The Quaestor - Volume 3, Issue 1

Protecting and Handling Information at RIT

Contributed by: RIT’s Information Security Office

Do you know if you handle RIT Confidential or Operationally Critical information? Do you know that there are both external and internal requirements for protecting sensitive information at RIT? Do you know that each department is required to have an Information Access and Protection Plan?

There are a number of requirements for handling information and general computing at RIT. These requirements (standards) are components of the Information Security Policy (C8.1).

The Information Access and Protection Standard (IAP) requires that RIT departments determine appropriate handling of RIT information to protect its confidentiality, integrity, and availability (these requirements vary according to the information’s classification).

All information at RIT belongs to one of the following categories *:

  • RIT Confidential
  • RIT Internal Use Only
  • Public Information

Some of this information may also be needed to ensure the successful operation of the university. This type of information has an additional classification of RIT Operationally Critical.

Departmental IAP Plans

Department-specific information handling requirements are specified in your department’s Information Access and Protection Plan (IAP Plan). This plan provides the requirements you need to follow when handling RIT information through its lifecycle of creation, transfer, storage, and disposal.

In addition to helping departments comply with external and internal information protection mandates, the IAP Plan provides additional benefits:

  • The information inventory process can help you prepare better business continuity plans by documenting the information that your department needs to operate, and the sources and destinations of said information. Identifying information for which your department is the authoritative source (authoritative source meaning you hold the highest level of information verification/data integrity) will serve not only your IAP Plan, but your business continuity plan as well.
  • The information inventory process can help departments identify outdated confidential information. Obsolete data can be a security risk. During the inventory process, you may uncover old CDs or floppy disks with data that is no longer current but still confidential (for example, student Social Security numbers). In most cases, older data was collected and stored prior to the implementation of RIT security standards and during a time when the threat of identity theft was considerably lower. The inventory process provides an opportunity to sanitize or dispose of outdated information.
Next Steps

In February 2008, the Information Security Office will begin inspecting IAP plans. We will evaluate plans for opportunities to improve information handling at RIT. If you have questions about the IAP plan requirements, visit the IAP Resource page and read the Plain English Guide. We’ve provided a number of job aids, including an FAQ section and an IAP Plan template.

Additional Resources

The Information Security Office web site provides information on security requirements at RIT, general awareness information, user guides, and how to practice digital self defense. Our Digital Self Defense 103—Information Handling course provides an introduction to the information lifecycle and appropriate methods of handling sensitive information. You can access this self-paced online course through the Center for Professional Development.

The ITS Help Desk is available to provide assistance on safe information handling practices. If you need to dispose of sensitive information, the ITS HelpDesk provides access to a media shredder and a hard drive degausser.

For more information, contact RIT Information Security at Infosec@rit.edu or 585-475-4122.

*A fourth category, 3rd-Party Confidential, is used for confidential information not belonging to RIT. Information about RIT information classifications can be found at the Information Access & Protection Standard page.

Additional Information by IACA

IACA Team
Learn more about your IACA team.