Mobile Device Security – LR208.7

University of Arkansas at Little Rock
Policy Name: Mobile Device Security
Policy Number: LR 208.7
Effective Date: November 19, 2021
Revised Dates: November 19, 2021; August 2, 2021
Most Recent Review Date: November 19, 2021

Purpose

UA Little Rock implements necessary controls, technologies, and devices to secure information systems and critical data in UA Little Rock infrastructure. Mobile devices are an inevitable part of our daily lives, and they are used to conveniently perform UA Little Rock business-related activities and provide access to UA Little Rock data. However, mobile devices have fewer security controls to keep UA Little Rock systems and data secure. UA Little Rock developed this policy to define the best practices and principles to secure individual devices, university systems, and data.

Scope

This policy applies to every mobile device—university-owned or personal—accessing UA Little Rock systems and data to perform university business by university employees.

Sensitive Data: Sensitive data is a blanket term used to designate classes of data with a high level of security that the university is legally or contractually required to protect. Sensitive data refers to any element of data that is uniquely or in aggregate protected by federal regulations (ex: HIPAA, FERPA), categorized as PII or PHI, or any other data that has been identified as business-critical or business-sensitive data, such as financial records or intellectual property of UA Little Rock.

Mobile Devices: Mobile devices are smartphone or tablet type devices that typically run Apple iOS or Android operating systems. These often very portable devices include some form of internet connectivity (Wi-Fi and/or Cellular) and are used to perform various functions such as reading and responding to emails, providing access to various enterprise applications, and interacting with various documents.

Policy

This policy is intended to ensure all employees follow safe computing practices when using mobile devices. Users are encouraged to apply these best practices to all mobile devices, including those that are not used for accessing campus data, to minimize risks and data loss associated with lost or stolen devices. UA Little Rock understands and respects that the use of personal devices to access campus data is a personal choice that happens to provide significant benefit to the campus and the community served. UA Little Rock does, however, have an obligation to this same user community to ensure that access to campus data and resources is done in a safe and secure manner. Employees who choose to opt out of this set of identified best practices, or whose devices cannot comply with the best practices identified below, must not access campus data from their mobile devices.

To ensure compliance with UA System policies, UA Little Rock policies, laws, and regulations, employees using mobile or personal devices to perform UA Little Rock business, functions, and tasks or accessing and processing university data must implement the following security best practices and device settings to protect the security of their mobile devices and campus data:

  1. Sensitive or business-critical data must not be stored on the mobile device.
  2. If the device supports encryption, it must be enabled.
  3. All applications must be installed from official application repositories.
  4. Auto-updates must be enabled for the mobile device's operating system and all applications running on the device.
  5. Device screen must be locked with a passcode, fingerprint, face recognition, or similar method.
  6. Device auto-lock must be enabled.
  7. If the device supports “Remote Wipe” this functionality must be enabled to permit the end-user to erase a lost or stolen device.
  8. This policy is not meant to require individuals to update their devices to the newest major software version (e.g., iOS 15.0) immediately upon public release when previous major versions are still in vendor support for their specific device (e.g., iOS 14.0) and receiving patches and updates (e.g., 14.8). Rather, individuals are simply required to keep their devices patched by updating them to the most recent minor release available.

Additionally, some mobile devices provide additional security features that may be beneficial to end-users, such as “Find My Device (Phone).” UA Little Rock encourages end-users to weigh the benefits of enabling such capabilities (such as recovering a lost device). UA Little Rock can in no way use these additional features for administrative oversight on personally owned devices.

In the future, employees who wish to continue to access UA Little Rock IT resources and data via mobile devices may be required to install a third-party software application to safeguard campus data and monitor compliance with these best practices. Should campus require this third-party software for data access, employees will be provided advance notice of the installation requirement, and at no time will UA Little Rock have the capability to technically or administratively compel users to install this software on personally owned devices. However, users who choose not to install the software will not be granted access to campus IT resources from their mobile devices. Further, should a third-party software application be required, campus will clearly articulate any necessary access permissions and administrative functions the software permits.

Users who are uncertain whether their devices are in compliance with these requirements, or who have further questions, are encouraged to contact the IT Assistance Center for additional help.

Attempting to knowingly circumvent the security best practices and device settings mandated in this policy may result in revocation of access, suspension of accounts, and disciplinary action.

References

  1. Definitions
    1. Sensitive Data: Sensitive data is a blanket term used to designate classes of data with a high level of security that the university is legally or contractually required to protect. Sensitive data refers to any element of data that is uniquely or in aggregate protected by federal regulations (ex: HIPAA, FERPA), categorized as PII or PHI, or any other data that has been identified as business-critical or business-sensitive data, such as financial records or intellectual property of UA Little Rock.
    2. Mobile Devices: Mobile devices are smartphone or tablet type devices that typically run Apple iOS or Android operating systems. These often very portable devices include some form of internet connectivity (Wi-Fi and/or Cellular) and are used to perform various functions such as reading and responding to emails, providing access to various enterprise applications, and interacting with various documents.

Source: Initial Policy
Status: Active
Approved By: Christina Drale, Chancellor
Originator: Vice Chancellor for Finance and Administration
Custodian: Information Technology Services