IT-12.1 Mobile Device Security Standard

Scope

This standard applies to all faculty, staff, affiliates, and student-employees who choose to use a mobile computing device, regardless of who owns the device, to access, store, or manipulate institutional data.

Rationale

The use of mobile devices to access information, including personally owned devices, has become pervasive. Although this use fosters increased convenience and productivity, mobile devices and the information stored on them and accessed from them are at increased risk of inappropriate exposure due to loss or theft. Therefore, to mitigate this risk, additional safeguards must be applied to mobile devices used to access university information.

Standard

All mobile devices used by faculty, staff, affiliates, or student-employees to access, store, or manipulate institutional data must:

• have appropriate safeguards applied to mitigate the risk of information exposure due to loss or theft (see table below). These safeguards may be verified at the university's discretion and promoted via technical means.
• be reported to it-incident@iu.edu if lost, stolen, or otherwise compromised.
• be wiped before transferring ownership (e.g. sales or trade-ins).

For instructions on applying the safeguards described in the table below to handheld devices, see How can I protect data on my mobile device?

Required safeguards by device type

[1] Remember that use of mobile devices to access, store, or manipulate critical information requires:

• Written approval from the senior executive of the unit involved or the Institutional Review Board confirming a critical business need, and
• Encrypting the information on the device and in transit. Source: Protecting Red-Hot Data.

Devices that do not support encryption must not be used to access, store, or manipulate critical information.

In addition to appropriate information handling requirements determined by the general data classification, sector-specific data (ex. PCI-DSS, HIPAA, etc.) may have additional requirements. Check with the appropriate official or office, or contact the UIPO for assistance. See Protecting Red-Hot Data for additional direction on the safe handling of Critical Information.

[2] See KB article on Passwords and Passphrases.

Definitions

Standard – Standards (like procedures) support policy by further describing specific implementation details (i.e. the "how"). A standard can be thought of as an extension of policy that articulates the rules, mechanisms, technical or procedural requirements or specifications to be used in carrying out/complying with policy. Standards, along with procedures, promote a consistent approach to following policy. Standards make policies more practically meaningful and effective. Standards are definitional and clarifying in nature specifying the minimums necessary to meet policy objectives. Because standards directly support policies, compliance with standards is non-optional and failure to follow standards may result in sanctions imposed by the appropriate university office.

Institutional data (or information) – Data is considered institutional data if it meets one or more of the following criteria: 1) The data is relevant to planning, managing, operating, or auditing a major administrative function of the university, 2) The data is referenced or required for use by more than one organizational unit, 3) The data is used to derive a data element that meets these criteria.
Source: Policy DM-01.

Critical Data (or information) – Inappropriate handling of this data could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals.
Source: Classifications of Institutional Data.

Mobile computing device – This includes electronic devices that are capable of accessing, storing, and manipulating information in an untethered manner (usually, but not always, through a wireless connection). This includes laptop/notebook computers, personal digital assistants, smart phones, tablets; and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations.

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.

Related Information

• Policy IT-12 Security of Information Technology Resources
• Policy ISPP-26 Information & Information System Incident Reporting, Management, & Breach Notification
• At IU, what should I do if my computer is stolen? (KB)
• Protect data on your mobile device (KB)
• Your mobile device at IU (KB)

Responsible Organization

Office of the Vice President for Information Technology
University Information Policy Office

History

Initial draft – June 15, 2012
Revised – Sept. 26, 2012, Oct. 24, 1012, Nov. 16, 2012, Jan. 16, 2013, and Feb. 5, 2013
Effective – Feb. 5, 2013