1 PURPOSE
The purpose of this standard is to provide acceptable use and security guidance to University employees for protecting University data stored on or accessed through personal or institutionally provided mobile devices such as smartphones, tablets, and laptops. This standard does not apply if the mobile device is used to browse public information without authentication on the University’s websites.
2 SCOPE
This standard applies to all University business and academic units and University-owned information systems that collect, store, process, share or transmit institutional data. Personally owned devices connecting to the University Campus Network must meet the Bring Your Own Device standard requirements.
3 STANDARD
3.1 Do not store Restricted or Protected University data (including sensitive student data, Protected Health Information and Social Security Numbers, etc.) on personal mobile devices.
- 3.1.1 Mobile device users who do have a valid business need to store non-public data must seek guidance regarding additional controls from appropriate Data Stewards or ET&S Cybersecurity.
- 3.1.2 Additional protection may include data encryption, passwords, automatic logoffs, and secure Internet transmissions. University employees are expected to secure devices to prevent unauthorized access when left unattended.
3.2 University employees should notify the campus Help Desk as soon as possible if a device containing university data is lost or stolen.
- 3.2.1 Mobile devices should have at least a 4-digit PIN to authenticate and an inactivity timeout of 15 minutes.
- 3.2.2 Whenever possible, University mobile devices will be able to remotely wipe stored data if the device is lost or stolen.
- 3.2.3 All persistent storage within mobile devices will be encrypted.
3.3 Disposal of University mobile devices is required to follow the SEED Process.
- 3.3.1 Data stored on mobile devices should be properly purged of all University information before the device is disposed of, donated, or an employee’s relationship with the University is terminated.
DOCUMENT HISTORY
- Approved by: Thomas Nudd, Chief Information Security Officer, August 24, 2022
- Reviewed by: Dr. David Yasenchock, Directory Cybersecurity GRC, August 24, 2022
- Revision History:
- V 1.0 Cybersecurity GRC Working Group - August 24, 2022
- V 1.1 Cybersecurity GRC Working Group - February 1, 2024
- May 30, 2024, K SWEENEY, Revised formatting