|Title:||Mobile and Remote Device Security, Information Technology|
|Policy Owner:||Information Technology Services / Chief Information Security Officer|
|Applies to:||All faculty, staff, student employees, and volunteers|
|Campus Applicability:||All campuses except UConn Health|
|Effective Date:||August 30, 2021|
|For More Information, Contact||UConn Information Security Office|
|Contact Information:||firstname.lastname@example.org or email@example.com|
To ensure data and information systems security by establishing requirements for mobile and remote devices. Mobile and remote devices are important tools for the University, and their use is supported to advance the mission of the university. Mobile and remote devices also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, mobile and remote devices can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems.
This policy applies to all University faculty, staff, student employees, and volunteers who use mobile or remote devices to access any non-public IT resources owned or managed by the University.
IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution.
Mobile Electronic Device: Includes telecommunication and portable computing devices which can execute programs or store data, including but not limited to laptops, tablet computers, smartphones, and external storage devices. Generally, a device capable of using the services provided by a public/private cellular, wireless, or satellite network.
Remote Device: Personal computer used off-site
University of Connecticut faculty, staff, student employees, and volunteers who use mobile or remote devices are responsible for any institutional data that is stored, processed, and/or transmitted via a mobile or remote device and for following the security requirements set forth in this policy.
To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements:
All users of a mobile electronic device used to access non-public university systems must take the following measures to secure the device:
- Configure the device to require a password (minimum of 10 characters), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 5 minutes of idle time.
- Keep devices on currently supported versions of the operating system and remain current with published patches.
- Enable the device’s remote wipe feature to permit a lost or stolen device to be securely erased.
- Securely store electronic devices at all times to minimize loss via theft or accidental misplacement.
Wherever practical, elements of these requirements will be enforced via centrally administered technology controls.
STORAGE OF CONFIDENTIAL DATA
In general, confidential data should not be stored on mobile devices, including laptops. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, confidential data must be stored on university-owned devices ONLY with the following requirements:
- Except when being actively used, confidential information must at all times be encrypted on any device through a mechanism approved by the University. Alternatively, whole drive encryption software may be deployed to meet this requirement.
- Mobile devices must have university-supported software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices.
- Devices must have Mobile Device Management software installed to facilitate device protection, including remote wipe and, if possible, device location technology for recovery.
DEVICE DECOMISSION OR SEPARATION FROM UNIVERSITY
When mobile devices, specifically personally owned devices that may have had access to University resources or data, are no longer used, and donated, or given to anyone, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems.
In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal devices or computers.
Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.
Questions about this policy or suspected violations may be reported to any of the following:
Office of University Compliance – https://compliance.uconn.edu (860-486-2530)
Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)
Information Security Office – https://security.uconn.edu
Policy created: August 30, 2021 [Approved by President’s Senior Team]