Resolving Risks to the Rice University Network
This page explains the responsibility of system owners to resolve the risks their systems pose to Rice networks, and the steps involved in doing so.
The Information Security Office (ISO) works with the campus to identify risks to University systems and data. If you have been identified as the owner (or responsible party) of a system with at least one vulnerability that introduces potential risk to Rice University, you are required to do one or more of the following:
- Remediate (resolve) the risk
- Mitigate the risk (minimize it through controls)
- Request a temporary acceptance of risk for that system (approved by the CIO for Rice University)
Mitigation or compensating controls:
- Implement third-party support agreements for extended hardware or software support
- Disallow remote access to the system
- Relocate research data, personally identifiable information (PII), financial or other critical data to a more secure system
- Reduce and/or remove all services not specifically required by the core function of the system (such as SMB, FTP, and RDP)
- Upgrade all required service software to current versions
- Discontinue using the system for normal user-based operations (such as web browsing and email clients)
- Remove user applications not required for the system's primary function (personal user apps, e.g. email, browsers)
- Restrict access to the system by using host-based firewall configurations to limit access to mission-critical functions
- Restrict outbound access to only critical local sites
- Restrict user access to the system
- Disable or remove file sharing services
- Disable USB support on the device
- Enable multi-factor authentication for system access
- Ensure that the system is configured with centralized management controls and endpoint management solutions (e.g. MSAD, JAMF, RH Satellite)
- Install antivirus and anti-malware software that is updated regularly
- Review system configurations with professional OIT staff regularly
- Remove or disable unused local credentials and back doors
Conditional Exception Request
To be able to request an exception, the following criteria must be met:
- System cannot be compromised (containing viruses, malware, or command and control software) or publicly accessible (having a public IP address).
- System cannot have access to or contain Rice confidential or sensitive data (email, FERPA data, ePHI/PII, financial or research data, unrestricted file services).
- System must have a defined Owner and Steward.
- System / Service must be critical to Rice University or Department operations.