Title: Mobile Device Configuration Standards
Approved by: Office of the President
Date approved by President or Board of Trustees: August 26, 2010
Effective date: August 26, 2010
Responsible Official: Chief Information Security Officer
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies: None
Review Period: 3 Years
Date of Last Review: July 26, 2024
Relates to: Faculty, Staff, Students
Summary
The purpose of this policy is to establish standard procedures to secure mobile devices to prevent data loss should they be lost or stolen.
This policy applies to all schools, departments, employees (student employees included), and faculty members of Case Western Reserve University, where mobile computing devices are used to store, process, or access university information. If the university provides these devices to the employee or department, the configuration standards are mandatory.
Equipment such as laptops, tablet PCs, mini-notebooks, etc., are considered a separate class of computing equipment and are not in the scope of this procedure.
Purpose
Mobile devices are approved for processing of Public Information and Internal Use Information.
Users are prohibited from storage and processing of Restricted Information in mobile devices unless approved Tier III controls are available for that device. The goal of this procedure is to provide methods to protect the data in a mobile device to the standard of Public Information.
The primary risk addressed by these standards is the loss or theft of a device which leads to casual disclosure of university information. Because these smart devices have network services, and cached passwords, email and files may be easily disclosed when a device is lost or stolen.
Apply Automatic Screen Lock
A screen lock should be applied to all devices with a password of minimum length 4. The lock screen timeout should be set to 5 minutes or lower in order to insure the device would be locked should an unauthorized user try to access it.
Apply Logon Banner
Apply a logon banner to the device according to the CWRU Logon Banner Standard. If the device allows for a text logon banner then you may use the text. An image may also be used to display the logon banner information.
Definitions
Logon Banner text: The logon banner text can be found here as stated under University Logon Banner.
Mobile computing devices: Refers to small, mobile computing platforms, including smart phones, the Apple iPhone, iPod Touch, iPad, Blackberry, Android. Laptop computers are not considered mobile computing devices for the purpose of this group of standards.
University information: Most commonly files, data, documents, messages, and information pertinent to university operations governed under the Acceptable Use Policy. Email system access from a mobile device is an example of university information access through a mobile computing device.