive. |
| Standards Review Team | Reviews proposed standards and helps determine their reasonability for RIT. |
| Security Coordinators | Work with departmental technical and managerial resources to make standards operational. |
Flowcharts
These flowcharts illustrate the processes used by the Information Security Office to develop and implement standards at RIT.
- Standards Creation Process (Initial draft of standard)
- Standards Acceptance Process (Review and acceptance of standard by representatives of the Institute community)
- Standards Resourcing Process (Determines resources necessary to meet standards requirements)
- Standards Communications and Publication Process (Process for developing communications and training materials to support the implementation of standards)
If you have feedback on our processes, drop us a note at infosec@rit.edu.
Exceptions
The Information Security Office has provided a method for obtaining an exception to compliance with the published security standards.