Acceptable Use of Mobile Devices

Overview:

Mobile devices, such as smartphones and tablet computers, are important tools for organizations and their use is supported to achieve business goals.  However mobile devices also represent a significant risk to information security and data security.  If the appropriate security applications and procedures are not applied, they can be a conduit for unauthorized access to the organization’s data and IT infrastructure.  This can subsequently lead to data leakage and system infection.

Saint Michael’s College (SMC) has a requirement to protect its information assets in order to safeguard intellectual property and institutional reputation. This document outlines a set of practices and requirements for the safe use of mobile devices.

Scope:

The scope of this policy includes the following:

• All mobile devices, whether owned by SMC or owned by employees, that have access to institutional networks, data and systems.  This includes smartphones and tablet computers, but not institutionally owned laptops managed by IT.
• Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted by the SMC IT security team. 

Applicability:

This policy applies to all users of all information systems that are the property of, or used by, SMC. Specifically, it includes:

• All employees, whether employed on a full-time or part-time basis by SMC
• All contractors and third parties that work on behalf of and are paid directly by SMC
• All contractors or consultants that work on behalf of SMC but are paid by a third party
• All employees of partners and clients of SMC that access SMC’s non-public information systems
• All students, graduate and undergraduate, whether enrolled full time or part-time at SMC
• Any other user with authorized network access

Technical Requirements:
The following technical requirements must be followed when using mobile devices to connect to SMC information systems:

• Devices must run a recent version (within the last 6 months) of IOS and Android operating system
• Whole device encryption must be enabled
• Devices must be configured with a secure logon access method enabled:
  • A password/passcode that has a minimum of 6 characters
  • Additional secure access methods may be used depending on the device’s capabilities.  These may include:
    • Fingerprint of the user
    • Facial recognition of the user
    • Swipe code
• Devices must be configured to lock the screen after a maximum of 5 minutes of inactivity
• Devices must be configured to wipe all data after 10 invalid login attempts
• Configure the ability to remotely wipe the phone if necessary:
  • Enable and configure the device’s Find My Phone feature according to your device’s operating system
  • For Microsoft email users only – Install the Microsoft Outlook email client and connect it to SMC’s Exchange/Office 365 email system
• Devices must store all user-saved passwords in an encrypted password store
• Devices should be backed up in an effort to avoid losing personal information in the event that a phone must be wiped

User Requirements:

1. Users must only load data essential to their role onto their mobile device(s) and must never download personally identifiable information (PII), classified personal information.
2. Users must report all lost or stolen devices to the SMC IT helpdesk immediately.
3. If a user suspects that unauthorized access to institutional data has taken place via a mobile device the user must report the incident to the SMC IT helpdesk immediately.
4. Devices must not be “jailbroken”* or have any software/firmware installed which is designed to gain access to functionality not intended to be exposed to the user.
5. Users must not load pirated software onto their devices.
6. Applications must only be installed from official platform-owner approved sources. These include The Apple Apps Store and the Google Play Store.  Installation of code from un-trusted sources is forbidden.  If you are unsure if an application is from an approved source contact the SMC IT helpdesk.
7. Devices must be kept current with manufacturer or network provided updates.  As a minimum users should check for updates weekly and apply at least once a month.
8. Devices must not be connected to a PC which does not have up-to-date and enabled anti-malware protection and which does not comply with our SMC Acceptable Use policy.
9. Users must be cautious about the use of both personal and work email accounts on their devices, and must take particular care to ensure that institutional data is only sent through the SMC exchange email system. If a user suspects that institutional data has been sent from a personal email account, either in body text or as an attachment, they must notify the SMC helpdesk immediately.

Enforcement:

At this time the policy relies on voluntary compliance but consider the following scenario:

A member of a department with access to all employee social security numbers loses their phone or it is stolen.  What would you want done?

If the user had complied and even if the user ws an exception to the PII rule, there would be little to no risk.  If the user had not complied, a call to the helpdesk could result in a wipe of the phone and no risk.  The procedure to authorize that wipe includes a discussion with the owner, the relevant Vice-President, the CIO and IT staff.  Their decision is final.

Violation of any of the constraints of this policy may be subject to discipline as outlined in the employee and student handbooks, or the termination of the contract in the case of contractors or consultants.  Additionally, individuals may be subject to loss of Saint Michael's College information resource access privileges, may be subject o legal action, and my also be held financially liable. 

The College reserves the right to revoke access privileges at its sole discretion in the event of a threat to network security or a security breach.

Notification of possible violations may be made to the Helpdesk at 802.654.2020 or to abuse@smcvt.edu

*To jailbreak a mobile device is to remove the limitations imposed by the manufacturer.  This gives access to the operating system, thereby unlocking all its features and enabling the installation of unauthorized software.