Mobile Device Security Policy

Statement of Policy

Washington University in St. Louis (WashU) is committed to conducting all university activities in compliance with all applicable laws, regulations and university policies. WashU has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

Objectives

This policy establishes methods of protection for mobile computing and storage devices that contain or access information resources at WashU.

Applicability

This policy applies to all Workforce members with mobile computing and/or storage devices used to access university computer systems and/or store confidential or protected information. Mobile devices, whether personal or WashU-owned, are to be included in this policy if confidential and/or protected information will be available through the device.

Policy

With advances in computer technology, mobile computing and storage devices have become useful tools to meet the business and personal needs of individuals and organizations. They are portable and easily lost or stolen, presenting a high risk of unauthorized access to, or disclosure of, university information.

  • The Information Security Office (ISO) will conduct periodic risk assessments to establish safeguards for secure use. It is responsible for auditing the use of mobile computing devices and departmental processes to ensure compliance with this policy.
  • Users must notify their department or school if databases, e-mail, or other repositories containing confidential or protected information will be downloaded to mobile devices. In this way the appropriate security controls can be applied to mitigate the additional risk associated with that information.
  • Departments and schools will establish processes that allow them to keep track of mobile devices used to store sensitive information, any policies applied to them, and the personnel who use them.
  • Users who have these mobile devices must have breach notification training and understand their responsibilities to promptly report lost or stolen devices.
  • Lost or stolen mobile computing devices must be reported to the Privacy Office or the Information Security Office immediately. This shall occur before the user of the device cancels the service with the provider.
  • Security policies must be deployed to all mobile devices that will access or store protected information. Devices incapable of accepting these security policies must not access or store protected information. Mobile Device Guidelines will be used to establish these policies.
  • Devices storing protected information will need to follow the 02.05 Encryption Policy to protect information.
  • Additional controls may be required for devices based upon the security risk assessment.

References

Mobile Device Requirements
Mobile Device Guidelines

Title: Mobile Device Security
Version Number: 2.0
Creation Date: November 13, 2007
Applicability: Protected and Confidential
Reference Number: 03.05
Status: Final
Revision Date: April 27, 2016
Policy Owner: Information Security Office