AC-19 Access Control for Mobile Devices

Applicability

Mobile devices and mobile users pose a possible risk without proper configuration and usage.

Description

Mobile computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable as replacements for traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices. The Texas A&M Health Science Center (TAMHSC) portable and mobile device standard applies equally to all individuals who utilize portable computing devices and access TAMHSC information resources. The terms “mobile device” and “portable device” may be used interchangeably in this control.

HSC Implementation
  1. All HSC-owned portable devices shall be password protected or have an enforced locking mechanism.
  2. Unattended portable computing devices must be physically secure, e.g. locked in an office, a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system.
  3. All TAMHSC mobile devices shall be encrypted where applicable.
  4. TAMHSC data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all protected TAMHSC data must be encrypted using approved encryption techniques.
  5. TAMHSC data must not be transmitted via wireless transmission to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques (VPN) are utilized.
  6. Non-HSC computer systems that connect to TAMHSC networks are required to comply with HSC Office of Information Technology (OIT) standards, including current security patches and antivirus software. Non-HSC computers that do not conform to TAMHSC security standards may be blocked from network access as directed by OIT Security.
  7. Portable TAMHSC assets will be enrolled in a mobile device management (MDM) solution as approved by OIT.
  8. The Information Security Officer (ISO) must approve exceptions to enrollment.
  9. All loaner laptops designated for foreign travel are exempted.
  10. All loaner laptops used solely for student testing are exempted.

Resources

HIPAA: 164.312 Technical safeguards

Texas DIR: Texas Administrative Code Chapter 202 – Information Security

TAMUS: 29.01.03 Information Security

Last Reviewed June 14, 2017

Next Review Date July 2019