Mobile Device Security Best Practices


Purpose:

This document establishes the acceptable and supported use of mobile devices that access University-managed IT resources. Like desktop computers, mobile devices (such as smartphones, iPads and other tablets) must be appropriately secured so that all business information stored on or transmitted by the device is protected to an industry best-practice standard that meets all regulatory requirements. The goals are to prevent sensitive data from being lost or compromised, to reduce the risk of spreading malware, and to mitigate other forms of abuse of the University computing infrastructure.

Scope:

This document applies to all mobile devices that have access to campus networks, data and systems. To secure information stored on a mobile device, the campus community should adhere to the following best practices.

Password-protect your mobile device:

Physical security is a major concern for mobile devices, which are small and easily lost or misplaced. If your device is lost or stolen, its passcode may be all that stands between whoever finds it and your email and other sensitive data. Choose a strong passcode (a long PIN or, better, an alphanumeric password) and enable biometric authentication where the device supports it. Note that a fingerprint or face unlock does not replace the passcode: the passcode remains the fallback, and it is what protects the keys that encrypt the device's stored data, so a weak four-digit PIN undermines even a device that is normally unlocked biometrically.

Timeout/locking features:

Where available, enable the device's timeout/auto-lock feature; the shortest timeout you can tolerate gives the best protection. Most handheld devices also provide a lockout option that locks the device after several consecutive unsuccessful attempts to enter the password, PIN or pattern. Auto-wipe goes a step further: after a set number of consecutive failed attempts the device automatically erases (wipes) all stored data and resets itself to factory defaults. Because auto-wipe can be triggered by accident (a child, or accidental input in a pocket or bag), enable it only on a device whose data is backed up (see Regularly backup data below).

Promptly report a lost or stolen device:

In many cases a device can be remotely locked or wiped, preventing email and other sensitive data from being exposed. This only works while the device is still reachable and has not been switched off or wiped by the thief, so delay matters: learn which options (locate, remote lock, remote wipe) are available for your device before you need them, and exercise them promptly when necessary. Also record the device's serial number (and, for phones, the IMEI) and/or engrave the device. Lost or stolen University-owned devices should be reported to campus police.

Verify encryption mechanisms:

Your account username and password should never travel unencrypted over a wireless network. Wireless traffic, especially on open or shared networks, can easily be sniffed by anyone in radio range; therefore any sensitive data, and login information in particular, should only be sent over an encrypted channel. Connect to services only over HTTPS (and do not proceed past a certificate warning, which may indicate that someone is intercepting the connection), or use a VPN on your device so that all of its traffic is protected regardless of the application.
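To make the sniffing risk concrete, the following added example (not part of the University's policy text) shows what a passive observer on an open wireless network recovers from a login sent over plain HTTP. The two "captured" requests are constructed for this illustration (the hostnames, account name and password are made up), and the script is a simplified stand-in for a real packet-capture tool: it parses each cleartext request and pulls out credentials from an HTTP Basic Authorization header, from form fields in a POST body, and from query parameters. A small check, login_url_is_protected, shows the rule the policy asks for in code: a login endpoint is acceptable only if its scheme is https.

```python
# Added example: what a passive sniffer recovers from a cleartext HTTP login.
# Not the University's code; the captures below are constructed for illustration.
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample captures, as an eavesdropper on open Wi-Fi would see them:
# one HTTP Basic-auth request and one HTML form login (hostnames and creds made up).
CAPTURED_REQUESTS = [
    b"GET /webmail/ HTTP/1.1\r\n"
    b"Host: mail.example.edu\r\n"
    b"Authorization: Basic anNtaXRoOlMzY3IzdCFQdw==\r\n"
    b"\r\n",
    b"POST /portal/login HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=jsmith&password=S3cr3t%21Pw",
]

# Field names commonly used for credentials in login forms (assumption: a real
# tool would use a longer list or match on form structure).
USER_FIELDS = {"user", "username", "login", "email", "uid"}
PASSWORD_FIELDS = {"pass", "password", "passwd", "pwd"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _collect(fields: dict, found: dict) -> None:
    """Copy username/password-looking form or query fields into found."""
    for name, values in fields.items():
        key = name.lower()
        if key in USER_FIELDS:
            found["username"] = values[0]
        elif key in PASSWORD_FIELDS:
            found["password"] = values[0]


def extract_credentials(raw: bytes) -> dict:
    """Return whatever credentials an eavesdropper can read from one cleartext request."""
    method, target, headers, body = parse_http_request(raw)
    found = {"host": headers.get("host", ""), "method": method, "target": target}

    # 1. HTTP Basic auth is only base64, not encryption: trivially reversible.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        found["username"], _, found["password"] = decoded.partition(":")

    # 2. Credentials in a URL-encoded form body travel as plain text.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        _collect(parse_qs(body.decode("utf-8", "replace")), found)

    # 3. Credentials in the query string are visible too (and end up in server logs).
    _collect(parse_qs(urlsplit(target).query), found)
    return found


def login_url_is_protected(url: str) -> bool:
    """The policy's rule in code: a login endpoint is acceptable only over HTTPS."""
    return urlsplit(url).scheme.lower() == "https"


if __name__ == "__main__":
    for raw in CAPTURED_REQUESTS:
        print(extract_credentials(raw))
    for url in ("http://portal.example.edu/login", "https://portal.example.edu/login"):
        print(url, "protected" if login_url_is_protected(url) else "CLEARTEXT")
```

Both captures yield the account name and password in full; with HTTPS or a VPN the same eavesdropper sees only the destination host and encrypted bytes. Note that Basic authentication is not a form of encryption, which is why it must never be used outside TLS.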

Storing confidential/sensitive information:

Confidential/sensitive information should not be stored on mobile devices unless the device encrypts it at rest and the data owner has granted permission.

Disable options and applications that you don't use:

Reduce risk by limiting your device to the applications and services you actually need. Unused applications still need security updates and still add attack surface, and removing them may also conserve device resources such as battery life. Bluetooth and infrared (IR) are two examples of services that can open your device to unwelcome access if left enabled and improperly configured; turn them off when not in use.

Regularly backup data:

Keep a backup copy of any data you need in case your mobile device is lost or damaged. Consider using more than one backup mechanism and, if you travel, carry a portable backup device with you. Protect the backup as you would the device itself: a backup of sensitive data is just as sensitive and should be encrypted.

Follow safe disposal practices:

When you are ready to dispose of your device, remove all sensitive information first. Mobile devices typically hold personal information, such as contact details for family and friends, call history, personal photos, stored passwords, and potentially sensitive University data that can fall into the wrong hands. Take the following steps before returning, disposing of or passing ownership of your mobile device to someone else.

Step 1: Sign out of the device's cloud accounts (for example the Apple or Google account) so that activation lock does not leave the device unusable for the next owner, then wipe it by initiating a "factory reset". If device encryption is not already on, turn it on before the reset so that any remnant data is unrecoverable. Follow the instructions in the device manual or on the website of your mobile provider or device manufacturer.

Step 2: If you are disposing of or replacing a SIM and/or memory card, remove the card(s) and physically destroy them (e.g., shred). If you are transferring the cards to a new mobile device in your own possession, there is no need to wipe them.

Step 3: After the reset, verify that the device no longer holds your information: power it on and confirm that no accounts, contacts, photos, messages or previously installed apps remain and that it presents the first-time setup screen.