SEC-S007 Bring Your Own Device Standard

  1. OBJECTIVE: 
    1. Austin Peay State University (APSU) is responsible for ensuring the confidentiality, integrity, and availability of data stored on its systems.  Personally owned computing devices are increasingly being used to access university technology resources and university data.  A security breach when using a personal device could result in loss or compromise of university data, damage and/or unauthorized access to university information technology resources, and/or financial harm to the university.
  2. RESPONSIBILITIES: 
    1. Individuals who elect to utilize a personal device to access university information technology resources and/or university data are responsible for the following:
      1. Abiding by the requirements identified within this document;
      2. Any damages and criminal and/or civil charges resulting from the activities conducted on their personal device while connected to a university information technology resource and/or accessing university data; 
      3. All transactions made under their university enterprise account.
    2. The Information Technology Security director is responsible for implementation and enforcement of this Standard.
  3. APPROVAL AUTHORITY:
    1. Chief Information Officer
  4. SCOPE:
    1. This Standard, operating under University Policy 4:042 Information Security and Data Classification, defines and establishes the minimum security requirements for personally owned devices that connect to university information technology resources and/or access university data.  These devices include but are not limited to smart phones, tablets, laptops, and notebooks.
  5. DEFINITIONS:
    1. Authentication – Verifying the identity of a user, process, or device to allow access to a university information technology resource.
    2. Campus Network – The wired and wireless components and information systems connected to the network managed by the university.  Excluded are: the residence hall network, student wireless, and guest wireless.  
    3. Device – A server, computer, laptop, or mobile device used to enter or access university data from a university information system.
    4. Jailbroken – The process of modifying an iOS device such as an iPhone, iPad, or iPod to bypass restrictions imposed by Apple in order to modify the operating system, install non-approved applications, and/or grant the user elevated administrative privileges.
    5. Remote Wipe – A security feature that allows data on a device to be deleted without physically possessing the device.
    6. Rooted – The process of allowing Android users to attain privileged control over subsystems to alter or replace system applications and settings, run specialized applications that require administrative permissions, and/or perform other operations that are otherwise inaccessible to a normal Android user.
    7. Supported operating system – The entity (e.g., a vendor, an open-source project, or an individual) providing the operating system is actively and routinely providing and deploying patches and security updates for the operating system.
    8. University data – Anything that contains information regarding the university made or received in connection with its operations and/or that the university has collected and stored on university personnel, students, and others.  University data resides as both hard copy and electronic media.
    9. University Information System – An application or software that is used to support academic, administrative, research, and outreach activities of the university, whether operated and managed by the university or a third-party vendor.
    10. University Information Technology Resources – University owned hardware, software, and network equipment; technology facilities; and other relevant hardware and software; as well as personnel tasked with the planning, implementation, and support of information technology.
  6. REQUIREMENTS:
    1. Personal Device Use
      1. Individuals who elect to use a personal device to access university technology resources and/or university data, whether for personal use, university business, on university time, or during personal time, must:
        1. Abide by the Acceptable Use of Information Technology Resources and Information Security and Data Classification Policy;
        2. Maintain and backup the personal data stored on the device;
        3. Ensure the physical security of the device to prevent loss, theft, and/or damage;
        4. Report lost or stolen devices that contain university data;
        5. Ensure the device meets the security requirements identified within section 6.2 of this document.
      2. A personally owned device must not disrupt the use or function of the campus network and/or the university information system to which it is connected.  The university will ban or prevent any device from accessing the campus network that continually causes disruptions to university information technology resources. 
      3. The device owner must change their university enterprise account password immediately when a personal device that has access to university data is lost or stolen.  
      4. Authentication is required before a personal device is permitted to access the campus network.
      5. Personally owned devices must never be used as a university server or networking device.
    2. Device Security
      1. To prevent others from obtaining unauthorized access, device owners must never leave their device unattended.
      2. All devices that connect to university technology resources and/or access university data must meet the following security requirements:
        1. Devices must use an active form of access protection such as passcode, passphrase, facial recognition, or fingerprint;
        2. Passwords/passphrases must meet the minimum requirements identified within the Password Management Policy;  
        3. Devices must be configured to lock or log out and require a user to re-authenticate if left inactive for more than 15 minutes.  Devices that do not support this capability must be secured by alternative means, such as restricting access to a locked room;
        4. Devices must run supported operating systems that are patched and updated regularly;
        5. Devices must be configured to allow remote wipe in the event the device is lost or stolen.  Devices that do not support remote wipe functionality must be encrypted.
      3. Devices that are jailbroken, rooted, or have been subject to any other method that changes built-in operating system protections must not be used to access university information technology resources.
      4. Devices must support WPA2 and AES to connect to the university employee wireless network.
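The requirements in section 6.2 can be evaluated mechanically against a device posture record (for example, one reported by a mobile device management agent or a self-attestation form). The following is an added illustration, not part of this Standard or of any university tooling; the record layout, the field names, and the two sample devices are assumed and constructed for the example.

```python
"""Posture evaluator for section 6.2 of the BYOD Standard (illustrative only).

The posture record is a hypothetical dict; field names are assumptions made
for this example and do not come from the Standard or from any MDM product.
"""
from typing import Any, Dict, List

MAX_IDLE_MINUTES = 15  # section 6.2.2.3


def evaluate_posture(p: Dict[str, Any]) -> List[str]:
    """Return the 6.2 requirements the device fails; an empty list is compliant."""
    failures: List[str] = []
    # 6.2.3: jailbroken/rooted devices are excluded outright
    if p.get("jailbroken_or_rooted"):
        failures.append("6.2.3 device is jailbroken or rooted")
    # 6.2.2.1: an active form of access protection (passcode, biometric, ...)
    if not p.get("access_protection"):
        failures.append("6.2.2.1 no access protection configured")
    # 6.2.2.3: lock/log out within 15 idle minutes, or an alternative physical control
    idle = p.get("idle_lock_minutes")
    if (idle is None or idle > MAX_IDLE_MINUTES) and not p.get("locked_room_control"):
        failures.append("6.2.2.3 no inactivity lock within 15 minutes")
    # 6.2.2.4: supported operating system that is patched and updated
    if not (p.get("os_supported") and p.get("os_patched")):
        failures.append("6.2.2.4 unsupported or unpatched operating system")
    # 6.2.2.5: remote wipe, or full encryption where remote wipe is unavailable
    if not (p.get("remote_wipe") or p.get("encrypted")):
        failures.append("6.2.2.5 neither remote wipe nor encryption")
    # 6.2.4: WPA2 and AES, only relevant when joining the employee wireless network
    if p.get("joins_employee_wifi") and not (p.get("wpa2") and p.get("aes")):
        failures.append("6.2.4 lacks WPA2/AES support for employee wireless")
    return failures


# Constructed sample records (not real devices).
COMPLIANT_DEVICE = {
    "jailbroken_or_rooted": False, "access_protection": "fingerprint",
    "idle_lock_minutes": 5, "os_supported": True, "os_patched": True,
    "remote_wipe": False, "encrypted": True,
    "joins_employee_wifi": True, "wpa2": True, "aes": True,
}
NONCOMPLIANT_DEVICE = {
    "jailbroken_or_rooted": True, "access_protection": "passcode",
    "idle_lock_minutes": 30, "os_supported": True, "os_patched": False,
    "remote_wipe": False, "encrypted": False, "joins_employee_wifi": False,
}

if __name__ == "__main__":
    for name, rec in (("compliant", COMPLIANT_DEVICE), ("noncompliant", NONCOMPLIANT_DEVICE)):
        print(name, evaluate_posture(rec) or "meets section 6.2")
```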
    3. Conducting University Business on Personal Devices
      1. The university provides the use of university information technology resources, including university assigned devices, which must be used by university employees as the primary means to create, store, send, or receive university data.
        1. Occasional use of personally owned devices is permitted to access university data and/or conduct university business provided the device meets the security requirements identified within section 6.2 of this document and the device is made available on request for inspection by the university to ensure appropriate security controls are in place.
        2. The use of a personal device as the primary means to create, store, send, or receive university data and/or conduct university business is prohibited with the exception of adjunct and post retirement faculty who do not have access to university assigned or available devices; in this case, personally owned devices may be used as the primary device if the security requirements are met as defined in section 6.2 of this document. 
      2. Data classified as Restricted or Private in the Information Security and Data Classification Policy must never be accessed or downloaded to a personally owned device.
      3. Software licensed to the university must never be downloaded to a personally owned device unless specifically permitted by the license.
      4. University data subject to document requests (e.g. Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g. warrants, subpoenas, court orders) stored on a personally owned device must be produced upon the request of the university.
      5. Any university data downloaded to a personally owned device must be destroyed, removed, or returned to the university once the individual:
        1. Is no longer employed by the university;
        2. No longer requires access to the university data due to changing job responsibilities; or
        3. Is no longer the owner or primary user of the device.
    4. Exceptions
      1. This Standard does not apply to university-owned devices.  For more information regarding university owned devices refer to the University Owned Endpoint Device Standard.
  7. ASSOCIATED DOCUMENTS:
    1. 4:042 Information Security and Data Classification Policy
    2. 4:029 Acceptable Use of Information Technology Resources
    3. 4:039 Password Management Policy
  8. RECORD RETENTION TABLE:
    Storage                                  Retention   Disposition   Protection
    OITManagers Network Share (Electronic)   Perpetual   Delete        Electronic Back-up

  9. REVISION HISTORY:
    Date:       Rev.   Description of Revision:
    8/18/2022          Initial Release