Mobile device standard

Purpose

To establish information security requirements for the use of mobile devices ("device").

Standard

Users who access, store, or process university data via a device must apply appropriate safeguards so that the risk of information exposure due to loss or theft is effectively mitigated. Mitigation strategies for devices are as follows:

  1. Devices and data that store, access, or process sensitive information must be encrypted. Criteria for acceptable encryption are outlined in the information security standard Acceptable Encryption.
    1. Encryption passwords should meet the standard set within the policy University Credentials (91.004) and should be secured.
    2. Devices must employ device access protections. Examples of such are pass-codes, complex passwords, pattern swipe, card swipe, fingerprint reader, etc.
    3. Passwords must be consistent with the standard set within the policy University Credentials (91.004).
  2. The device must be configured with an inactivity timeout mechanism that requires re-authentication before use. Timeouts of no more than fifteen (15) minutes are recommended, though shorter durations may be implemented, when appropriate, based on risk and usage.
  3. Users should ensure the physical security of devices by implementing the following:
    1. Devices must be used and stored in a manner that deters theft.
    2. Devices should use tracking and recovery software to facilitate return if lost or stolen.
  4. Devices must have remote wipe functionality set up in case the device is lost or stolen.
  5. In accordance with the information security standard Security Incident Reporting and Breach Notification, users must immediately report any incidents or suspected incidents of unauthorized data access, data or device loss, and/or disclosure of system resources as it relates to devices.
  6. Disposal of devices must comply with the information security standard Media Sanitization.

Required safeguards by device type

Handheld mobile device (e.g., smart phone, tablet)

  • Encryption: Required for storage of sensitive data
  • Passcode: Required
  • Auto Lock: Required after a maximum of 15 minutes of inactivity
  • Intrusion Prevention: Required; lockout or wipe after 10 incorrect attempts
  • Remote Wiping: Recommended if supported by device or application

Laptop / Notebook Computer

  • Encryption: Required for storage of sensitive data
  • Passcode: Required; a passphrase must be used to access the operating system
  • Auto Lock: Required after a maximum of 15 minutes of inactivity
  • Intrusion Prevention: Required; lockout after a maximum of 10 incorrect attempts, which expires after a 15-minute minimum
  • Remote Wiping:

Mobile Storage Devices (e.g., USB storage device, CDs / DVDs, zip disks)

  • Encryption: Required for storage of sensitive data
  • Passcode: Required encryption key

Mobile devices used to access university data with a rating of sensitive are subject to the following additional safeguards:

  • Written approval from the Dean or IRB confirming a critical business need
  • Encryption of the information on the device and in transit
  • Devices that do not support encryption must not be used to access, store, or manipulate sensitive data.

References

  • Policy 91.004 University Credentials
  • NIST 800 Series Publications
  • Information Security Standard: Acceptable Encryption
  • Information Security Standard: Security Incident Reporting & Breach Notification
  • Information Security Standard: Media Sanitization

Definitions

Users – faculty, staff, third-party agents of the university, and other authorized university affiliates accessing university data.

Mobile device (device) – handheld mobile devices such as smartphones, tablets, etc.; laptops or notebook computers; and mobile storage devices such as USB storage devices, CDs, or DVDs.

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete the Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate, based on changes in the technology landscape and/or changes to established regulatory requirements.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Information Technology: Ed Carter (Chair)
  • Human Resources: Michael Courtney
  • Faculty: Hans Kruse
  • Finance and Administration: Chad Mitchell
  • Associate Dean: Shawn Ostermann
  • Regional Higher Education: Larry Tumblin
  • Research and Sponsored Programs: Maureen Valentine
  • Enterprise Risk Management and Insurance: Larry Wines

History

Draft versions of this policy were circulated for review and approved on November 20, 2020.