Desktop & Portable Computer

To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.

Introduction and Scope

RIT uses many types of computing devices, physical and virtual (desktop, portable, tablet, smartphone, etc.), to access RIT information resources. This standard provides requirements for these computing devices to ensure that RIT information resources are accessed securely.

What Does It Apply To?

  • All RIT-owned or leased computers.
  • Any computer (physical or virtual) connecting to the RIT network through a physical, wireless, dial-up, or VPN connection.

Not Required For

The following devices should employ these controls to the extent possible commensurate with the risk of the information that is accessed or stored on them.

  • Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
  • Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.

Storage of Private information is prohibited on these devices.

What Do I Need To Do?

Requirements

The following security controls are required as detailed in the table. See the notes following the table for more information about each requirement.

 

RIT-owned desktop/laptop, Grant-funded computers

Lab computers

Personally-owned computers (student, visitor, home)

Other Computing Devices

1. Endpoint Protection/Anti-malware

Must be centrally managed

Must be centrally managed

Yes

Yes

2. Endpoint Firewall

Yes

Yes

Yes

Required if RIT-owned device when solution available from RIT. Recommended if personally-owned device.

3. Host-based Intrusion Prevention System (HIPS)

Yes

Yes

 

 

4. Supported Software/Apps with up-to-date security patches

Yes

Yes

Yes

Yes

5. Log out/lock out

Yes

Yes

Yes

Yes

6. PI management software

Yes

Storage of private information is prohibited

Storage of private information is prohibited

Storage of private information is prohibited

7. Full-disk encryption

Required, if accessing private information

 

 

 

8. Centralized Desktop/Device Management

Yes

Yes

 

Required if RIT-owned device when solution available from RIT. Recommended if personally-owned device.

9. Administrative privileges

Administrative privileges granted only at the discretion of VP/Dean

 

 

Jail-broken or rooted devices are prohibited from accessing Confidential or Private Information.

10. Backups (data)

Required (centrally managed preferred)

 

Recommended

Recommended

Details

All required security controls must be installed, up-to-date and enabled.

Should have anti-virus with malware signature, heuristic, anti-spyware, and reputation awareness capabilities. Anti-virus software is available for most computing devices.

Not needed with Android or iOS devices unless rooted or jail-broken.

Required on Windows operating systems. There are some recommended Host Intrusion Prevention Systems solutions

Operating system and application software must install up-to-date security patches.

  1. Users should either log out or lock the interactive session before leaving the session, computer, or device unattended.
  2. For RIT-owned computers, administrators should set a minimum automatic lockout commensurate with the use and risk of the information, e.g., a lockout after 15 minutes is recommended for typical office use.
  3. For personally-owned devices, we recommend an automatic lockout period of 2-15 minutes.

  1. The software should complete scans monthly.
  2. Users should not be storing private information on any endpoint and should immediately remediate any identified private information.
  3. The software should report results to a centralized management console controlled by ITS.
  4. The recommended Private Information management software can be found at Securing Your Computer
  5. PI software licensing may not extend to grant-funded computers

  1. If computers are used to access private information, then the computer should have full disk encryption. The encryption solution should validate that the product was installed and operating correctly.
  2. User-configurable settings should not be capable of interfering with the encryption software.
  3. Encryption software and policies should be controlled by centralized security personnel.
  4. The minimum recommended full disk encryption levels can be found at Encryption at RIT.

RIT-owned, lab computers, and grant-funded computing devices should be auditable from centralized configuration management software. This audit capability should include an inventory of applications and current patch level.

Use of limited vs. administrative privileges is determined by the divisional VP or dean.

RIT data and research data should be backed up. Backups shall enable computers/devices to be restored to a recent point in time before the incident requiring backup. Centrally-managed backups are preferred.

  1. For usage where data is stored on the network, a disk image is an acceptable backup.
  2. For situations where data is stored locally, the backup should be able to restore that data. (We recommend that data not be stored locally.)

Resources/Related Information

For additional information and product recommendations, please see Securing Your Computer.