New Mobile Device Guidelines

Information Security Guideline

Policy Title:    Mobile Device Guidelines
Reference No:    03.05.01
Version No:      0.1
Status:          Final
Creation Date:   November 13, 2007
Revision Date:
Approval Date:   6/1/2009
Approved by:     TAG
Key Words:       Guideline

Statement of Policy

Washington University School of Medicine (WUSM) is committed to conducting business in
compliance with all applicable laws, regulations and WU policies. WUSM has adopted this
policy to outline the security measures required to protect electronic information systems and
related equipment from unauthorized use.

Mobile computing and storage devices include, but are not limited to: laptop computers, personal digital
assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital
Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and
any other existing or future mobile computing or storage device, either personally owned or WUSM
owned, that may connect to or access the information systems at WUSM.

Scope of Policy

All WUSM employees, consultants, vendors, contractors, students, and others who use mobile computing
and storage devices are subject to this policy.

Non-WUSM Equipment

Mobile devices of all types should be issued by the respective business unit so that the controls applied to
protect them can be standardized and applied across the school. The selection and use of these devices can
be left up to the Business Units. Devices purchased by individuals employed by the University, though
discouraged, are not prohibited, subject to the following condition:

Once a mobile device syncs with any WUSM system, it is no longer a personal device and is covered by
this policy.

Technical personnel and users, who include employees, consultants, vendors, contractors, and students, shall
be familiar with this policy along with the Computer Acceptable Use Policy. Compliance with other
applicable WUSM policies, procedures, and standards as they pertain to Mobile Devices is recommended.

General User Responsibilities

- Promptly report a lost or stolen device

   Lost or stolen mobile computing and storage devices shall be reported through Protective Services or the
   Information Security Office ( For further procedures on lost or stolen
   mobile devices, please see the 01.01.05 Incident Response Guideline.

- Password-protect your mobile device

   Choose a strong password or PIN for authentication. If the device is used to store sensitive information,
   this should be used to limit access to the device in the event it is lost or stolen. Access to mobile devices
   which store or transmit sensitive information, or which can be used to connect to other protected systems,
   should be authenticated. Passwords/PINs should be changed and maintained according to 02.01.01 User
   Account and Password Guidelines.

- Keep your Business Unit informed on how you will use the device

   Users should notify the Business Unit's IT staff and/or the Information Security Office if
   databases or portions thereof, e-mail, or other repositories containing protected or confidential
   information will be downloaded to the mobile computing or storage devices. In this way the appropriate
   security controls can be applied to mitigate the additional risk associated with that information.

- Verify encryption mechanisms
   Sensitive information stored on laptops or other mobile devices should be protected against unauthorized
   access and disclosure via encryption or other appropriate measures. Your accounts and passwords should
   never travel unencrypted over a wireless network. Wireless network traffic can be easily sniffed.
   Therefore, any sensitive data, especially login information, should always be encrypted. Sensitive
   documents, if stored on the device, should be encrypted if possible (keeping in mind that some devices
   encrypt stored documents by default).

- Regularly back up data

   Users are responsible for backing up the data stored on the mobile device on a regular basis. Be
   sure to have a backup copy of any necessary data in case your mobile device is lost or damaged. Consider
   using multiple backup mechanisms and, if you travel, have a portable backup device that you can take with

- Disable options and applications that you don't use

  Reduce security risk by limiting your device to only necessary applications and services. You won't need
  to manage security updates for applications you don't use and you may even conserve device resources
  like battery life. Bluetooth and IR are two examples of services that can open your device to unwelcome
  access if improperly configured.

- Be aware of mobile computing risks

  The use of laptop computers and mobile devices provides flexibility and enhanced communications that
  allow us to be more productive. However, the use of these devices outside of the University poses risks to
  those devices and the information they contain. These devices may also present a hazard to University
  resources upon their return (for example, by spreading a virus that was obtained outside the office). These
  devices have the capability for direct connectivity to the Internet or other networks which lack the
  protections afforded by the WUCON firewalls and other perimeter protections. Laptops and other capable
  mobile devices should use antivirus and personal firewall software when connected to any network other
  than WUCON.

Implementation Guidance For Administrators and Business Units

Refer to the Mobile Device Requirements (03.05.02) for a detailed breakdown of these requirements.

- Business units will keep an annual inventory of the allocation of the mobile devices used to store
  sensitive and confidential information and the personnel who use them.

- The Business Units should approve all new mobile computing and storage devices that will connect to
  any information system and notify the Information Security Office of their use.

- Any non-departmentally owned device that will connect to a WUSM information system or network
  should first be approved and inventoried by the IS staff of the Business Unit prior to its use.

- Any mobile device shall be capable of meeting the WUSM Mobile Device Requirements for the class of
  information it will store and process.

- Devices used for messaging should secure communication to stop eavesdropping and backdoor network
  access by using strong encryption and authentication methods. For sensitive information, mobile
  firewalls should be used to inhibit wireless-borne attacks against active devices. For sensitive
  information, mobile antivirus should be used to detect and prevent device compromise through mobile
  code and malware.

- The ability to remotely disable devices and/or destroy sensitive information shall be required for devices
  that contain sensitive information.

  The School of Medicine has purchased licenses for a product called CompuTrace that can automatically
  trace and wipe laptops that have been stolen or misplaced once they are reconnected to the Internet. If you
  are using the device to store protected information, it is a requirement that you have this software
  installed on the system.

Physical Security

- If possible, do not allow unauthorized personnel to bring mobile devices into sensitive areas.

- Permanently mark the outer case of the laptop or mobile device with your contact information. This
  may greatly increase the odds of getting it returned to you if you happen to carelessly leave it

- For laptops in publicly open areas, get a cable lock and use it. While this may not stop a determined
  thief, it will effectively deter casual thieves.

- In public areas, lock up your PCMCIA cards and USB devices. There is little you can do to keep
  someone from stealing these devices while they are sticking out of the side of your laptop. When not in use,
  eject these cards/devices from the laptop bay and lock them in a safe place.


- All users of mobile devices should attend regular security awareness training, in particular training
  that relates to safe and secure mobile device use, current mobile device threats, and Medical School
  policy. Users will sign that they understand the risks and adhere to the policies in regard to the use of
  such devices.

Transfer of Protected Information

    The data custodian is responsible for ensuring the protection of the sensitive information that they own.
    Processes and procedures should be in place to control the distribution of this data to any mobile
    device. Custodians should approve the distribution and log the following when protected information
    is transferred to any mobile device:

    1)    Time and Date
    2)    Index of information transferred
    3)    Type of device transferred to
    4)    Recipient of the information

Related References

01.02 Information Classification

University Acceptable Use Policy

01.01.05 Incident Response Guideline

03.05.02 Mobile Device Technology Requirements

02.01.01 User Account and Password Guidelines
