Guidelines for the Use of Information Technology

last updated: 12-01-2021

Introduction

These are general guidelines to follow for the protection of IT devices and security of private information.  If you have any questions about any of these guidelines please consult the Office of Information Technology (OIT) Help Desk or the Information Security Office (ISO).

Training

  1. Require training on how to identify protected classes of data, like sensitive and confidential information, and provide training on departmental procedures used to handle it (https://iso.rice.edu/risk-classifications).
  2. Require completion of the Cyber Security Awareness Training provided as part of the R.I.C.E. Way Training.
  3. Identify and provide training for any compliance requirements beyond securing sensitive and confidential information.
  4. Require familiarity with university policies around the use of information technology and protecting information:

Computers and Devices

  1. Require the use of hardware, software, and services purchased by Rice University and supported by the Office of Information Technology (OIT).
  2. Require the use of equipment under an active warranty and use a currently supported operating system.  Supported equipment can be purchased via iO using a purchase order (https://io.rice.edu) or through the Rice Procurement office (https://controller.rice.edu/procure-pay).  Preferred suppliers can be contacted directly by using the contact information on the Preferred Suppliers page.
  3. Maintain a departmental inventory of devices purchased by and / or used in the department.
  4. Require encryption on all devices.  Make sure the system requires passwords or passphrases to unlock on startup and reboot.  Set a screen saver password for no more than 15 minutes.
  5. Require system and application patching on a regular basis according to best practices.
  6. Require an OIT supported antivirus or other antimalware software on supported computers.
  7. Require the use of software designed to identify security vulnerabilities and protect computers from being compromised by cyber threats.
  8. Require proper disposal procedures when retiring devices. Remove all data from the devices and recover software licenses when possible (https://iso.rice.edu/resources-disposal).

Accounts

  1. Require strong and unique passwords.  Use stronger account options when available, like multifactor authentication (https://iso.rice.edu/manage-passwords).
  2. Require multifactor authentication for privilege-use applications, such as administrative server login, system administration, and accessing confidential and other regulated data.
  3. Require different passwords for different services, portals, and websites.
  4. Require an organizational email account for generic departmental communication that is separate from an individual’s account.
  5. Require the use of Rice-owned equipment, services, and accounts for Rice business.  For example: Do not use public file hosting services such as Dropbox.com for Rice-related business and do not use a Rice email address with personal services such as Amazon or Facebook.

Data

  1. Identify the kinds of data handled by employees.  Require protected classes of data be handled only when necessary and on department-approved computers and devices.
  2. Follow Rice and departmental procedures to safely handle and dispose of protected information.
  3. Require the use of approved, secure connections like Rice VPN to access Rice data from devices when off campus.
  4. Develop and implement a plan for “data continuity” for when employees leave the university.  Make sure files and emails needed by the department are accessible and saved to central locations before staff transitions.
  5. Require that Rice data is properly backed up using supported methods (https://kb.rice.edu/70762).
  6. Individuals may be held responsible for any lost, stolen, or improperly accessed data if that data was not appropriately protected (e.g. password protected and encrypted). Departments may be held financially responsible for the cost associated with data loss by one of their faculty, staff, or students (who have been granted access to confidential or sensitive data) including, but not limited to, the costs of contacting affected individuals or organizations and providing credit monitoring services.

Application and Service Contract Review

  1. Before signing a contract, require a security and legal review of the application or service through the IT Security Office and the Office of the General Counsel.
  2. Require an additional review if something changes, including any changes to the service offering, terms of the service or application, or how the application or service is used.
  3. Require a periodic review of the contract and terms of service.
  4. Require a security assessment and approval to use applications and services.

Physical Security

  1. Do not leave devices unattended or in unlocked areas. 
  2. Travel with technology only when necessary.  Follow travel best practices depending on the destination, paying attention to international requirements and concerns with encryption and protected classifications of data. Be aware of potential export restrictions when traveling internationally (https://research.rice.edu/compliance/export-control/international-travel).
  3. Follow RUPD guidance on how to physically secure your environment, which can be found on RUPD’s 2019 Annual Security Report, "Responsibilities of the University Community," on page 7 (https://www.rice.edu/sites/g/files/bxs2566/files/2019-10/Safety-Report-FY20-101619-final.pdf).