Division:
Administration & Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Wednesday, February 1, 2017
Revised Date:
Thursday, October 21, 2021
Authority:
Mobile Device Management (ISO Domain 12: Operations Security Standard)
Configuration Management (ISO Domain 12: Operations Security Policy)
ISO Domain 9: Access Control Standard
Data Classification Levels (Asset Management ISO Domain 8 Standard)
Objective:
This policy explains how to secure university mobile computing devices that access or store SF State sensitive data. The measures specified herein must be followed to protect university data and ensure compliance with Federal, State, CSU and SF State regulations governing security of information. Only SF State owned devices are approved for use with sensitive data.
Definitions:
Mobile device: Computing devices that use a mobile operating system (for example, iOS or Android) excluding traditional Internet of Things (IoT) devices such as sensors or cameras.
Sensitive data (Levels 1 and 2): Campus data is classified according to its potential risk which is governed by federal and state laws. Sensitive data includes confidential (Level 1) and internal use (Level 2) data classifications. See the Confidential Data Policy for more information.
Confidential data (Level 1 - Encryption Required): Level 1 data is considered confidential must be appropriately secured. If Level 1 data is lost, stolen or accessed by unauthorized individuals, it must be reported and may require a formal breach notification to impacted individuals under state and federal law.
Internal Use data (Level 2 - Encryption Recommended): Level 2 data is for internal use and may only be released under prescribed conditions. If Level 2 data is lost, stolen or accessed by unauthorized individuals, it must be reported and may require formal breach notification under state and federal law.
Statement:
User Practice for Securing Devices
Sensitive data (Levels 1 and 2) must not be accessed or stored from mobile devices unless:
- The device is university-owned
- There is a documented business need for the sensitive data to be accessed or stored by the mobile device
- Effective security measures have been implemented to protect the data, such as high risk workstation controls or equivalent
- Full-device or container encryption is enabled, where appropriate
Required Mobile Device Security Measures
General security measures for mobile devices used for university business:
- Follow the security incident response procedure if a mobile device containing SF State Sensitive Data is compromised, lost or stolen
- Frequently check for and install any available operating system and application security updates
- Only download apps from official app stores (Apple App Store, Google Play, etc.)
- Remove or refrain from downloading non-essential apps
- Do not leave unencrypted mobile devices unattended
- Regularly backup the mobile device to protect data in the event of loss, theft, or lockout
Device Access Security Measures
- Mobile devices that access or store sensitive data must be locked during inactivity
- Unlocking requires strong authentication, such as: a passcode, or password, or biometric functionality
- If using a password, it should comply with the SF State Password Policy.
- Biometric functionality (e.g. facial recognition, fingerprint scanner) and complex passcodes must be enabled if available.
Required Sensitive Data Security Measures
Sensitive data security measures apply to mobile devices that access or store data classified as confidential level 1 and internal use level 2.
- Use public, untrusted wireless networks with caution, preferably in conjunction with SF State VPN
- Use wireless networks that support reliable encryption (802.1x)
- Auto-wipe device after 10 failed login attempts
- Maintain a backup of data and use it to restore the device if inadvertently wiped
- Configure device to be remotely wiped in the case it is lost or stolen
- Wipe or securely delete data from mobile devices before disposing, reselling, or trading them in.
Required Confidential (level 1) Data Security Measures
Security measures for securing mobile devices that access or store confidential level 1 data:
- Conduct a formal risk assessment before installing applications that are not part of the device’s base distribution
- Limit access to the device to those that need to access the confidential data
- Confirm device is encrypted
- Disable Bluetooth and wireless access when not needed
- Use SF State’s VPN when accessing confidential (level 1) data
- Approval is required for storing confidential (level 1) data on a mobile device.
Implementation
Responsibility for implementing this Policy will rest with ITS and Information Technology (IT) departments across campus. Submit any apparent violation of Password Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.
Non-Compliance
Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
Searchable Words:
mobile device, compliance, security, accessibility