VISC Mobile Device Guideline
Best Practices for Mobile Devices
1.0 MOBILE DEVICE GUIDELINES
1.1 Introduction
This guideline was developed to support the CSU policies, government regulations and audit compliance. This guideline provides support for the implementation of security best practices in the use of mobile devices. Mobile devices that process Protected Level 1 data should follow security protocols and practices to ensure the Level 1 data is not accessed without authorization.
1.2 Purpose
The purpose of this Information Security Practice Guideline is to:
- Establish encryption as a requirement in the event that Confidential University Data are to be stored on Mobile Devices, and
- Specify practices to ensure that there is a legitimate need before Confidential University Data are stored on Mobile Devices and that the User can ensure that encrypted data remain accessible in the event that an encryption key becomes lost or forgotten.
This guideline provides mobile device specific recommendations to supplement sections 8045 (Information Technology Security), 8060 (Access Control) and 8065 (Information Asset Management) of the CSU Information Security Policy and the CSU Information Asset Management standard, Access Control Standard, and Data Classification standard.
1.3 Scope
This guideline applies to all mobile devices, regardless of ownership or location of the device, that receive, store, transmit, generate, process, consume, or otherwise make use of Level 1 and Level 2 information for which the University or its auxiliaries hold ownership or responsibility.
2.0 MOBILE DEVICE INFORMATION HANDLING
Protected Level 1 data must not be stored on mobile devices unless approved by the appropriate administrator on the campus. The approving administrator varies by campus and should be someone with authority, such as the campus President, Chief Information Officer or Information Security Officer.
2.1 Back-up
When stored on a mobile device, regardless of ownership or location of the device, protected Level 1 or 2 data remain subject to the CSU Information Technology Security policy, the CSU Access Control policy and standard, the CSU Information Asset Management policy and standard, and CSU Executive Order 1031, and must be protected, backed up, transferred, stored, encrypted, retained, and/or destroyed in accordance with them.
2.2 Protection
All mobile devices storing Protected Level 1 or 2 data, regardless of ownership or location of the device, must comply with all applicable requirements, including those for patching, firewall protection, password protection, physical protection, antivirus protection, and disabling of unused services, from the CSU Information Technology Security policy, and the CSU Access Control policy and standard.
2.3 Incident Response
Users must follow Campus Incident Response Procedures in the event of actual or suspected loss, theft or compromise of any university owned mobile device or any mobile device containing protected Level 1 or 2 data.
2.4 Open Networks
Reasonable care should be taken when using mobile devices in public places, meeting rooms, or other unprotected areas to avoid the unauthorized access to or disclosure of the information stored on or accessed by the device. Similar precautions should be taken when using a campus wireless network. Additional mobile device usage precautions are listed below:
1) Special care should be taken in crowds, meetings, and security-screening areas to maintain control over the device. Do not let it out of your sight.
2) Mobile devices owned or issued by the University should not be left unattended and, where possible, should be physically locked away or secured.
3) Mobile devices should be transported as carry-on luggage whenever traveling by commercial carrier unless the carrier requires otherwise.
4) All mobile devices should be kept out of sight and covered when stored in a locked vehicle.
5) All University-owned mobile devices should be permanently marked as University property and indicate a method of return in case the device is lost.
6) Encrypted password managers should be employed on mobile devices to store passwords for systems that contain sensitive data.
7) Users should take steps to secure mobile devices, such as the following from
2.5 Configure Mobile Devices Securely
Below are guidelines to configure your mobile device securely:
1) Enable auto-lock.
2) Enable password protection and require complex passwords.
3) Avoid using auto-complete features that remember user names or passwords.
4) Ensure that browser security settings are configured appropriately.
5) Enable remote wipe.
6) Ensure that SSL protection is enabled, if available.
2.5.1 Connect to secure Wi-Fi networks and disable Wi-Fi when not in use.
a) US-CERT recommends disabling features not currently in use such as Bluetooth, infrared, or Wi-Fi. Additionally, set Bluetooth-enabled devices to non-discoverable to render them invisible to unauthenticated devices.
b) Avoid joining unknown Wi-Fi networks.
2.5.2 Update mobile devices frequently. Select the automatic update option if available.
a) US-CERT recommends maintaining up-to-date software, including operating systems and applications.
2.5.3 Utilize anti-virus programs and configure automatic updates if possible.
a) US-CERT recommends installing anti-virus software as it becomes available and maintaining up-to-date signatures and engines.
2.5.4 Use an encryption solution to keep portable data secure in transit.
a) Data protection is essential. If confidential data must be accessed or stored using a mobile device, make sure users have installed an encryption solution (e.g., GuardianEdge Smartphone Protection, McAfee Endpoint Encryption, PGP Mobile, Pointsec Mobile Encryption).
b) Do an assessment - or at least be aware - of the encryption options available for mobile devices. Some devices may offer more mature security solutions than others. For example, Sophos has an article, "iPhone vs. BlackBerry: A Mobile Device Comparison", which notes that "either device can be used as a secure business tool if it is configured properly and used correctly."
c) Consider using thin client models so that data is centrally and securely maintained. This is one option to help avoid the issue of storing confidential data on mobile devices. It also means not having to develop new solutions every time a new mobile technology is released.
d) Educate users that they should avoid using or storing confidential data on a mobile device whenever possible.
2.5.5 Use digital certificates on mobile devices.
Contact the campus Help Desk for information on obtaining and using digital certificates.
2.5.6 Take appropriate physical security measures to prevent theft or enable the recovery of mobile devices.
a) For laptops, use cable locks.
b) Use tracing and tracking software (e.g., Computrace, Lookout, MobileMe).
c) Never leave your mobile device unattended.
d) Report lost or stolen devices immediately.
e) Remember to back up data on your mobile device on a regular basis.
2.5.7 Use appropriate sanitization and disposal procedures for mobile devices.
a) Securely wipe all information stored in a device prior to discarding, exchanging, or donating it.
3.0 DEFINITIONS
All definitions from the Integrated CSU Administrative Manual glossary are incorporated here by reference.
4.0 REFERENCES
Internet2 Mobile Device Security Wiki page:
CSU Information Technology Security policy:
CSU Access Control policy:
CSU Information Asset Management policy:
CSU Data Classification standard: