Number: IT 110
Effective: December 1, 2016
Department: Information Technology
Last Revision: December 19, 2016

Purpose

To ensure secure, reliable and accountable use of mobile computing and storage devices containing CWI data by establishing unified management of and formally assigning roles and responsibilities with respect to the use of such devices.

Scope

Applies to all mobile computing and storage devices used by CWI’s users in the performance of their duties and to all CWI data when accessed through, or stored on, mobile computing and storage devices, regardless of the device’s ownership.

Definition

Mobile Computing Devices: Small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. Current examples include, but are not limited to, laptop, notebook, netbook and similar portable personal computers, as wells as smartphones and PDAs (Android, Blackberry, iPhone, and others).

Mobile Storage Devices: Media that can be easily carried by a single person and provide persistent storage. Current examples include, but are not limited to, magnetic storage devices (diskettes, tapes, USB hard drives), optical storage devices (CDs, DVDs, magneto-optical disks), memory storage devices (SD cards, thumb drives), and portable devices that make nonvolatile storage available for user files (cameras, MP3 and other music players, audio recorders, smart watches, and cell phones).

Restricted Data: Data in any format collected, developed, maintained or managed by or on behalf of CWI, or within the scope of CWI activities that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to, medical records, social security numbers, credit card numbers, drivers licenses, non-directory student records, research protocols and export controlled technical data.

User: Anyone who uses CWI’s information technology resources, even if they have no responsibility for managing the resources. This includes students, faculty, staff, contractors, consultants, and temporary employees.

Policy

CWI is committed to and encourages an open and collaborative environment through the use of mobile devices to facilitate interaction among Users. However, mobile computing devices and mobile storage devices that connect to CWI’s servers or contain CWI Restricted Data can be a substantial security risk for CWI. To reduce that risk, CWI has adopted the following guidelines.

Guidelines

  • All mobile computing devices and mobile storage devices that access the CWI Intranet and/or store CWI Restricted Data must be compliant with CWI Information Security Policies and Standards. CWI information security policies applicable to desktop or workstation computers also apply to mobile computing and mobile storage devices.
  • Restricted Data stored on mobile computing and storage devices must be encrypted.
  • Any and all mobile computing and mobile storage devices used within CWI’s information and computing environments must meet all applicable CWI encryption standards.
  • Mobile devices purchased with CWI funds, including but not limited to contracts, grants, and gifts, must also be recorded in the CWI IT assets inventory.
  • CWI’s Chief Information Officer will establish standards to govern the secure use of all mobile computing and storage devices at CWI.
  • CWI’s Chief Information Officer will provide guidance to assist departments and units in complying with these requirements.
  • All CWI managers, in conjunction with IT support teams, are responsible for ensuring all existing users of mobile computing and storage devices within their areas of responsibility are compliant with CWI policies and standards.
  • All Users who are currently using personally-owned mobile computing and storage devices that access the CWI Intranet and/or store CWI Restricted Data are required to bring their personal device into compliance with the CWI Information Security Standard for mobile computing and storage devices.
  • All Users will report the loss or theft of a mobile computing or storage device to the Help Desk (562-3522) immediately upon detection of the loss. CWI’s Chief Information Officer must be immediately notified of theft or loss of any mobile computing device or mobile storage device that contains Restricted Data. CWI’s Restricted Data may not be released for storage on, or access through, devices that do not meet these requirements.
  • Failure to comply with these guidelines may result in suspension or termination of connectivity privileges and/or corrective action, up to and including termination or expulsion.