Mobile device standard
Purpose
To establish information security requirements for the use of mobile devices ("device").
Standard
Users who access, store, or process university data via a device must apply appropriate safeguards so that the risk of information exposure due to loss or theft is effectively mitigated. Mitigation strategies for devices are as follows:
- Devices and data that store, access, or process sensitive information must be encrypted. Criteria for acceptable encryption are outlined in the information security standard Acceptable Encryption.
- Encryption passwords should meet the standard set within the policy University Credentials (91.004) and should be secured.
- Devices must employ device access protections. Examples include passcodes, complex passwords, pattern swipe, card swipe, fingerprint readers, etc.
- Passwords must be consistent with the standard set within the policy University Credentials (91.004).
- The device must be configured with an inactivity timeout mechanism that requires re-authentication before further use. A timeout of no more than fifteen (15) minutes is recommended; shorter durations may be implemented, when appropriate, based on risk and usage.
- Users should ensure the physical security of devices by implementing the following:
  - Devices must be used and stored in a manner that deters theft.
  - Devices should use tracking and recovery software to facilitate return if lost or stolen.
  - Devices must have remote wipe functionality set up in case the device is lost or stolen.
- In accordance with the information security standard Security Incident Reporting and Breach Notification, users must immediately report any incidents or suspected incidents of unauthorized data access, data or device loss, and/or disclosure of system resources as it relates to devices.
- Disposal of devices must comply with the information security standard Media Sanitization.
Required safeguards by device type
Handheld mobile devices (smartphones, tablets, etc.)
Safeguard | Requirement
Encryption | Required for storage of sensitive data
Passcode | Required
Auto Lock | Required after a maximum of 15 minutes of inactivity
Intrusion Prevention | Required lockout or wipe after 10 incorrect attempts
Remote Wiping | Recommended if supported by device or application

Laptops and notebook computers
Safeguard | Requirement
Encryption | Required for storage of sensitive data
Passcode | Required; a passphrase must be used to access the operating system
Auto Lock | Required after a maximum of 15 minutes of inactivity
Intrusion Prevention | Required lockout after a maximum of 10 incorrect attempts, which expires after a 15-minute minimum
Remote Wiping |

Mobile storage devices (USB storage devices, CDs, DVDs)
Safeguard | Requirement
Encryption | Required for storage of sensitive data
Passcode | Required encryption key

- Written approval from the Dean or IRB confirming a critical business need
- Encryption of the information on the device and in transit
- Devices that do not support encryption must not be used to access, store, or manipulate sensitive data.
References
- Policy 91.004 University Credentials
- NIST 800 Series Publications
- Information Security Standard: Acceptable Encryption
- Information Security Standard: Security Incident Reporting & Breach Notification
- Information Security Standard: Media Sanitization
Definitions
Users – faculty, staff, third-party agents of the university, and other authorized university affiliates accessing university data.
Mobile device (device) – handheld mobile devices such as smartphones, tablets, etc., laptops or notebook computers, and mobile storage devices such as USB storage devices, CDs, or DVDs.
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete the Exception Request form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate, based on changes in the technology landscape and/or changes to established regulatory requirements.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Finance and Administration: Chad Mitchell
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved November 20, 2020.