Mobile Device Guidance

PURPOSE
This document describes the security guidelines the university has developed for mobile devices. Like desktop computers, mobile devices (such as iPads, Android tablets, mobile phones, PDAs, and laptop computers) must be appropriately secured to prevent sensitive data from being lost or compromised, to reduce the risk of spreading viruses, and to mitigate other forms of abuse to the university’s computing infrastructure. The purpose of this document is to clearly state university guidelines and user responsibilities necessary to mitigate risk and to protect university information stored on mobile devices.

SCOPE
The guidelines described in this document apply to Bryant University faculty, staff, contractors, vendors, and other personnel who are granted privileges to access university resources via a mobile device.

GUIDELINES AND RECOMMENDATIONS

1.0 University Owned Mobile Devices
Certain university employees are required to use mobile devices to facilitate university business. Employee supervisors must identify those employees who require a mobile device as part of their job responsibilities. Campus Technology Services along with the Telecommunications group will work directly with these individuals to assist with the purchase of a mobile device and the appropriate data/voice plan.

Employees are allowed incidental personal use of university owned mobile devices as long as no applicable state or federal laws and university policies are being violated by such use. Employees are reminded that university owned mobile devices, data stored on a device, and the data/voice plans and records are the sole property of the university. When an employee leaves the university, all university owned mobile devices must be returned to the university unless other arrangements are made and approved by the employee's supervisor.

2.0 Personally Owned Mobile Devices
The university allows employees who are not required to use a mobile device as part of their position to connect personally owned mobile devices to the university’s resources to access and synchronize email data, contacts, and calendar information. All use must comply with state and federal laws, as well as with the university’s own policies and guidelines governing appropriate use of technology.

3.0 Mobile Security & User Responsibilities
If an employee, either due to work-related requirements or through their own personal choice, elects to access the university’s resources via a mobile device, they must adhere to the university’s acceptable use policy, best practices and guidelines. Refer to the university’s acceptable use policy found here.

If a university owned or personal mobile device containing university data is lost or stolen, it is the responsibility of the device owner to call Campus Technology Services (Helpdesk) x24357 to report the missing device. If a personally owned mobile device was connected to the university’s email system, an employee may request the remote wipe of the device data if lost or stolen.

4.0 General Security

  • Keep your mobile devices with you at all times or store them in a secured location when not in use.  Do not leave your mobile devices unattended in public locations (e.g. airport lounges, meeting rooms, restaurants, etc.).
  • Mobile devices should be password protected and auto lockout should be enabled. The password should block all access to the device until a valid password is entered. The password used should be as strong a password as your device will support. Enable a “remote wipe” feature if available. This also includes features that delete data stored on the mobile device if a password is not entered correctly after a certain number of specified tries.
  • Do not circumvent security features or otherwise “jailbreak” your mobile device.
  • Standard security protocols should be followed.  This includes ensuring your device has current anti-virus software and all operating system and application updates and patches.  Firewalls should be enabled if possible.
  • Wipe or securely delete data from your mobile device before you dispose of it.

5.0 Secure Transmission

  • Where possible, data transmissions from mobile devices should be encrypted. 
  • Wireless access, such as Bluetooth, Wi-Fi, etc., to the mobile device should be disabled when not in use to prevent unauthorized wireless access to the device.
  • If available, wireless access should be configured to query the user for confirmation before connecting to wireless networks.

6.0 Application and Data Security

  • Do not install software from unknown sources as they may include software harmful to your device. Research the software that you intend to install to make sure that it is legitimate.
  • When installing software, review the application permissions. Modern applications may share more information about you than you are comfortable with, including allowing for real time tracking of your location and access to your data, especially if you use social credentials to authenticate with the application.
  • Be careful when storing your personal data on your mobile device. If you lose the device, you could lose your data.
  • Follow the University’s data classification and storage guidelines with respect to University data stored on your mobile device.

7.0 Enforcement
The University considers any violation of the directives outlined within this document to be an objectionable offense. Failure to comply may subject the violator to disciplinary action by the University.

8.0 Exceptions
Any exceptions to directives outlined within this document are to be reviewed and approved by the Information Security Program Committee as needed.

9.0 Enacted and Revisions
Date Enacted: 9/21/2012
Revision: 1.2
Last Reviewed: 4/12/2016
Next Review: April 2017

10.0 Standards and Reference Categories
ISO 27002:2013 6.2 – Mobile devices and teleworking