Practice Directive Title: Mobile Device Practice Directive
Division: Administration & Finance
Department: Information Technology Services
Contact Information: Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 /
Effective Date: Wednesday, February 1, 2017
Revised Date: Wednesday, January 18, 2017
Authority (i.e., Executive Order, ICSUAM, Delegations of Authority):
This Practice Directive provides support to CSU Information Technology Security Policy stated in:
8045.S400 Mobile Device Management Standard
8050.00 Configuration Management
8060.S0 Access Control - Appendix A
8065.S02 Information Security Data Classification
8075.0 Information Security Incident Management
8105.0 Responsible Use Policy
Objective:
This practice directive explains how to secure university and personally-owned mobile computing devices that access or store SF State sensitive data. It must be followed to protect university data and ensure compliance with Federal, State, CSU and SF State regulations governing security of information.
Definitions:
Mobile device: Portable computing devices, including but not limited to smartphones, laptops and tablet computers
Sensitive data (Levels 1 and 2): Campus data is classified according to its potential risk, which is governed by federal and state laws. Sensitive data includes the confidential (Level 1) and internal use (Level 2) data classifications. See the Confidential Data Practice Directive for more information.
Confidential data (Level 1 - Encryption Required): Level 1 data is considered confidential and must be appropriately secured. If Level 1 data is lost, stolen or accessed by unauthorized individuals, it must be reported and may require a formal breach notification to impacted individuals under state and federal law.
Internal Use data (Level 2 - Encryption Recommended): Level 2 data is for internal use and may only be released under prescribed conditions. If Level 2 data is lost, stolen or accessed by unauthorized individuals, it must be reported and may require formal breach notification under state and federal law.
Statement:
User Practice for Securing Devices
Sensitive data (Levels 1 and 2) must not be accessed or stored from mobile devices unless:
- there is a documented business need for the sensitive data to be accessed or stored by the mobile device,
- effective security measures have been implemented to protect the data, and
- in the case of storing confidential (Level 1) data, an Associate Vice President, Dean, or equivalent University leadership and the campus Information Security Officer have provided approval.
Required Mobile Device Security Measures
General device security measures for mobile devices used for university business:
- Follow the security incident response procedure if a mobile device containing SF State Sensitive Data is compromised, lost or stolen.
- Frequently check for and install any available operating system and application security updates
- Only download apps from official app stores (Apple App Store, Google Play, etc.)
- Remove or refrain from downloading non-essential apps
- Do not leave unencrypted mobile devices unattended
- Regularly backup the mobile device to protect data in the event of loss, theft, or lockout
Password Security Measures
- Configure laptops to follow the SF State Password Practice Directive
- Smartphone and tablet devices that access or store sensitive data must be locked using a passcode, or password, that satisfies the following requirements:
  - Must be a minimum of six characters
  - Must not contain the user's first name, last name, account name, or phone number
  - Biometric functionality (e.g. facial recognition, fingerprint scanner) and complex passcodes must be enabled if available.
Required Sensitive Data Security Measures
Sensitive data security measures apply to mobile devices that access or store data classified as confidential level 1 and internal use level 2. Note: Confidential level 1 data has additional requirements shown below:
- Use public, untrusted wireless networks with caution, preferably in conjunction with SF State VPN
- Use wireless networks that support reliable encryption (802.1x)
- Auto-wipe the device after 10 failed login attempts; use a backup to restore the device if it is inadvertently wiped
- Configure device to be remotely wiped in the case it is lost or stolen
- Wipe or securely delete data from mobile devices before disposing, reselling, or trading them in.
Required High Risk Confidential (level 1) Data Security Measures
Security measures for securing mobile devices that access or store confidential level 1 data:
- Conduct a formal risk assessment before installing applications that are not part of the device’s base distribution
- Limit access to the device to those that need to access the confidential data
- Confirm device is encrypted
- Disable Bluetooth and wireless access when not needed
- Use SF State’s VPN when accessing confidential (level 1) data
- Approval is required for storing confidential (level 1) data on a mobile device.
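As an added illustration (not part of the directive and not an ITS tool), the passcode requirements and the sensitive-data and Level 1 device measures above can be checked mechanically against a device inventory record. The thresholds (six-character passcode, wipe after 10 failed attempts) and the Level 1 / Level 2 distinction come from the directive; the record layout, field names, function names and sample values are constructed for this example:

```python
"""Compliance checks modelled on the SF State Mobile Device Practice Directive.

Added illustration only: the thresholds and the Level 1 / Level 2 rules come
from the directive; the record layout, field names and sample data are
constructed for this example and are not an ITS tool.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

MIN_PASSCODE_LENGTH = 6    # directive: passcode must be at least six characters
MAX_FAILED_ATTEMPTS = 10   # directive: auto-wipe after 10 failed login attempts


def _digits(text: str) -> str:
    """Keep only digits so phone numbers compare regardless of punctuation."""
    return re.sub(r"\D", "", text)


def passcode_violations(passcode: str, first_name: str, last_name: str,
                        account_name: str, phone: str) -> List[str]:
    """Return the passcode rules that `passcode` breaks; an empty list means compliant.

    Name and account checks are case-insensitive; the phone check compares
    digits only, so "(415) 555-0100" and "4155550100" are treated alike.
    """
    problems: List[str] = []
    if len(passcode) < MIN_PASSCODE_LENGTH:
        problems.append("shorter than six characters")
    lowered = passcode.lower()
    for label, value in (("first name", first_name),
                         ("last name", last_name),
                         ("account name", account_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    phone_digits = _digits(phone)
    if phone_digits and phone_digits in _digits(passcode):
        problems.append("contains phone number")
    return problems


@dataclass
class MobileDevice:
    """Constructed inventory record; fields mirror the directive's measures."""
    owner: str
    data_level: int                 # 1 = confidential, 2 = internal use, 0 = none
    stores_level1: bool = False     # stores (not merely accesses) Level 1 data
    business_need_documented: bool = False
    encrypted: bool = False
    auto_wipe_threshold: Optional[int] = None   # failed attempts before wipe; None = off
    remote_wipe_enabled: bool = False
    storage_approved: bool = False  # AVP/Dean and ISO approval on file


def device_review(device: MobileDevice) -> Tuple[List[str], List[str]]:
    """Evaluate one device; returns (violations, advisories).

    Violations are the directive's "must" items; advisories are "recommended"
    items (encryption for Level 2) that do not by themselves fail the review.
    """
    violations: List[str] = []
    advisories: List[str] = []
    if device.data_level not in (1, 2):
        return violations, advisories   # only the general measures apply
    if not device.business_need_documented:
        violations.append("no documented business need for sensitive data")
    # Sensitive-data measures (Levels 1 and 2)
    if device.auto_wipe_threshold is None or device.auto_wipe_threshold > MAX_FAILED_ATTEMPTS:
        violations.append("auto-wipe not set to 10 or fewer failed attempts")
    if not device.remote_wipe_enabled:
        violations.append("remote wipe not configured")
    # Additional Level 1 measures
    if device.data_level == 1:
        if not device.encrypted:
            violations.append("Level 1 device is not encrypted")
        if device.stores_level1 and not device.storage_approved:
            violations.append("Level 1 storage lacks AVP/Dean and ISO approval")
    elif not device.encrypted:
        advisories.append("encryption recommended for Level 2 data")
    return violations, advisories


if __name__ == "__main__":
    # Constructed sample user and records (not real people or devices)
    user = ("Ada", "Lovelace", "alovelace", "(415) 555-0100")
    print(passcode_violations("Ada2017!", *user))
    laptop = MobileDevice("alovelace", data_level=1, stores_level1=True,
                          business_need_documented=True, encrypted=True,
                          auto_wipe_threshold=10, remote_wipe_enabled=True,
                          storage_approved=True)
    tablet = MobileDevice("alovelace", data_level=2, business_need_documented=True)
    for dev in (laptop, tablet):
        print(dev.owner, "Level", dev.data_level, device_review(dev))
```

The Level 2 encryption case is deliberately reported as an advisory rather than a violation, matching the directive's "Encryption Recommended" wording for Level 2 against "Encryption Required" for Level 1.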
Requesting Approval to Store Confidential Level 1 Data on a Mobile Device:
To request approval to store confidential (level 1) data on a mobile device, the requester must:
- Complete the “Request to store confidential data on a mobile device” form.
- Obtain approval from Associate Vice President, Dean, or equivalent University leadership.
- Obtain approval from the Information Security Officer
Requests will be reviewed within ten business days.
Annual reviews of mobile device confidential data storage approvals shall be conducted to determine if that data storage is still required and that the device is appropriately secured.
Implementation
Responsibility for implementing this Practice Directive will rest with ITS and Information Technology (IT) departments across campus. Submit any apparent violation of Password Practice Directives to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to .
Non-Compliance
Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
Searchable Words:
mobile device, compliance, security, accessibility