
Mobile Computing and Storage Device Standard

Purpose

To establish information security requirements for the use of mobile devices ("device"). Mobile devices include, but are not limited to, handheld mobile devices such as smartphones and tablets; laptops or notebook computers; and mobile storage devices such as USB storage devices, CDs, or DVDs.

Standard

Users who access, store, or process sensitive university data via a device must apply appropriate safeguards to ensure that the risk of information exposure due to loss or theft is effectively mitigated. Mitigation strategies for devices are as follows:

  1. Devices and data that store, access, or process sensitive information must be encrypted. Criteria for acceptable encryption are outlined in the information security standard.
    1. Encryption passwords should meet the standard set within the policy University Credentials (91.004) and should be secured.
    2. Devices must employ device access protections, such as passcodes, complex passwords, pattern swipe, card swipe, or a fingerprint reader.
    3. Passwords must be consistent with the standard set within the policy University Credentials (91.004).
  2. The device must be configured with an inactivity timeout mechanism that requires re-authentication before use. Timeouts of no more than fifteen (15) minutes are recommended; shorter durations may be implemented, when appropriate, based on risk and use case.
  3. Users should ensure the physical security of devices by implementing the following:
    1. Devices must be used and stored in a manner that deters theft.
    2. Devices should use tracking and recovery software to facilitate return if lost or stolen.
  4. Devices must have remote wipe functionality in case the device is lost or stolen.
  5. In accordance with the information security standard, users must immediately report any incidents or suspected incidents of unauthorized data access, data or device loss, and/or disclosure of system resources as it relates to devices.
  6. Disposal of devices must comply with the information security standard.

Required Safeguards by Device Type

Handheld Mobile Device (ex: smart phone, tablet, etc.)

  Encryption            Required for storage of sensitive data
  Passcode              Required
  Auto Lock             Required after a maximum of 15 minutes of inactivity
  Intrusion Prevention  Required lockout or wipe after 10 incorrect attempts
  Remote Wiping         Recommended if supported by device or application

Laptop / Notebook Computer

  Encryption            Required for storage of sensitive data
  Passcode              Required; a passphrase must be used to access the operating system
  Auto Lock             Required after a maximum of 15 minutes of inactivity
  Intrusion Prevention  Required lockout after a maximum of 10 incorrect attempts, which expires after a 15-minute minimum
  Remote Wiping         ???

Mobile Storage Devices (ex: USB storage device, CDs / DVDs, zip disks, etc.)

  Encryption            Required for storage of sensitive data
  Passcode              Required encryption key

Mobile devices used to access university data with a rating of sensitive are subject to additional safeguards:

  • Written approval from the Dean or IRB confirming a critical business need
  • Encryption of the information on the device and in transit

Devices that do not support encryption must not be used to access, store, or manipulate sensitive data.

Definitions

Users – faculty, staff, third-party agents of the university, and other authorized university affiliates accessing university data.

Mobile device (device) – handheld mobile devices such as smartphones and tablets; laptops or notebook computers; and mobile storage devices such as USB storage devices, CDs, or DVDs.

Sensitive University data – University data that requires protection to ensure confidentiality and integrity, as defined in the university's policy Data Classification (93.001). Examples of such data can be found by referring to Sensitive Data: Defining and Classifying.

References

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on changes in the technology landscape and/or changes to established regulatory mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups: 

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer
  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College)
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
  • Finance: Julie Allison, Associate Vice President, Finance
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education
  • Research: Kimberly Littlefield, Associate Vice President for Research Administration 

History

Draft versions of this policy were circulated for review and approved on November 20, 2020.

Draft revisions of this policy were circulated for review and approved on August 7, 2025.