Mobile computing device security guidelines and procedures

Purpose

Mobile devices such as laptops, tablets, smartphones, memory keys and portable hard drives are convenient and widely used. They also introduce some increased risks to University information. The devices can store large amounts of data and can be used to access applications and web-based services. The portable nature of the devices also means that they are susceptible to loss and theft, and to access by unauthorized persons if they are left alone and unprotected.

When followed, these guidelines reduce the risk of loss of information or unauthorized access to applications and information.

Scope

These guidelines and procedures apply to portable computing devices such as laptop computers, tablets, smartphones, and portable storage devices, including University-owned or personally-owned devices that contain data belonging to or under the care of the University that is of a protected, confidential, or sensitive nature as defined by relevant law (including FIPPA, PHIPA and others), industry regulation, and/or University policy.

Guidelines

 

  1. Restrict the type of information stored – The best way to guard against loss of information is to remove unnecessary University information from the device. In particular, do not store highly confidential information, such as Social Insurance Numbers, student personal information, or health/patient data on mobile devices.
  2. Encrypt all sensitive data on mobile computers/devices. York IT services are available to facilitate this requirement.
  3. Restrict access to the device – Configure a strong password or PIN that is required for use of the device.
    1. Where PINs are used, configure the device to auto-erase institutional data on the device after 10 consecutive failed PIN attempts. Passwords should be used on devices that lack the capability to auto-erase.
    2. Set an idle and/or screen-saver timeout, of not more than 5 minutes, that will automatically lock the device when not in use and require the password/PIN to unlock.
    3. Do not share your password or PIN with others.
  4. Keep software updated according to manufacturer recommendations.
  5. Do not make unauthorized modifications to manufacturer-supplied software, such as “jailbreaking” a device.
  6. Disable Bluetooth networking when not in use.
  7. When leaving devices unattended, such as in the office, a hotel room, or in a car, keep them locked away and out of sight.
  8. Take steps to ensure important institutional data is not kept solely on a mobile device or laptop, for example by also storing the data on a secure enterprise storage system provided through York IT services.
  9. Take measures to safeguard the device if it is lost or stolen –
    1. Enroll the device in an enterprise management system, such as BES for BlackBerry or Lotus Notes Traveler for iPhone and iPad.
    2. Immediately report lost or stolen devices to your IT support group to ensure proper measures are taken to remotely deregister/erase the device.
  10. When the device is replaced or is no longer to be used, ensure the device is disposed of securely by erasing/wiping all data in a secure fashion, or by physical secure disposal. York IT services are available to facilitate this requirement.