Privileged Users (Training and Knowledge)
Requirements for Privileged Users
A Privileged User is anyone who handles Private or Confidential Information.
All RIT people should read and understand the RIT Code of Conduct for Computer and Network Use and the RIT policy regarding Digital Copyright.
All RIT users must understand and comply with all applicable standards. The tables below provide more information on how specific standards and training relate to Privileged Users. The second table is applicable in specific situations.
Standard | Sections | Training Course | Web Resources | Comments |
---|---|---|---|---|
Information Access and Protection | All | RIT Information Handling | | The Information Access and Protection standard provides requirements for handling RIT Private Information. Training for the standard is provided by RIT Information Handling, a self-paced online class required annually for anyone who handles Private or Confidential Information. RIT Information Handling replaced DSD103 and is accessed through the Talent Roadmap. The disposal and sanitization/media reuse page provides guidance on disposing of and reusing both portable media and hard drives. |
Password | All | Cybersecurity Fundamentals | Creating Strong Passwords (recommended) | The Password standard provides minimum requirements for password construction and use at RIT. |
Desktop and Portable Computer | All | | Desktop Checklists (recommended) (General, ITS-Supported, Support Personnel); Securing Your Computer (recommended best practices) | The Desktop Checklists are designed to help RIT people ensure that they are meeting all security requirements. Note that users of Private information are required to have Full Disk Encryption (FDE) on their RIT computer. Contact the RIT Service Center for more information. Note that use of a VPN or application-based authentication is recommended when accessing Private or Confidential resources. |
Portable Media | All | RIT Information Handling | | The Portable Media standard provides usage requirements for RIT people who access Private or Confidential information and use portable media. Knowledge of and compliance with this standard is required for anyone handling RIT Confidential or Private information. Any portable media used for Private information must be encrypted and disposed of properly. (Generally, use of portable media for Private information is discouraged.) The disposal and sanitization/media reuse page provides guidance on disposing of and reusing both portable media and hard drives. |
Incident Handling | How to report | Cybersecurity Fundamentals | Talent Roadmap | The Incident Handling standard provides an overview of the steps followed in the RIT Computer/Cybersecurity Incident Handling Process. Anyone who loses or suspects the compromise of Private or Confidential information must report the incident to the RIT Service Center. Cybersecurity Fundamentals is accessed through the Talent Roadmap. |
Standard | Situation | Resources | Comments |
---|---|---|---|
Web Security | Web site owner, web server or application administrator | Checklist (recommended) | If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information, you must comply with all aspects of this standard. The standard contains primarily technical requirements and also requires compliance with the Server Security standard. Specific data handling requirements are in the Information Access and Protection standard. Although much of the web standard is technical, information owners must ensure that their technical support adheres to the technical requirements. |
Server Security | Server system administrator | Checklist (recommended) | If you own or administer any production, training, test, or development server, and/or the operating systems, applications, or databases residing on it, you must comply with all aspects of this standard. This is typically a technical role. |
Network Security | Network administrator for a network or network device | Checklist (recommended) | If you own or manage a network device that connects to the centrally managed Institute network infrastructure or processes RIT Confidential or Operationally Critical information, you must comply with all aspects of this standard. This is typically a technical role. |
Account Management | Account administrators and data owners | Checklist (recommended) | Anyone who administers accounts that include access to Private or Confidential information must ensure access is granted or removed when appropriate. Data owners of Private information identified by ITS should review all accounts and access privileges at least annually to ensure that they are commensurate with job function, need-to-know, and employment status. We strongly recommend that data owners document account management procedures for systems not administered by ITS. Segregation of Duties (SOD): wherever possible, we recommend that data owners practice segregation of duties. For example, an administrative account should not be used for non-administrative activities. |
Solutions Life Cycle Management | When changing or acquiring a solution that accesses Private or Confidential information | Information Access and Protection Questionnaire (IAPQ) | Anyone changing a current solution or acquiring a new solution that involves Private or Confidential information must complete and submit an IAPQ and receive a security review before changing or acquiring the solution. The IAPQ is submitted by the RIT Business Unit to the Information Security Office and the Project Management Office. |
Exceptions to Standards
All instances of non-compliance with published standards must be documented through the exception process.
Questions
If you have questions or feedback about specific information security requirements, please contact us at infosec@rit.edu.