Mobile and Remote Devices Security Policy

Introduction 

This document defines King’s University College Information Technology Services policy on the secure use of mobile and remote devices which access any information resources owned or managed by the College. 

Mobile and remote devices are important tools for the College, and their use is supported to advance our academic mission.  However, mobile and remote devices also represent a significant risk to information security.  If appropriate security applications and procedures are not applied, mobile and remote devices can serve as a conduit for unauthorized access to institutional data and IT infrastructure that can subsequently lead to confidential data exposure or malware infection. 

College faculty, staff, students, student employees, and volunteers who use mobile or remote devices are responsible for all institutional data which is stored, processed and/or transmitted via that device, and for following the security requirements in this policy.  Security requirements are dependent upon data classification based on the roles of the individual user.  Any device that does not meet the requirements specified in this policy may not be used to access or store any College data that is classified as sensitive or confidential.  

Whenever practical, elements of this policy will be enforced via centrally administered technological controls.  The College may request proof of compliance from any user of a mobile or remote device for any policy issues that cannot be automatically managed or enforced. 

Definitions 

Users 

Any faculty, staff, student, student employee, volunteer or agent of the above who uses a mobile or remote device to access any public or non-public information systems owned or managed by King’s University College.  Security requirements are dependent upon data classification based on the roles of the individual user. 

Data Classifications   

Public data is any information that is freely available to the public.  Disclosure of data would result in little or no risk to the College.  Examples of public data include press releases, course information and research publications.

Sensitive data is institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations.  Disclosure, alteration or destruction of sensitive data could result in a moderate level of risk to the College.  Sensitive data must be protected from unauthorized access, modification, transmission, storage or release.

Confidential data is institutional information protected by provincial or federal regulations and data protected by confidentiality agreements.  Additional types of institutional data may be designated as confidential.  Unauthorized disclosure, alteration or destruction could cause a significant level of risk to the College.

Devices & Media 

Mobile Device: Any electronic device that is easily transported, communicates via wireless technology (cellular services, Wi-Fi, etc.), and is used to access College information systems or store sensitive or confidential information.  Examples include: laptops, smartphones, and tablets.  

Remote Device: Any self-contained computing or storage device not physically tethered at the College campus that is used to access or store sensitive or confidential information.  Examples include: personal home computers, College-owned laptops, CD/DVD media discs, portable hard drives, and flash drives.   

For the purposes of this policy, devices are not restricted to those owned by the College. Furthermore, a device can be both mobile and remote – i.e., a College-owned laptop that is used on campus and from home.  

Required Device Configurations and Capabilities 

Configurations for Mobile Devices 
  1. All users of a mobile electronic device must take the following measures: 

• Configure the device to require a password, biometric identifier or PIN to be entered before local access to the device is granted.  

• Enable a screen lock or similar mechanism to require the password or PIN to be entered after an idle time of at most five minutes.

• Enable the device's automatic wipe functionally to occur after a sequence of no more than ten unsuccessful attempts to unlock the device. 

• Register the device with a remote wipe service to permit a lost or stolen device to be securely erased.

  1. Users accessing sensitive or confidential data on their mobile devices must register their device with King’s ITS and have it placed on the College Mobile Device Management System. 
Configurations for Remote Devices 

Users of personally owned remote devices must take the following steps: 

• Configure the operating system to automatically download and install system patches and updates.  

• Ensure that an anti-virus package is installed, operational, and configured to automatically download and install signature updates.  

ALL DEVICES MUST BE CLEARLY LABELED WITH USER’S NAME AND PHONE NUMBER
Encryption of Data in Transit 

Sensitive and confidential information must be encrypted while in transit from College network resources to any device.  Transit encryption services will be provided by King’s ITS or the appropriate software vendor, and/or by the use of a secure Virtual Private Network (VPN) connection. 

Encryption of Data at Rest

Except when being actively viewed on a device, confidential information should at all times be encrypted on that device through an approved mechanism.  King’s ITS is working toward establishing encryption methods for our users but does not yet demand encryption of data at rest.

Encryption mechanisms being evaluated include: 

• Microsoft BitLocker (Windows) 

• File Vault (Apple OSX)

User Responsibilities 

Required Actions for Lost or Stolen Devices 

Upon determining that devices have been lost or stolen, device owners must as soon as possible: 

1. Report the loss or theft to the ITS Help Desk @ 4441 or to support@kings.uwo.ca.

2. Invoke the remote wipe functionality to securely erase the contents of the device.  Consult the ITS Help Desk for assistance if required.

3. Reset your password(s). 

Required Actions for Decommissioned Devices 

In the event that a mobile device is to be sold, traded or recycled, the primary user must securely erase the contents of the device while it is still in his or her possession.     

Prohibited User Actions 

Bypassing Security Mechanisms 

In many cases, College-owned devices issued to users will have been pre-configured to adhere to the standards described in this policy.  Users must not alter or defeat those pre-configured mechanisms unless expressly instructed to do so by an authorized member of ITS.

Risks/Liabilities/Disclaimers

  • While King’s ITS will take every precaution to prevent the employee’s personal data from being lost, in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions such as backing up email, contacts, etc.
  • The College reserves the right to disconnect devices or disable services without notification.
  • Lost or stolen devices must be reported to IT within 12 hours.  Employees using personally owned devices are responsible for notifying their mobile carrier immediately upon loss of a device.
  • The employee is expected to use his or her devices in an ethical manner at all times and adhere to the College Acceptable Use Agreement.
  • The employee is personally liable for all costs associated with his or her device.
  • The employee assumes full liability for risks including, but not limited to, the partial or complete loss of College and personal data due to an operating system crash, errors, viruses, malware, and/or other software of hardware failures or programming errors that render the device unusable.