Mobile Device Security

  • Procedure Type: Information Technologies
  • Procedure Title: Mobile Device Security
  • Procedure Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Technologies & Resources
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

Objective
In accordance with the Information Security and Acceptable Use Policy, all mobile computing devices owned or managed by OCC must comply with the following procedure. This procedure also applies to personally owned mobile computing devices (BYOD) used to store Confidential or Limited Access Data (i.e., a personally-owned smartphone used to access OCC email).

Mobile computing devices are tablets, smartphones, or other devices designed to be easily portable that do not run a traditional operating system such as Windows, Mac OS, or Linux. They often use an operating system such as iOS, Android, or Windows Phone and are capable of creating, storing, or processing College Data. (Requirements for laptops or tablets that use a traditional operating system are available in the Procedure for Desktops and Laptops.)

Authentication
All mobile computing devices must be configured to require authentication based on a PIN, passcode, or biometric scan in order to unlock the screen and access the device. After a period of inactivity not to exceed 15 minutes, the device must lock automatically and require the user to correctly authenticate again.

Mobile Communications
OCC data communicated over wireless connections (Wi-Fi, Bluetooth) must be transmitted only via secure protocols or as encrypted data. Wi-Fi connections should use at least WPA2; otherwise, do not transmit OCC sensitive data over Wi-Fi without additional security protocols (HTTPS, VPN). Web applications should use HTTPS if transmitting sensitive data or login information. Bluetooth has a very short transmission distance; be cautious when pairing Bluetooth devices or printers in a public area.

Data Restrictions
OCC-issued mobile computing devices must be encrypted where employee responsibilities include handling of confidential, FERPA, HIPAA, or PII data, or where the employee has financial approval authority for purchasing or payments.

No unlicensed applications or unauthorized copyrighted content (software, music, video, pictures, etc.) shall be loaded on an OCC-owned device. Pursuant to the Digital Millennium Copyright Act (DMCA), the device will not be used to stream illegally obtained content to or from the device.

Any personally owned computing devices on which Confidential Data is stored or created must be encrypted in a manner which protects the Confidential Data from unauthorized access. Users should not allow browsers to save passwords for applications that contain OCC confidential, FERPA, HIPAA, or PII data, or that have financial approval authority for purchasing or payments.

Data Removal
Users are required to remove College Data from any device before giving it to a third party for maintenance, re-use, or trade-in. Users of mobile devices may initiate a remote wipe sequence using tools on the device, iCloud, iTunes, or Exchange’s remote wipe feature. Mobile computing devices may also be subject to remote erasure/wiping by authorized College personnel in the event the owner’s affiliation with OCC ends, the device is lost or stolen, or at the direction of IT to contain an incident. Users are responsible for the data from their business area; users are required to remove all business data from their device before the device is surrendered for replacement or re-use. IT staff will follow their written procedures to remove all OCC data from devices before salvage.

Physical Security
Mobile computing devices should be physically secured in situations where theft is likely (i.e., charging in unattended areas of the college; left in open view in a vehicle when traveling, rather than placed inside the vehicle trunk; unattended at public places like a coffee shop or food court, even for a minute; and/or left in an unattended hotel room, rather than locked in the hotel safe when provided).

Logical Security
All OCC mobile devices where employee responsibilities include handling of confidential, FERPA, HIPAA, or PII data, or where the employee has financial approval authority for purchasing or payments, must be managed by OCC IT. OCC devices and personal BYOD devices must be configured with, or have installed and configured, an application that allows the steward of the device to locate it in the event it is lost or stolen, with remote lock and wipe capabilities (i.e., “iCloud” for Apple devices, Google “Android Device Manager”, Windows Phone “Find My Phone”).

Operating System (OS) Patching
OS patch updates should be configured for automatic installation of the latest security patch upon release. If automated patching is not available, the patch must be installed within 7 days of release.

Applications
All applications must be at least at version n-1. Security patches must be installed in a timely manner, depending on the likelihood and impact of vulnerability exploitation, at least within 7 days of release.
  
Exemptions
In the event that compliance with this mobile device procedure cannot be met, please contact the IT Support Center to submit an exemption request, which will be approved or denied by IT. Denied exemption requests may be appealed to the CIO for final decision.

Change Log

  • 07-01-2018  Effective date
