Device Management Policy

Purpose

The purpose of this policy is to outline steps identified by the university to mitigate some of the risks inherent in computing devices. It is also intended to draw out the importance of responsibility on the part of the end user in protecting university data and resources.

Scope

This document refers to all computing devices. This includes desktops, laptops, tablets, smart phones and other devices capable of connecting to university resources or storing university data. “Mobile Devices” refers specifically to any device with a self contained processing, screen and input capabilities or any other portable device capable of connecting to university resources.

Policy

  1. Responsibility for University Data:

    1. While IT will work to appropriately provision devices to mitigate the risks to university data, it is important to highlight that it is not possible to eliminate all risk associated with using such devices. An employee accessing university data has responsibility to ensure the safety and protection of the device he or she is using. While it is not possible to enumerate every scenario, the following are examples of steps that could be taken to protect your mobile device:

      1. Do not leave the device unattended in your vehicle, locked or otherwise.

      2. Do not leave any mobile device unattended in a public location, including publicly accessible office spaces on campus. If you need to leave a mobile device at your desk it should be in a locked drawer or otherwise secured to your workstation.

      3. Do not leave the device unattended in a hotel/motel room when traveling. Use a safe or other locking mechanism when you are not able to take a device with you.

      4. Do not allow friends or family members to use the device for personal use.

    2. Misuse of a university owned device that results in the loss of university data will be subject to appropriate discipline, which could include termination of employment and criminal charges.

  2. Purchasing and Provisioning:

    1. Computing devices that are intended to be used for university business should be purchased and provisioned in conjunction with IT. Please see the Hardware and Software Procurement Policy for more details.

  3. Security:

    1. The following are the minimum security requirements for devices used by faculty, staff and administrators connecting to university resources:

      1. Devices will be protected by a PIN (minimum of 4 characters) or password.

      2. Devices will be set to lock automatically after a maximum of 5 minutes of inactivity.

      3. The university may install software on, configure and manage (including remotely) any university owned device to ensure adherence to these standards.

      4. The university may make provision for data on any university owned device to be remotely deleted in the event of loss or theft. The university will not be liable for personal data stored on the device in the event data from a device is deleted.

    2. In addition to the above requirements:

      1. Laptops used in lieu of a desktop computer should be secured to the work desk using a physical lock. IT may, at it’s discretion, require the use of a physical lock for laptops located in public areas.  

      2. If a device is used to store sensitive or protected data it is recommended that the device be encrypted in order to prevent data loss in the event of loss or theft. IT will work with employees on an individual basis to manage encryption of such devices.

  4. Use of Personal Devices:

    1. Accessing university systems or services with personal computers and devices presents a significant risk to university data. It is expected that university employees exercise due diligence to protect university data that is accessed with a personal computing device. Minimally, this would include:

      1. Permanently deleting any university files stored on a personal device, including e-mail downloads and cached browser data from the device on a regular basis. Personal devices should not be used for the storage of university data.

      2. Ensuring that any university system or service that requires authentication is password protected. If a device has credentials stored for accessing services such as e-mail, hosted storage, etc. then the device should be password protected and lock after a period of inactivity. These protections should follow those adopted for university-owned devices:

        1. Devices will be protected by a PIN (minimum of 4 characters) or password

        2. Devices will be set to lock automatically after a maximum of 5 minutes of inactivity

        3. Devices will be configured to be remotely wiped in event of loss or theft

      3. Storing credentials for university services is not appropriate on devices that are intended to be used by individuals other than the employee.

      4. Ensuring that the device is set up to be remotely wiped in the event of loss or theft. The owner of the device is responsible for ensuring that remote wipe is enabled and securing or backing up personal data to prevent loss of such data if a device is lost or stolen.

    2. Use of a personal device that results in loss of university data will be subject to appropriate discipline, which could include termination of employment and criminal charges.