˿��Ƶ

Mobile Devices (Phones & Tablets)

Type

Information Technology Policies

Category

Information Security Policies

The following are the minimum security requirements that must be followed for each DCL.

Systems Management

Data Classification Level (DCL)	Minimum Security Requirements
Levels 1-3:	Autolock setting should be enabled. Password or passcode must be set and must not be "simple" (e.g., 1234, 1111, etc.). Encryption must be enabled when technically possible. Operating system and applications updates must be applied as soon as they are available. Recommend use of anti-virus software
Level 4 (Highly Restricted Data)	Must comply with DCL1, DCL2 and DCL3 requirements. Autolock must be enabled and must not exceed 15 minutes. Device must support encryption. Devices that do not support encryption may not be used to access or store DCL4 information or data. Should set automatic wipe after a certain number of bad login

Network Security

Data Classification Level (DCL)	Minimum Security Requirements
Levels 1-3:	Central IT departments and system administrators must ensure adherence to the Network Security Standard. Automatic joining to unknown or untrusted networks should be turned off. Device should not be used as a hotspot/access point for other devices. University business must not be conducted on public/unsecured wireless networks (e.g., coffee shop WiFi networks) except through the use of VPN or other secure remote access services as provided or authorized by your campus IT department.
Level 4 (Highly Restricted Data)	Must comply with DCL1, DCL2 and DCL3 requirements. Automatic joining to unknown or untrusted networks must be turned off. Device must not be used as a hotspot/access point for other devices.

Physical Security

Levels 1-4:
- Lock the screen and physically secure the device when unattended.
- Report lost or stolen devices containing University data to the appropriate Information Security Officer (ISO) per the Mandatory Reporting Requirement.

Data Disposal

Levels 1-4:
- All computing devices that are surplussed or otherwise disposed of must follow University surplus property and data disposal policies.

Personally-Owned Phones & Tablets

Levels 1-4:
- Personally-owned mobile devices used for University business must be managed according to the same standards as University-issued devices.
- University business information/data must not be permanently stored on a personally-owned devices, except for information/data that may be included in University emails.

Travel

Levels 1-4:
- Review and follow the Information Security Travel Standard when traveling with a mobile device.