
Mobile Device Security Policy

1.0 Introduction

This policy defines the policies and practices that must be applied to any type of mobile device, issued by Metropolitan State College of Denver, that is used for business purposes and that stores or accesses confidential Metro State information.

2.0 Purpose

This policy was created to mitigate known risks associated with each of the following through the use of mobile devices:

Confidentiality: a breach of confidentiality, especially personal, confidential information;

Integrity: a breach of system or information integrity due to unauthorized access; and

Availability: a loss of availability to critical systems due to unauthorized access or malicious software.

The policy is intended to address all forms of electronic information including but not limited to email, text messages, and data.

3.0 Scope

This policy applies to any mobile device issued by Metropolitan State College of Denver that is used for business purposes and used to store or access confidential Metropolitan State College of Denver information. This policy applies to all mobile devices, including, but not limited to, smart phones, personal digital assistants, mobile readers, laptops and portable storage devices.

4.0 Policy

The Responsible Use of Information Technology Resources Policy specifies the rights and responsibilities of faculty and staff in the use of computing resources.

The Data Classification and Protection Policy specifies that all members of the College community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the College, irrespective of the medium on which the data resides and regardless of format (i.e., electronic, paper or other physical form).

Definition of Confidential Data

Personally identifiable information (PII) is classified as Confidential Data. PII is any element of data that, by itself, uniquely identifies a specific individual outside of the context of Metropolitan State College of Denver. Confidential Data is any data that contains any personally identifiable information, or other information that is protected by statutes, regulations, College policies or contractual language. Managers may also designate other data as Confidential. Confidential Data may be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the College should be authorized by executive management and/or the Vice President and General Counsel.

The Electronic Media Sanitation and Disposal Policy specifies the procedures to ensure that private, confidential or proprietary data is not inadvertently made available to persons not authorized to have the data. This policy includes the requirement that no electronic media which has been used to store college data is to be given away, traded, sold, sent to surplus, or thrown away, and that electronic storage devices, including hard drives, tapes, CD-ROM, DVD, and any other electronic storage devices, are to be fully erased before they are redeployed and are to be completely destroyed before disposal.

This policy addresses the additional responsibilities of faculty and staff when using mobile devices purchased with Metro State funds, to ensure compliance with College policies for acceptable use, data protection and asset management.

 

Access

Access to Metropolitan State College of Denver information resources using a mobile device must be approved and documented.

• All mobile devices must be associated with a faculty or staff member (custodian). The custodian must register the device with Administrative Computing for security and inventory management purposes.

• Bluetooth capabilities should be disabled unless they are necessary for the particular use and the appropriate additional controls are in place to ensure connections are made only to trusted devices, especially when used in public places.

• Only applications recommended by Administrative Computing should be installed and used on mobile devices purchased by Metropolitan State College of Denver.

 

Authentication

Mobile device access must require a password.

• SIM access must require a password.

• Strong passwords are required for applications that access or store sensitive information. The college standards for strong passwords are defined in IT Policy – Computer Access Passwords.

 

Encryption

The use of encryption is required for all mobile devices that support such functionality, and store or access sensitive, confidential or personally identifiable information. Device or full disk encryption is preferred when applicable. Subsystem or file-level encryption solutions may be acceptable provided Administrative Computing has been advised of such use.

• The use of encryption is required for the transmission of sensitive information to/from mobile devices. The Metro State Microsoft Exchange email system encrypts all email exchanges.

 

Vulnerability Management

• Security software should be used on mobile devices.

• Critical security updates for in-use software must be deployed to all mobile devices.

 

Incident Detection and Response

The mobile device custodian must report lost or stolen mobile devices to Administrative Computing immediately.

• Every mobile device with the capability to remotely wipe the device and/or track its location will be wiped clean and tracked when Administrative Computing is notified that it is lost.

 

Additional Responsibilities

Users must sign a document that acknowledges they have read and understand the policies pertinent to the use of mobile devices purchased by Metropolitan State College of Denver for college purposes.

• Users will limit the storage of sensitive data on mobile devices.

• Critical data that is stored on a mobile device must be backed up to a Metropolitan State College of Denver file server on a regular basis.

• Users will physically secure the mobile device when left unattended. Whenever possible, mobile devices will be hidden from view when not attended or in use.

• Users will not allow unattended access to the mobile device by another user.

• Users will return college supplied mobile devices at the end of employment, at which time the device will be wiped and may be reissued.

• Users must comply with all applicable laws regarding the use of mobile devices while operating moving vehicles.

 

Mobile Device Security Policy – September 7, 2011