Using Mobile Devices to Store or Access University Information Policy

Purpose

This policy is necessary to protect the confidentiality, availability, and integrity of Western Michigan University information and data while stored, transmitted, or processed on mobile devices.

Scope

This policy applies to any mobile device that is used to store or access University information or data.  

Policy

Any user of any mobile device accessing or storing University restricted/confidential or internal information is subject to all University policies and in addition, will adhere to the following.

1. Keep mobile devices with you at all times or store them in a secured location when not in use. Do not leave your mobile devices unattended in public locations, e.g. airports, meeting rooms, restaurants, etc.
2. Mobile devices must be password protected and auto lockout must be enabled. The password must block all access to the device until a valid password is enabled. The password must be as strong as your device will support. Learn more about creating strong passwords. 
3. Enable a "remote wipe" procedure if available so that in the event the device is lost or stolen, a command can be issued so that all data on the device is deleted.  Also assure data has been wiped or securely deleted from your mobile device before you dispose of it.
4. Standard security protocols must be followed. This includes ensuring your device has current anti-virus software and all operating system and application updates and patches. Firewalls must be enabled if possible.
5. Encrypt confidential data. The Office of Information Technology has developed encryption standards, provides help in managing encryption software and has created self-help documents for the use of encryption software on laptops and other mobile devices.
6. Have an operating system-level firewall installed and active with exceptions being approved by the departmental LAN administrator.
7. Connect to restricted/confidential or internal data through WMUnet using the security protocols required by the Office of Information Technology. This may include secured connections and use of the University-licensed Virtual Private Network (VPN) software. 
8. Register for access to WMUnet utilizing the existing device registration process, unless other departmental registration procedures are in place. Re-registration may be required periodically.
9. Lost, stolen or misplaced mobile devices that contain University information or data should be immediately be reported. See information security incident response.

The University or any department within the University, at their discretion, may restrict the access of any mobile computing device to WMUnet if the mobile computing device presents a threat to the integrity of University data or other computing resources. See also mobile device security.

Definitions

A mobile device is any type of device that is designed to be moved and is capable of collecting, storing, transmitting, or processing electronic data or images. Movement in this case refers to the device generally not having a fixed connection to the network. Examples of mobile computing devices include but are not limited to a laptop or tablet PC, Smartphone, or a USB flash drive.

WMUnet is the campus wired and wireless network. To gain access to WMUnet, the device must be registered with the user’s Bronco NetID and password credentials.

Confidential information includes any individually identifiable information about WMU students, research participants, faculty, staff, alumni, donors, or others who do business with the University. See also data classification.

Justification

Mobile devices are very popular because of their convenience and portability. The use of such devices, however, is accompanied by risks that must be recognized and addressed to protect both the physical devices and the information they contain. The most effective way to secure confidential data is not to store it on mobile devices. This can be accomplished by storing sensitive data only on secure central University servers and accessing it remotely using secure communication technologies. University business requirements may however, on occasion, justify storing confidential data on mobile devices. In these cases, users are required to assure that steps have been taken to keep the data secure. It is the responsibility of the user to recognize these risks and take the necessary steps to protect and secure their mobile device.

Enforcement

Individuals using mobile devices that are attached to University network resources shall abide by the rules of this policy. Any person found to be in violation of this policy will be subject to appropriate disciplinary action as defined by current University policy.

Reference

• Data security responsibilities
• File encryption
• WMU data classification policy
• WMU password guidelines
• WMUnet acceptable use policy