Mobile Device Security
Objective
In accordance with the Information Security and Acceptable Use Policy, all mobile
computing devices owned or managed by OCC must comply with the following procedure.
This procedure also applies to personally owned mobile computing devices (BYOD) used
to store Confidential or Limited Access Data (e.g., a personally owned smartphone
used to access OCC email).
Mobile computing devices are tablets, smartphones, or other devices designed to be easily portable that do not run a traditional operating system such as Windows, macOS, or Linux. They typically run an operating system such as iOS, Android, or Windows Phone and are capable of creating, storing, or processing College Data. (Requirements for laptops or tablets that use a traditional operating system are given in the Procedure for Desktops and Laptops.)
Authentication
All mobile computing devices must be configured to require authentication based on
a PIN, passcode, or biometric scan in order to unlock the screen and access the device.
After a period of inactivity not to exceed 15 minutes, the device must lock automatically
and require the user to authenticate again.
Mobile Communications
Wireless (Wi-Fi, Bluetooth) transmission of OCC data must use secure protocols or
encrypted data. Wi-Fi connections should use at least WPA2; if that is not available, do not
transmit OCC sensitive data over Wi-Fi without an additional layer of protection (HTTPS, VPN).
Note that WPA2 only protects the link to the access point, so web applications must use HTTPS
whenever they transmit sensitive data or login credentials, regardless of the Wi-Fi network.
Although Bluetooth has a short range, be cautious when pairing Bluetooth devices or
printers in a public area.
Data Restrictions
OCC-issued mobile computing devices must be encrypted where the employee's responsibilities
include handling confidential, FERPA, HIPAA, or PII data, or where the employee has financial
approval authority for purchasing or payments.
No unlicensed applications or unauthorized copyrighted content (software, music, video, pictures, etc.) shall be loaded onto an OCC-owned device. Pursuant to the Digital Millennium Copyright Act (DMCA), the device must not be used to stream illegally obtained content to or from the device.
Any personally owned computing device on which Confidential Data is stored or created must be encrypted in a manner that protects the Confidential Data from unauthorized access. Users must not allow browsers to save passwords for applications that hold OCC confidential, FERPA, HIPAA, or PII data, or that carry financial approval authority for purchasing or payments.
Data Removal
Users are required to remove College Data from any device before giving it to a third party
for maintenance, re-use, or trade-in. Users of mobile devices may initiate a remote
wipe using tools on the device, iCloud, iTunes, or Exchange's remote wipe
feature. Mobile computing devices may also be subject to remote erasure/wiping by authorized
College personnel in the event the owner's affiliation with OCC ends, the device is lost
or stolen, or at the direction of IT to contain an incident. Users are responsible
for the data from their business area and are required to remove all business data
from their device before the device is surrendered for replacement or re-use. IT staff
will follow their written procedures to remove all OCC data from devices before salvage.
Physical Security
Mobile computing devices should be physically secured in situations where theft is
likely, for example: charging in unattended areas of the college; left in open view in a
vehicle when traveling (place the device in the trunk instead); left unattended in public
places such as a coffee shop or food court, even for a minute; or left in an unattended hotel
room (lock it in the hotel safe when one is provided).
Logical Security
All OCC mobile devices whose users' responsibilities include handling confidential,
FERPA, HIPAA, or PII data, or who have financial approval authority for purchasing or payments,
must be managed by OCC IT. OCC devices and personal BYOD devices must be configured, or have
software installed and configured, with an application that allows the steward of the device
to locate it in the event it is lost or stolen and that provides remote lock and wipe capabilities
(e.g., "Find My" / iCloud for Apple devices, Google's "Android Device Manager" (now called
Find My Device), or Windows Phone's "Find My Phone").
Operating System (OS) Patching
OS patch updates should be configured for automatic installation of the latest security
patch upon release. If automatic patching is not available, patches must be installed within
7 days of release.
Applications
All applications must be at least at version n-1 (the current release or the one immediately
preceding it). Security patches must be installed in a timely manner, prioritized by the
likelihood and impact of vulnerability exploitation, and in any case within 7 days of release.
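As an added illustration (not part of the OCC procedure and not OCC's own tooling), the following Python script evaluates device inventory records against the measurable requirements in the Authentication, Data Restrictions, Logical Security, OS Patching, and Applications sections: screen lock with a timeout of at most 15 minutes, encryption for sensitive roles, IT management and a locate/lock/wipe agent, the 7-day OS patch SLA, and the application version n-1 rule. The inventory field names, the two sample device records, the patch release date, and the application release list are all constructed assumptions for the example; a real deployment would read these from an MDM export.

```python
"""Evaluate mobile device inventory records against the mobile device procedure.

The record layout (field names below) is a hypothetical MDM export shape
assumed for this example; it is not a real product's schema.
"""
from datetime import date

# Thresholds taken from the procedure text.
LOCK_TIMEOUT_MAX_MIN = 15
PATCH_SLA_DAYS = 7
# Data roles that trigger the encryption and IT-management requirements.
SENSITIVE_ROLES = {"confidential", "ferpa", "hipaa", "pii", "financial_approval"}


def parse_version(v):
    """'16.5.1' -> (16, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def meets_n_minus_1(installed, releases):
    """True if installed is at least the second-newest known release (n-1)."""
    known = sorted({parse_version(r) for r in releases}, reverse=True)
    floor = known[1] if len(known) > 1 else known[0]
    return parse_version(installed) >= floor


def evaluate(device, today, latest_os_patch, app_releases):
    """Return a list of policy findings for one record (empty list = compliant).

    latest_os_patch: release date of the newest OS security patch for the platform.
    app_releases: {app_name: [known release version strings]}.
    """
    findings = []

    # Authentication: lock required, inactivity timeout at most 15 minutes.
    if not device["screen_lock"]:
        findings.append("screen lock not required")
    elif device["lock_timeout_min"] > LOCK_TIMEOUT_MAX_MIN:
        findings.append(
            f"auto-lock {device['lock_timeout_min']} min exceeds {LOCK_TIMEOUT_MAX_MIN}")

    sensitive = bool(SENSITIVE_ROLES & set(device["data_roles"]))

    # Data Restrictions: encryption required for sensitive data or financial authority.
    if sensitive and not device["encrypted"]:
        findings.append("device storage not encrypted")

    # Logical Security: OCC devices with sensitive roles must be IT-managed;
    # every device (OCC or BYOD) needs a locate / remote lock / wipe agent.
    if sensitive and device["owner"] == "OCC" and not device["mdm_managed"]:
        findings.append("OCC device with sensitive role not managed by IT")
    if not device["locate_wipe_agent"]:
        findings.append("no locate/remote lock/wipe agent")

    # OS Patching: behind the latest patch for more than the 7-day SLA is a finding,
    # whether patching is manual or an enabled auto-update has stalled.
    if device["os_patch_level"] < latest_os_patch:
        overdue = (today - latest_os_patch).days
        if overdue > PATCH_SLA_DAYS:
            how = "auto-update enabled but stalled" if device["os_auto_update"] else "manual patching"
            findings.append(f"OS patch {overdue} days overdue ({how})")

    # Applications: every known app must be at version n or n-1.
    for app, installed in device["apps"].items():
        if app in app_releases and not meets_n_minus_1(installed, app_releases[app]):
            findings.append(f"{app} {installed} older than n-1")

    return findings


# Constructed sample data (not real devices, dates, or releases).
LATEST_OS_PATCH = date(2024, 5, 1)
TODAY = date(2024, 5, 20)
APP_RELEASES = {"OCC Mail": ["4.1.0", "4.2.0", "4.3.0"]}

COMPLIANT = {
    "id": "dev-001", "owner": "OCC", "data_roles": ["ferpa"],
    "screen_lock": True, "lock_timeout_min": 5, "encrypted": True,
    "mdm_managed": True, "locate_wipe_agent": True,
    "os_auto_update": True, "os_patch_level": date(2024, 5, 1),
    "apps": {"OCC Mail": "4.2.0"},
}
NONCOMPLIANT = {
    "id": "dev-002", "owner": "BYOD", "data_roles": ["financial_approval"],
    "screen_lock": True, "lock_timeout_min": 30, "encrypted": False,
    "mdm_managed": False, "locate_wipe_agent": False,
    "os_auto_update": False, "os_patch_level": date(2024, 3, 4),
    "apps": {"OCC Mail": "4.1.0"},
}

if __name__ == "__main__":
    for rec in (COMPLIANT, NONCOMPLIANT):
        result = evaluate(rec, TODAY, LATEST_OS_PATCH, APP_RELEASES)
        print(rec["id"], "compliant" if not result else result)
```

The BYOD record above does not get an "unmanaged" finding because the IT-management requirement in the procedure applies to OCC-owned devices; it still fails on encryption and the locate/wipe agent, which apply to BYOD as well.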
Exemptions
In the event that compliance with this mobile device procedure cannot be met, contact
the IT Support Center to submit an exemption request, which will be approved or
denied by IT. Denied exemption requests may be appealed to the CIO for a final decision.
Change Log