PURPOSE
Establish security guidelines, responsibilities, and procedures for mobile computing devices and mobile storage devices in order to prevent internal/controlled and/or restricted University data from being lost or compromised.
SCOPE
This policy applies to all mobile devices, owned by the University or an individual, which are used to store, process, transport, or transmit Penn State data used by Penn State Mont Alto full-time and part-time faculty and staff.
DEFINITIONS
Mobile computing devices: Any portable computing or telecommunications equipment including, but not limited to, computer systems, personal digital assistants (PDAs), iPods, iPads, tablets, smart phones, or cell phones.
Mobile storage devices: Any portable device whose purpose is the storage of data. This includes, but is not limited to, USB storage devices, diskettes, compact disks, optical disks, and magnetic tape.
Mobile computing and mobile storage devices will be referred to as mobile devices in this document.
Non-public data: Any University data categorized as Internal/Controlled or Restricted by AD71 – Data Categorization.
POLICY
Reasonable efforts, in accordance with University policies and procedures, should be made to protect the integrity of University information and information systems when using mobile devices of any kind. Management and use of mobile devices must be in compliance with all University and Penn State Mont Alto Campus Policies, including but not limited to AD19 – Use of Penn State Identification Number and Social Security Number, AD20 – Computer and Network Security, AD23 – Use of Institutional Data, AD53 – Privacy Statement, AD71 – Data Categorization, ADG02 – Computer Facility Security Guideline, ADG07 – Data Categorization Examples, and established industry “best practices” identified by the University Security Operations and Services office.
General Guidelines:
- All mobile devices used to store or transport non-public data must be appropriately secured to prevent non-public data from being lost or compromised.
- All mobile devices must be password or biometrically protected, and whenever possible, all mobile devices should enable screen locking and screen timeout functions that require re-authentication upon waking.
- In accordance with University password policies, complex passwords resistant to human and computer-assisted discovery and compromise should be created and used whenever possible. Information on password “best-practices” can be found on the University Security Operations and Services website.
- Documents containing non-public data must be encrypted. If the mobile device does not support encryption, then it may not be used to store non-public data.
- Non-public data must be sanitized from the mobile device before it is returned, exchanged, or disposed of.
Responsibilities and Procedures:
- It is the responsibility of Information Technology Services to communicate regularly with the University Security Operations and Services office in order to determine “best practices” for mobile device management.
- Information Technology Services will be responsible for distributing information on effective password practices and effective security practices for mobile devices.
- It is the responsibility of each user to follow appropriate security and use practices as identified by Information Technology Services and the University Security Operations and Services office.
- Information Technology Services will assist end-users with how to secure mobile devices and non-public data on those devices at the request of the end-user.
- End-users should document the serial number(s) of their device(s), for reporting purposes, in the event that the device is lost or stolen.
- If a mobile device containing non-public data (owned by the University or an individual) is lost or stolen, promptly report the incident to Information Technology Services and the proper authorities. Additionally, individuals aware of any breach of information or network security, loss of a mobile device, or compromise of mobile devices or non-public data must report such situations to Information Technology Services.
- If available, use the remote wipe feature to remove any data from a lost or stolen device.
- Users should check the University Security Operations and Services website for additional suggestions for enhancing device and data security.
CROSS REFERENCE
Other policies that should also be referenced:
University Policies:
AD19 – Use of Penn State Identification Number and Social Security Number
AD20 – Computer and Network Security Policy
AD23 – Use of Institutional Data
AD53 – Privacy Statement
AD71 – Data Categorization
ADG02 – Computer Facility Security Guideline
ADG07 – Data Categorization Examples
Campus Policies:
PSU-MA-ITS-000 – End User Computing Agreement
PSU-MA-ITS-001 – Personal Computer Use in Conjunction with the University Data Network
PSU-MA-ITS-004 – Acceptable Use and Security Policy (AUP)
PSU-MA-ITS-005 – Password Policy
POLICY HISTORY
April 14, 2015 – Draft Finalized
April 22, 2015 – Policy Presented to Policy and Planning Advisory Committee
April 28, 2015 – Policy Ratified by Administrative Council