The purpose of this policy is to establish a framework and requirements regarding the use and protection of mobile devices. Devices include, but are not limited to, mobile phones, smartphones, tablets, laptops, or hybrid devices that store, transmit, or have access to resources at the University of North Carolina at Greensboro (hereinafter “the University” or “UNCG”).
Mobile devices are a valuable tool in conducting University business. While the use of mobile devices facilitates increased productivity and convenience, it also puts University data at an increased level of risk due to the potential for loss, theft, compromise, or insecure use.
The intent of the policy is to manage the risks associated with the use of mobile devices in the facilitation of University business by providing guidance for the secure use of end-user mobile devices and the data contained on those devices.
The scope of this policy applies to all Users and includes both UNCG-owned and Personally-owned mobile devices that access the University’s networks, data, or systems.
The presence or absence of any subsidy from UNCG to the owner of a Personally-owned device does not affect the applicability of this policy.
3.Definitions and Roles and Responsibilities
Mobile device is a portable computing device capable of connecting to a network to provide the user with access to data services or other computing services. This includes, but is not limited to, mobile phones, smartphones, tablets, laptops, or hybrid devices.
University-owned device is a mobile device, purchased and owned by the University.
Personally-owned device is a mobile device, purchased and owned by an individual.
Non-public (or UNCG) resources are resources, data, or systems that require UNCG credentials to access.
Connected Things refers to any Personally-owned wearable or miscellaneous device (including, but not limited to, smartwatches, Fitbits, and augmented reality [AR]/virtual reality [VR] devices) which connect to a University-owned device, or to the UNCG network.
Users refers to all persons including, but not limited to, University employees, students, contractors, consultants, suppliers, customers, government or academic agencies, all personnel affiliated with third parties, and non-affiliated visitors using UNCG-owned or Personally-owned mobile devices that access the University’s networks, data, or systems.
Restricted Systems include access-controlled software or other non-public (or UNCG) information systems that contain or manage moderate- to high-risk data (e.g. Banner, Genie, etc.)
3.2Roles and Responsibilities
Mobile device users of the University’s information resources have the responsibility to take appropriate measures to protect mobile devices and University assets accessed by the device.
- The device must be physically protected from loss, theft, and compromise.
- The device must be protected with a pin, password, passcode, or similar authentication mechanism, if supported by the device.
- Users must take appropriate precautions to prevent others from obtaining access to their mobile device(s). Users will be responsible for all transactions made with their credentials, and should not share individually assigned passwords, PINs, or other credentials.
- Storing or accessing sensitive data in any way that violates the University’s Data Classification Policy is prohibited.
- Storing unencrypted non-public (or UNCG) resources on the device is prohibited.
- The device operating system version must receive software security updates from the device provider. Unsupported end-of-life operating systems and software are not permitted.
- Third party software installed on the device may not compromise the security of University data or systems.
- If a mobile device used to access, store, or manipulate non-public University data is lost, stolen, or compromised, the User must promptly notify management, or the ITS Service Desk so appropriate steps may be taken to protect non-public (or UNCG) resources and systems.
- Users should not access restricted systems from Personally-owned devices, even if it is technically possible. Failure to comply with this provision may result in disciplinary action.
- Mobile devices and Connected Things must be wiped of all University data prior to sale or disposal of the device, or when a User separates from the University.
- In the (unlikely) event that the University needs access to either a University- or Personally-owned device, mobile device data is subject to the North Carolina Public Records Act (NCGS Chapter 132) and (“E-discovery”), including public information requests, subpoenas, court orders, litigation holds, and other requirements applicable to University Information Resources. Should this occur, Users must provide access to the subject device.
4.2University-owned Mobile Devices
The following requirements apply to all University-owned mobile devices that access, store, or manipulate non-public (or UNCG) resources:
- Each device must be configured by University support staff using an ITS provided configuration with full disk encryption.
- Devices may not be used by individuals who are not authorized University Users.
- Departments must maintain an inventory of mobile devices assigned to employees. Departments are responsible for recovery and appropriate disposal of mobile devices.
- University maintains the right to wipe the device entirely of its contents if it is lost, stolen, retired, or otherwise compromised, or when the User is separated from the University through resignation, termination, or layoff.
- Users are responsible for upgrades, including backing up and restoring data as part of the upgrade process. Users are solely responsible for backing up any personal content on the device, as that information cannot ultimately be protected by selective wipes.
- Loss or theft of the device must be immediately reported by the user to the employee’s management and to the ITS Service Desk. University Police shall be notified in cases of theft.
4.3Personally-owned Mobile Devices
The following requirements apply to all Personally-owned mobile devices that access, store, or manipulate non-public (or UNCG) resources:
- Personal use of the device may not compromise the security of UNCG data or systems.
- All Users must select strong passwords and change passwords in accordance with the UNCG password requirements.
- All Personally-owned mobile devices must be configured with a minimum password length of six alphanumeric characters or use an acceptable biometric solution for authentication.
- All Personally-owned mobile devices must be secured with a password-protected screen saver when left unattended and must be configured to automatically lock after a predefined period of inactivity.
- All Connected Things must operate in a manner that does not interfere with, disrupt, or otherwise degrade the performance of University-issued connected devices and network-dependent services
5.Compliance and Enforcement
Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and EHRA nonfaculty) or “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein.
If violation of the policy also results in a violation of law, the violation may also be referred for criminal or civil prosecution.
Violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of ITS where such action is reasonable to protect the University or its information infrastructure.
Portions of this document were informed by the language found in the ISO/IEC 27002:2013 Standard (section 6.2.1 Mobile Device policy)
The Chancellor is responsible for approval of this Policy.
6.4Contacts for Additional Information and Reporting
- Responsible Executive: Donna R. Heath, Vice Chancellor for Information Technology Services and Chief Information Officer (CIO), firstname.lastname@example.org
- Responsible Administrator: Casey J. Forrest, Chief Information Security Officer (CISO), email@example.com