Date Approved: August 26, 2010
Effective Date: August 26, 2010
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 1.0; dated May 20, 2011
Related legislation and University policies: N/A
Review Period: 5 Years
Date of Last Review: May 20, 2011
Related to: Faculty, Staff, Students
Purpose
The purpose of this procedure is to establish standard procedures to secure mobile devices to prevent data loss should they be lost or stolen.
Scope
This procedure applies to all schools, departments, employees (student employees included), and faculty members of Case Western Reserve University, where mobile computing devices are used to store, process, or access university information. If the university provides these devices to the employee or department, the configuration standards are mandatory.
Equipment such as laptops, tablet PCs, mini-notebooks, etc., are considered a separate class of computing equipment and are not in the scope of this procedure (however, the Tier I Controls are applicable for such equipment).
Cancellation
Not applicable.
Procedure Statement
General
Mobile devices are approved for processing of Public Information and Internal Use Information.
Users are prohibited from storage and processing of Restricted Information in mobile devices unless approved Tier III controls are available for that device. The goal of this procedure is to provide methods to protect the data in a mobile device to the standard of Public Information Tier I Controls.
Procedure
1. Apply Automatic Screen Lock
A screen lock should be applied to all devices with a password of minimum length 4. The lock screen timeout should be set to 5 minutes or lower in order to insure the device would be locked should an unauthorized user try to access it.
Screen Lock - WinCE Devices
- Press the Start button
- Goto Settings
- Goto Lock
- Check the box that says "Prompt if phone unused for"
- In the drop-down menu select the lock screen timeout length (must be 5 minutes or less)
- Select the password type you would like to use
- Type your password of at least 4 characters
- Select Ok to finish
Screen Lock - iPhone/iPod (Touch)
These settings will be implemented using the iPhone configuration file. WiFi, VPN, and the lock timeouts will all be set in the process. It is important remove any previous CWRU VPN connection, WiFi, and lock codes prior to installing the configuration on the device.
- Remove any lock codes, CWRU VPN connection, and WiFi connection
- Download the latest configuration file for the iPhone, iPad, and iPod below(CWRU UserID and password required)
- Select Install now
- Enter VPN username: "abc123" (Note: the installation hangs if you don't provide this input)
- Do not enter VPN password, leave this blank.
- Enter a passphrase for your device, at least 5 characters or numbers long.
- Installation Complete.
Screen Lock - Android Devices
- Goto Settings
- Select Location & security settings
- Select Set unlock pattern
- There will be an information screen that explains the unlock patterns, press Next
- This screen shows an example pattern, press Next
- Draw your unlock pattern, press Next
- Draw the same pattern again, press Confirm
- Press the Back button
- Select Sound & display
- Select Screen timeout
- Choose a time that is 5 minutes or less
Screen Lock - BlackBerry Devices
To set the lock screen password:
- On the Home screen, click the Options icon
- Click Security Options
- Click General Settings
- Change the Password field to Enabled
- Display the menu and click Save
- Type your new password, click Enter
- Verify your new password by typing it again, click Enter
To set the lock screen timeout:
- On the Home screen, click the Options icon
- Click Security Options
- Click General Settings
- Set the Security Timeout field to 5 minutes or less
- Display the menu and click Save
2. Apply Logon Banner
Apply a logon banner to the device according to the CWRU Logon Banner Standard. If the device allows for a text logon banner then you may use the text. An image my also be used to display the logon banner information.
Definitions
Logon Banner text: The logon banner text can be found here as stated under III-7 University Logon Banner.
Mobile computing devices: Refers to small, mobile computing platforms, including smart phones, the Apple iPhone, iPod Touch, iPad, Blackberry, Android. Laptop computers are not considered mobile computing devices for the purpose of this group of standards.
University information: Most commonly files, data, documents, messages, and information pertinent to university operations governed under the Acceptable Use Policy. Email system access from a mobile device is an example of university information access through a mobile computing device.
Responsibility
The Office of University Counsel is responsible for the communication of a 'preservation notice' to principal personnel.
Departmental IT administrators and staff are responsible for the implementation and adherence to data preservation procedures.
Standards Review Cycle
This standard will be reviewed annually on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.
Frequently Asked Questions
I have a personal device, but the logon banner says "Property of Case Western Reserve University." Does using the banner imply the university owns my device?
The login banner for personal devices is a notice of ownership of university data which may be in the device, not the device. The banner will identify the university as a point of contact for return of lost devices, which represent the risk to the data for disclosure.
What is the risk?
The primary risk addressed by these standards is the loss or theft of a device which leads to casual disclosure of university information. Because these smart devices have network services, and cached passwords, email and files may be easily disclosed when a device is lost or stolen.