RIT Information Security
IAP Plan Creation Workshop
Ben Woelk
RIT Information Security Office
475-4122
infosec@rit.edu
http://security.rit.edu
Workshop Outline
• Requirements of the IAP Standard
• Identifying types of information
• Creating your plan
• Using the Plan Template
The IAP Standard
Requires RIT departments to adopt a plan to
ensure information access and
protection.
The plan is needed to help ensure:
• the confidentiality of information (protect
against unauthorized or unplanned
exposure)
• the integrity/reliability of information (protect
against unplanned changes or deletion)
• the availability of Operationally Critical
information
Internal and External Mandates
Institute Policies
• Privacy Policy (C7.0)
• Code of Conduct for Computer and Network Use
(C8.0)
• Intellectual Property Policy (C3.0)
Legislative Mandates
• Federal laws
– FERPA, GLB, HIPAA, SOX
• Information Security Breach and Notification Act
(NYS) and 16 other similar state laws
Exclusions
Information of a scholarly nature (such as research
materials) is generally excluded from the
requirements of the standard.
However, this exclusion does not extend to
• Student record information
• Information that RIT is obligated to protect by
contract
• Information that is being developed at RIT that is
intellectual property such as pre-patent
information.
Confidentiality Classifications
Public Information
• Information that may be accessed or
communicated by all RIT faculty, staff,
students, alumni, contractors, and business
associates without restriction.
Confidentiality Classifications
RIT Internal Use Only
• A suggested, but optional, categorization for
information that may be accessed or
communicated by all RIT faculty, staff,
students, alumni, contractors, and business
associates without restriction for the conduct
of Institute business.
Confidentiality Classifications
RIT Confidential
• A more restrictive classification that is required for
information accessed or communicated on a
need-to-know basis and that, because of legal,
contractual, ethical, or other constraints, may not be
accessed without specific authorization.
• RIT Confidential information may have many forms
including, but not limited to, documents, data,
stored audio, or video.
• The classification “RIT Confidential” also applies to
information the unauthorized disclosure of which
could result in significant harm to the Institute,
Institute processes, or to individuals.
RIT Operationally Critical
• A classification for information that requires a high
level of information availability in addition to
integrity.
• The classification “RIT Operationally Critical” refers
to information that is essential to the daily
operations of the Institute.
• This information must be identified and protected,
not only for business continuity planning, but also
as appropriate for information availability and
integrity. It may be of any level of
confidentiality/sensitivity.
Confidentiality and Integrity
Confidentiality and integrity categories
are not mutually exclusive.
• For example, information may be both RIT
Confidential and Operationally Critical.
• It may not be both RIT Confidential and RIT Internal
Use Only.
[Diagram: RIT Operationally Critical overlapping both RIT Confidential and RIT Internal Use Only, which do not overlap each other]
Other Important Definitions
Information/Data Integrity
• The assurance that information/data is
unchanged from its source and has not
been accidentally or maliciously
modified, altered, or destroyed.
Authoritative Source
• The information source with the
highest level of information verification
or data integrity.
Group Exercise
• Identify a list of information your
department handles.
• Determine what categories apply to
the information.
Plan Elements
The Plan must contain the following
elements:
• Information identification
• Information handling processes and
safeguards, including transfer of sensitive
information outside the department
• Communications and training
• Plan maintenance
Plan Resources
The Information Security Office will
support plan creation by providing
the following:
• IAP Web Page
• Plan template
• Plan creation workshop
• Matrix of information and legal requirements
• Marking guidelines
• Sample non-disclosure agreement (NDA)
• FAQ
What if we already have a plan?
• Attach existing plan elements to your
Information Access and Protection Plan.
• You must ensure that all previously
developed materials fulfill the
requirements of the Information Access
and Protection Standard.
Creating your plan
Follow these steps to create your plan
1. Review information owned or handled by your
department
2. Identify information that should be categorized
3. Develop and document procedures for handling
that information from creation to destruction.
The Plan should ensure that the right information
reaches only the right audience.
The Plan may identify changes to implement in
daily departmental activities.
Plan Template
Excel Workbook
• Help built into template
Introduction and five sections
• Information Inventory
• Protection by Media Type
• Reuse, Retirement, Destruction
• Human Protections
• Action Items
Introduction and Instructions
Introduction (red tab)
• Background to the
standard
• Key definitions
• Instructions for completing
the template.
Information Inventory
Part One (blue tab)
• Inventory and classify the
types of RIT information that
your department handles.
• Indicate how each type of
information is obtained, stored,
and shared.
Protection by Media Type
Part Two (yellow tab)
• Document how your
department provides
confidentiality and integrity
protection for different types
of media or devices.
Reuse, Retirement, Destruction
Part Three (orange tab)
• Document how your
department reuses or retires
media and devices used to
store confidential information.
• Document how your
department destroys or
disposes of confidential
information.
Human Protections
Part Four (green tab)
• Provide information about
human protections such as
internal and external NDAs
(Non-disclosure Agreements).
• In the Communications and
Training Section, indicate
how your department will
provide internal communications
and training for your IAP plan.
Action Items
Part Five (gray tab)
• Use the Action Items
section to record any
safeguards that need
to be addressed.
• In the Plan Maintenance
section, indicate the
creation date and
creator of the plan and
next review date for the
plan.
Closing
Keep your plan on file. Don’t send it to us
unless we ask for it.
For more information, visit the IAP Web Page at
http://security.rit.edu/iap.html or contact the
RIT Information Security Office at
infosec@rit.edu
Using the Template
Let’s practice filling out the template.