Mobile Device Security Guidelines

Introduction

Mobile devices, including smartphones, tablets, PDAs, and other similar devices, often pose significant risks due to their portability and broad use for both work and personal needs. If your mobile device is lost, stolen, or compromised, then both your personal information and any relevant University data may be placed in jeopardy.

In addition, University employees who utilize personal mobile devices to conduct Appalachian State business should also be aware of conditions unique to this use.

To help with both of these items, ITS has provided a set of awareness items and security steps that can help protect your mobile computing devices.

AppState Mobile Security Materials

Using Personal Mobile Devices for University Business

Many University employees utilize personal mobile devices to help conduct University Business. The list of awareness items below is not meant to discourage the use of personal mobile devices but rather to help spread awareness of our shared responsibilities when using personal devices in this manner.

  • Responsibility For Mobile Device Security - The University does not currently centrally manage the security of personal mobile devices. For this reason, employees need to be aware that they are individually responsible for the security of their personal mobile devices. To help address this responsibility, ITS strongly recommends following the security steps listed below.
  • Do Not Store Confidential or Sensitive Data - University data that has been classified as Confidential or Sensitive should not be stored on personal mobile devices. Common examples of data that should not be stored on these devices include:
    • Personal Identifiers: Social Security Numbers, Driver's license, State identification card, or Passport numbers
    • Financial Data: Credit Card Numbers, Debit Card Numbers, Checking / Savings Account Numbers
    • Authentication Data: Biometric Information, Passwords, Digital Signatures
    • Health Information: Protected Health Information
  • Public Records Act Requests - All Appalachian State University employees are subject to the North Carolina Public Records Act (NCGS Chapter 132). This act provides a method for third parties to request records associated with the public business of all state agencies, including Appalachian. If University-related materials are stored on personal mobile devices (e.g., work-related SMS messages, voicemail recordings, electronic work documents), then those devices may be subject to such a request, as the device may be viewed as being used to facilitate official University business. This could mean that employees could be required to present all of the information from the mobile device to the University for inspection and possible disclosure should the University be legally compelled to produce materials.
  • Appalachian Policies Relevant To Personal Mobile Devices - Appalachian employees must follow University policies when conducting University business irrespective of whether resources used are managed/owned by the University or not. Therefore, it is important to keep in mind that mobile devices that are used to conduct University business and access University data are subject to University policies and standards.

Mobile Device Security Best Practices

Step 1. Lock & Password Protect Your Device

An important first line of defense for your mobile devices is making sure that someone can't easily access your data should you accidentally misplace your tablet or smartphone.

  • All Devices: Set your mobile device to lock the screen after a period of inactivity and require a PIN, Password, Fingerprint, or Swipe Pattern you specify to unlock the device. (HOWTO - Google/Android and HOWTO - Apple/iOS)
  • All Devices: Make sure that your PIN, Password or Swipe pattern is not easy to guess.

Step 2. Encrypt Your Devices

When you encrypt your mobile device, you add a layer of protection around your data that makes it more difficult to read should your device be lost or stolen. Note that encrypting a mobile device requires that the device use a screen lock (see Step 1 above).

Step 3. Enable Loss or Theft Protection

One of the most common security issues with mobile devices is that they can be easy to lose and are often attractive to thieves. Loss and Theft Protection features can help you locate your device and/or send commands that render the device and its data unusable.

Step 4. Use Mobile Antivirus & Install Security Updates

Many individuals do not realize that mobile platforms are also at risk from malicious software. To help protect against mobile device malware, it is recommended to use a good mobile antivirus program. In addition, security updates for mobile operating systems should be applied as soon as they are made available.

Step 5. Secure Wireless Networking

Because our mobile devices go with us wherever we go, it is easy to fall into the habit of using wireless networks in a manner that can expose our information.

  • All Devices: Disable WiFi & Bluetooth networking when not in use.
  • All Devices: Limit use of authenticated (public) wireless (use cell data plan instead).