Chief Information Technology Officer Karl Kowalski asked Governance leaders for feedback on a proposed mobile device security policy. I had the opportunity to hear a discussion about IT risk analysis during the last Board of Regents meeting. The greatest threat to protecting sensitive information is people transporting and sharing sensitive information on their laptops or mobile devices and being careless about security. He wants to hear back from us by Jan. 15. Please contribute any suggestions, concerns or feedback. Thanks!
Rationale: The proliferation of mobile devices on our campuses utilizing our information resources has necessitated the development of policy regarding use of those devices and protection of University information assets, intellectual property and research.
Kowalski proposes the following policy. Regulation will follow, and then guidelines for specific tools and practices for protecting mobile assets.
P02.07.066. Mobile Device Security Policy
University employees and students who use a laptop computer or mobile device (e.g. portable hard drives, USB flash drives, smartphones, tablets) are responsible for the university data stored, processed or transmitted via that computer or mobile device and for following the security requirements set forth in this policy and other applicable Information Resources Policies regardless of whether that device is the property of the university or the individual.
The use of unprotected mobile devices to access or store non-public information is prohibited regardless of whether or not such equipment is owned or managed by the university.
The Chief Information Technology Officer (CITO) is responsible for coordinating with the campuses in the development of consistent measures and business practices for ensuring the security of sensitive data on mobile devices.