Mobile Device Policy
1.0 Overview
The use of mobile devices is a valuable tool and critical to efficient operation of the University. However, there is potential for abuse on several fronts. Because of the ease of transport of mobile devices, there is a higher rate of theft for all devices, especially those containing sensitive data. This policy is designed to help prevent such thefts and safeguard any University data stored on these devices.
2.0 Scope
This policy applies to all mobile devices and removable storage media that are owned by Southwestern Oklahoma State University, or an individual, and are used in conducting business (email, data, and/or files) for the University. See the SWOSU Cloud Computing Policy for information pertaining to cloud computing and storage.
3.0 Definitions
Mobile device is a generic term used to refer to a variety of devices that allow people to access data and information from anywhere. This includes, but is not limited to, laptops, tablets, smartphones/cell phones, PDAs, or other portable devices used for University business.
Removable storage media includes, but is not limited to, USB flash drives, external hard drives, or other devices used to store data.
Sensitive data is defined as any data not otherwise protected by state and federal law or other regulations but that the University has an obligation to protect. This data is shared only among small groups who need access for the purpose of conducting University business and includes but is not limited to:
- Data collected and utilized through research that is not protected data
- Financial information that is not protected data
- E-mail messages
- Birth dates
Protected data is the most sensitive data and includes personally identifiable information protected by state and federal law. Southwestern Oklahoma State University is required to comply with HIPAA, FERPA, PCI, and the Gramm-Leach-Bliley Act. Examples of protected data include but are not limited to:
- Social Security Numbers
- Financial information, which includes credit card numbers, bank accounts, financial aid information, and bursar bills
- Medical information
- Confidentiality agreements
- Contracts
- Data collected and utilized through research grants
4.0 Security Policy
- Stewards of mobile devices are responsible for taking reasonable and prudent measures to ensure the physical security of the equipment. Mobile devices are not to be left unattended in an area that is not secure. Offices need to be locked when unoccupied even if for a brief period.
- While in transit or stored offsite, stewards must take reasonable and prudent measures to ensure security of the mobile devices against loss or theft.
- By accepting a University-owned mobile device, you accept that the device may be geographically tracked.
- Personal devices used for University business may be subject to the Open Records Act.
- Removable media and mobile devices used to store sensitive data must be password protected or encrypted.
- University and student record security is critical. It is strongly encouraged that, even when using passwords or encryption technologies, mobile device stewards not store sensitive or protected data on devices unless absolutely critical to conduct University-related business.
- In the event of the loss of a mobile device that contains any stored University data, along with reporting the loss of the device, University personnel are required to immediately report any sensitive or protected data that may have also been lost with the device to their department chair, the SWOSU Human Resources Director, and the Department of Public Safety.
- Users shall not examine, change, or use another person's (or institutional) username, password, files, or e-mail.
- Personally owned mobile devices may not be physically connected to the University network by Ethernet.
- Printers and/or scanners used in offices and classrooms may not be connected to the wireless network. (Disable the wireless option to prevent connection to the network.)
5.0 Enforcement
All individuals using computer and network systems owned by the University are subject to applicable laws and University policies. Violations are subject to disciplinary action. The University may immediately suspend the computer/network privileges of alleged violators, subsequently ensuring due process. The University will provide proportional sanctions for policy violations, including but not limited to reprimand, temporary or permanent removal of computer/network privileges, dismissal from the University, and legal action. Violations of this policy may constitute a criminal offense, punishable by local, state, or federal law.