Mobile Device Security Policy
Contents
- PURPOSE
- BACKGROUND/HISTORY
- PERSONS AFFECTED
- POLICY STATEMENT
- Procedures
- Roles and responsibilities
- Recommended security practices
1. Purpose
The purpose of this policy is to establish an authorized method for controlling mobile computing and storage devices that contain or access information resources at the University of South Australia.
2. Background/History
With advances in computer technology, mobile computing and storage devices have become useful tools to meet the business needs at the University of South Australia. These devices are especially susceptible to loss, theft, hacking, and the distribution of malicious software because they are easily portable and can be used anywhere. As mobile computing becomes more widely used, it is necessary to address security to protect information resources at the University of South Australia.
3. Persons Affected
University of South Australia employees, consultants, vendors, contractors, students, and others who use mobile computing and storage devices on the network at the University of South Australia.
4. Policy statement
It is the policy of the University of South Australia that mobile computing and storage devices containing or accessing the information resources at the University of South Australia must be approved prior to connecting to the information systems at the University of South Australia. This pertains to all devices connecting to the network at the University of South Australia, regardless of ownership.
Mobile computing and storage devices include, but are not limited to: laptop computers, smartphones, personal digital assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or University of South Australia owned, that may connect to or access the information systems at the University of South Australia.
Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to the network at the University of South Australia. These risks must be mitigated to acceptable levels.
Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive University of South Australia information should use encryption or equally strong measures to protect the data while it is being stored.
Mobile computing devices must be configured to require a password or PIN to be entered in order to gain access to the device.
Unless approval has been obtained from the local IT support and the owner of the data, databases or portions thereof, which reside on the network at the University of South Australia and contain core student, staff, or finance data that has privacy or security implications, shall not be downloaded to mobile computing or storage devices.
Refer to the "Removable Media Policy" to get further information about security practices for removable media.
4.1 Procedures
To report mobile computing and storage devices that have been lost or stolen, call the IT Help Desk at (+61 8) 8302 5000.
The University of South Australia, divisional IT support staff or ISTS, shall approve all new mobile computing devices that may connect to information systems at the University of South Australia.
Any non-departmental owned device that may connect to the University of South Australia network must first be approved by technical personnel, such as the local IT support staff from the University of South Australia.
Requests for an exception to this policy shall be submitted to the IT Help Desk.
4.2 Roles and responsibilities
Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information belonging to or maintained by the University of South Australia. Before connecting a mobile computing or storage device to the network at the University of South Australia, users must ensure it is approved by the local IT support staff.
The IT Help Desk must be notified immediately upon detection of a security incident, especially when a mobile device may have been lost or stolen.
ISTS will maintain a list of preferred mobile computing suppliers.
4.3 Recommended security practices
Authentication - Set a password or an access code.
- Laptop - Use operating system authentication.
- PDA/Smartphone - Use the native security options for the asset.
- Laptop - Use operating system inbuilt encryption mechanism.
- PDA/Smartphone - Not freely available; commercial solutions exist for some models. If very sensitive data must be stored on a mobile device, it should be encrypted with third-party tools.
- Install anti-virus/anti-malware software.
- Check for and apply firmware and operating systems updates monthly.
- Avoid installing software from non-verified sources on University assets, as the potential for malware is high.
- Laptop - Verify that the author/distributor of the software is trustworthy.
- PDA/Smartphone - Avoid installing remote terminal software that caches account/password info.
