Using Mobile Devices to Store or Access University Information

Purpose

This policy is necessary to protect the confidentiality, availability, and integrity of Western Michigan University and University affiliates’ information while stored, transmitted, or processed on mobile devices.

Scope

This policy applies to any mobile device that is used to store or access University information. It will not supersede any University-developed policies but may introduce more stringent requirements than current policies dictate.

Policy

Any mobile device accessing or storing University restricted/confidential or internal information is subject to all University policies and, in addition, will adhere to the following.

If the capability exists for the device, mobile devices will be configured to:

  1. Receive and install security updates from the operating system vendor.
  2. Have anti-virus software enabled, active, and up to date.
  3. Use a device and/or screen saver password. Portable computing devices must, at a minimum, be password protected in accordance with University policy.
  4. Encrypt confidential data. The Office of Information Technology has developed encryption standards, provides help in managing encryption software and has created self-help documents for the use of encryption software on laptops and other mobile devices.
  5. Have an operating system-level firewall installed and active with exceptions being approved by the departmental LAN administrator.
  6. Connect to restricted/confidential or internal data through WMUnet using the security protocols required by the Office of Information Technology. This may include secured connections and use of the University-licensed Virtual Private Network (VPN) software.
  7. Register for access to WMUnet utilizing the existing device registration process, unless other departmental registration procedures are in place. Re-registration may be required periodically.
  8. Have physical security measures in place when not in use. This means the device must be secured, e.g. locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet with a cable lock system.

The University or any department within the University, at their discretion, may restrict the access of any mobile computing device to WMUnet if the mobile computing device presents a threat to the integrity of University data or other computing resources.

Definitions

A mobile device is any type of device that is designed to be moved and is capable of collecting, storing, transmitting, or processing electronic data or images. Movement in this case refers to the device generally not having a fixed connection to the network. Examples of mobile computing devices include but are not limited to a laptop or tablet PC, Smartphone, or a USB flash drive.

WMUnet is the campus wired and wireless network. To gain access to WMUnet, the device must be registered with the user’s Bronco NetID and password credentials.

Confidential information includes any individually identifiable information about WMU students, research participants, faculty, staff, alumni, donors, or others who do business with the university. 

Justification

Mobile devices are very popular because of their convenience and portability. The use of such devices, however, is accompanied by risks that must be recognized and addressed to protect both the physical devices and the information they contain. The most effective way to secure confidential data is not to store it on mobile devices. This can be accomplished by storing sensitive data only on secure central University servers and accessing it remotely using secure communication technologies. University business requirements may, however, on occasion justify storing confidential data on mobile devices. In these cases, users are required to ensure that steps have been taken to keep the data secure. It is the responsibility of the user to recognize these risks and take the necessary steps to protect and secure their mobile device.

Enforcement

Individuals using mobile devices that are attached to University network resources shall abide by the rules of this policy. Any person found to be in violation of this policy will be subject to appropriate disciplinary action as defined by current University policy.

Reference

Document action

Reviewed by: WMU LAN Managers Group
Reviewed by: Office of Information leadership team
Revised by: Campus Information Security Committee, May 2010
Approved by: Campus Information Security Committee, May 2010