Information Assets Rit

Running head: Risk Identification and Assessment at RIT

Risk Identification and Assessment at RIT

Student's Name

Institution of Learning

INTRODUCTION

RIT holds a large amount of intellectual and non-intellectual assets, which makes it a popular target for a wide variety of attacks. Most of those attacks are professionally engineered to steal or misuse important information assets, which could affect the institution's reputation. The aim of this paper is therefore to secure RIT's information assets through the identification and assessment of risks. The first step is to identify the institution's information assets through a process of self-examination. After that, the information assets can be classified into specific groups and prioritized according to their importance to the institution. This helps to identify the threats connected with these assets and to measure their vulnerability to those threats. Finally, risk identification and assessment for RIT will help to develop complete and efficient policies and tools that can diminish the risk.

The following sections are devoted to identifying RIT's information assets, the existing threats to them and their probable vulnerabilities.


INFORMATION ASSETS

RIT is an educational institution with many different information assets. These must be identified so that security standards can be set for securing and handling them properly. The information assets are identified as people, procedures, data and software/hardware.

People: As information assets, people are those who have access to RIT's data resources, whether or not they are affiliated with RIT. The people were divided into two groups: insiders and outsiders. Insiders consisted of students, alumni, faculty, employees, consultants, contractors, and temporary employees. Outsiders were volunteers and visitors. Insiders have more access to information resources than outsiders. For instance, students have more privileges than visitors: they have privileged access to RIT's computer network, a set of campus buildings and facilities, library databases, and faculty who can assist them with their studies. Visitors' access to the campus facilities and faculty material, by contrast, is limited. Insiders carry higher accountability for their actions because they have special privileges to use different types of private and intellectual property. Misuse of this property can be harmful to the institution's standing.

Procedures: Four kinds of this information asset were identified: IT, business, research and academic procedures. Every group can be classified as either standard or sensitive. The difference is that sensitive procedures can impose risk on the institution by making an attack possible. For instance, credit transfer is a standard academic procedure at RIT, whereas thesis procedures involve sensitive intellectual property; depending on the attack, a compromise can affect the position of the person writing the thesis or of the department supervising the thesis project.

Data: This component of risk management covers the states of data, namely transmission, processing and storage. RIT's network constantly carries a heavy load of information sent to and from it. Information is usually processed in RIT's network and stored in databases, file servers and authentication servers. Information that exists in these states includes research papers, intellectual property, financial documents, technical documents, business transactions with other parties, and academic and administrative documents.

Software: Because RIT is an educational institution, it has a variety of software resources, such as operating systems, applications, security components and database software. All of them are used to provide different services to university members safely and efficiently. Many of the applications used by RIT members are purchased from vendors such as Microsoft, Red Hat Linux, Adobe and others. For instance, Oracle database software is used in the HR Department to store and manage information about employees in order to perform other services, including payroll.

Hardware: RIT has many different hardware components that are used every day to access RIT's resources. These are desktops, servers, storage devices and wireless devices (cell phones, laptops, etc.), as well as CCTV cameras, network printers and door access controls that require cards with magnetic strips or RFID chips. All of the hardware listed above is authenticated through RADIUS servers or other methods when a person wants access to RIT resources.

Networking: RIT has a large infrastructure and requires a complex network to handle the transmission of all necessary information safely and efficiently. The network hardware is listed and described in the table below, which summarizes the assets that were identified at RIT.

| Asset Category | Asset Type | Description |
|---|---|---|
| People | People inside RIT | Students, faculty, staff, contractors, consultants |
| People | People outside RIT | Temporary employees, alumni, visitors, volunteers |
| Procedures | Procedures | IT, business, research and academic standard procedures |
| Data | Data/Information | Transmission, processing, storage, disposal |
| Software | Software | Applications, operating systems, security components, database software |
| Hardware | Hardware | Servers, desktops, storage devices, laptops and smart phones, CCTV cameras, network printers and door access controls |
| Networking | Networking component | Proxy servers, routers, switches, firewalls, gateways |

CLASSIFICATION OF ASSETS

After RIT's assets were identified, the document Security Standard: Institute Information Access and Protection was used to categorize and classify them. The data classifications are defined below, followed by a table that assigns different information assets to one of the classifications.

Private: It includes all confidential data that could be used for the theft of someone's identity. Private information consists of social security numbers, driving license numbers, individual taxpayer identities, etc.

Confidential: It includes all information that is restricted on a need-to-know basis. Confidential information consists of the educational records and files of students, personal information details of employees, etc.

Internal: It includes all information specific to the RIT community: professors, staff, alumni, students, volunteers, vendors, and others.

Public: It includes all the information everybody can access from any place without any limitations.

| Information asset | Classification |
|---|---|
| Faculty, staff and students' Social Security Numbers (SSN) | Private |
| Driving license numbers | Private |
| Financial information, including account numbers, credit/debit numbers | Private |
| University staff and students' personal information | Confidential |
| University staff and students' health information | Confidential |
| Research and writing reports | Confidential |
| Donor information | Confidential |
| Third party information | Confidential |
| RIT building layouts | Internal |
| RIT library information | Internal |
| RIT lab diagrams | Internal |
| RIT volunteers | Internal |
| RIT external website | Public |
| Devices in external DMZ | Public |

References

Whitman, Michael E. and Mattord, Herbert J. (2010). Management of Information Security 3rd Ed. Course Technology, Cengage Learning.

Information Access & Protection Standard for Rochester Institute of Technology. Revised 12/18/09

Business Continuity & Disaster Recovery Standard for Rochester Institute of Technology. Revised 5/18/10
