Guidelines for the Use of Information Technology

Last updated: 01-11-2019


Introduction

These are general guidelines to follow for the protection of IT devices and the security of private information. If you have any questions about any of these guidelines, please consult your OIT Divisional Representative or the IT Security Office.

Training

  1. Require training on how to identify protected classes of data, like sensitive and confidential information, and provide training on departmental procedures used to handle it (https://vpit.rice.edu/information-security/resources/risk-classifications).
  2. Require completion of the Cyber Security Awareness Training provided by OIT through our training catalog (https://catalog.rice.edu).
  3. Identify and provide training for any compliance requirements beyond securing sensitive and confidential information.
  4. Require familiarity with university policies around the use of information technology and protecting information:

Computers and Devices

  1. Require the use of equipment that is under an active warranty and runs a currently supported operating system.  Purchase through authorized channels like the Rice Technology Marketplace (https://solutions.sciquest.com/apps/Router/SAMLAuth/Rice) or the Rice Procurement office (https://buy.rice.edu).  Maintain a departmental inventory of devices purchased by and/or used in the department.
  2. Require full-disk encryption on all devices.  Make sure the system requires a password or passphrase to unlock on startup and reboot.  Set the screen saver to lock the screen and require a password after no more than 15 minutes of inactivity.
  3. Require system and application patching on a regular basis.
  4. Require OIT-supported antivirus or other antimalware software on supported computers.
  5. Require the use of software designed to identify protected information that may inadvertently be stored on computers.
  6. Require proper disposal procedures when retiring devices. Remove all data from the devices and recover software licenses when possible (https://vpit.rice.edu/information-security/how-do-i/dispose-computing-resources-physical-and-cloud).

Accounts

  1. Require strong and unique passwords.  Use stronger account protections when available, like multifactor authentication (https://vpit.rice.edu/information-security/how-do-i/manage-passwords).
  2. Require multifactor authentication for privileged access, such as administrative server login, system administration, and access to confidential and other regulated data.
  3. Require different passwords for different services.
  4. Require an organizational email account that is separate from an individual’s account.
  5. Require the use of Rice-owned equipment, services, and accounts for Rice business.  For example, do not use public file hosting services such as Dropbox.com for Rice-related business, and do not use a Rice email address with personal services such as Amazon or Facebook.

Data

  1. Identify the kinds of data handled by employees.  Require protected classes of data be handled only when necessary and on department-approved computers and devices.
  2. Follow Rice and departmental procedures to safely handle and dispose of protected information.
  3. Require the use of approved, secure connections like Rice VPN to access Rice data from devices when off campus.
  4. Develop and implement a plan for “data continuity” for when employees leave the University.  Make sure files and emails needed by the department are accessible and saved to central locations before staff transitions.
  5. Require that Rice data is properly backed up using supported methods (https://kb.rice.edu/page.php?id=70762).
  6. Individuals may be held responsible for any lost, stolen, or improperly accessed data if that data was not appropriately protected (e.g. password, encryption). Departments may be held financially responsible for the cost associated with data loss by one of their faculty, staff, or students (who have been granted access to confidential or sensitive data) including, but not limited to, the costs of contacting affected individuals or organizations and providing credit monitoring services.

Application and Service Contract Review

  1. Before signing a contract, require a security and legal review of the application or service through the IT Security Office and the Office of the General Counsel.
  2. Require an additional review if something changes, including any changes to the service offering, terms of the service or application, or how the application or service is used.
  3. Require a periodic review of the contract and terms of service.

Physical Security

  1. Do not leave devices unattended or in unlocked areas.
  2. Travel with technology only when necessary.  Follow travel best practices depending on the destination, paying attention to international requirements and concerns with encryption and protected classifications of data.
  3. Follow RUPD guidance on how to physically secure your environment, which can be found on RUPD’s 2017 Annual Security Report, "Responsibilities of the University Community," on page 8 (http://www.rice.edu/safety/Safety-Report-2018.pdf).