IS7045 - Mobile Computing

Purpose

This procedure provides guidelines for the safe and productive use of mobile devices (laptop computers, tablets, smartphones, etc.) by employees. It includes stipulations for DMACC and employee-owned devices and requirements for users and requirements for DMACC Technical Support responsible for supporting and administering mobile devices.

Scope

All students, full-time and part-time employees, contract workers, consultants, interns, and temporary workers who utilize mobile devices to conduct DMACC business are covered by this procedure. It also applies to all DMACC-owned equipment and related material, as well as employee-owned devices used for business purposes.

Exceptions

There are no exceptions to this procedure unless permitted in writing by the DMACC IT or DMACC Security departments.

Mobile Device Computing Procedure Details

If issuing DMACC-owned devices to users, these students and employees must be approved to receive mobile devices as part of their school or job duties. This approval should be made by student advisers/counselors or employee managers during the hiring process and communicated to DMACC IT to arrange procurement of the device(s). Note that wearable devices and Internet of Things (IoT) devices should be considered separate from mobile devices.

Requirements for Users

• Ensure that all mobile device use involving DMACC operations is for school, business, or professional reasons.
• Only access information that is needed to perform your job or assist others in doing so as part of the valid scope of their duties.
• Lock devices when not in use.
• Do not share devices with other students, employees, or non-DMACC personnel.
• Never share passwords with those who are not authorized to have them or leave passwords in an accessible place.
• Passwords must be changed immediately if you suspect they may have become known to others.
• Do not install unauthorized or pirated applications. Install only software that is DMACC owned and/or authorized for use by the DMACC IT department.
• Download files only from known good sources for business purposes. All systems handling these files must have updated anti-malware programs, which must not be disabled or tampered with.
• If applicable, run a virus scan on any executable file(s) received through the internet. If a virus is found (either during a scan or via a check by anti-malware software), power off the system and immediately contact the DMACC IT department to notify them of the situation; take no further action until instructed.
• Do not access or view confidential or copyrighted material if you are not authorized to do so.
• Do not copy or transfer copyrighted materials without permission.
• Know and abide by all applicable DMACC policies dealing with security and confidentiality of DMACC records.
• Avoid transmission of private or confidential information via mobile devices. If it is necessary to transmit this data, take steps reasonably intended to ensure that information is delivered to the proper person who is authorized to receive such information for a legitimate use.
• Share and store private or confidential information by adhering to security restrictions (e.g., via encrypted transmission or encrypted media). For instance, do not keep private or confidential information on unsecured media or employee-owned or unsecured services/devices such as flash drives or laptops, or employee-owned cloud storage applications.
• No single copy of DMACC data is to be stored on any mobile device- secondary copies must be kept on an internal server.
• No personal identifier data, such as social security numbers, driver’s license numbers, and bank/credit card numbers, should be kept on mobile devices
• Users are responsible for backing up/restoring their own personal data.
• All laptops must have antivirus/firewall protection and any applicable security software intended to protect the device and/or data. These applications/settings/procedures should not be tampered with or circumvented.
• Do not “jailbreak” or “root” devices.
• Allow the immediate installation of any system or application updates, patches, or other fixes released either by the device vendor or the DMACC IT department.
• Never access, insert, or connect to DMACC systems any disks, USB drives, or other storage media of unknown origin.
• Become familiar with device tracking services such as Apple’s Find My or Google’s Find My Device to be able to find lost or stolen devices.
• Mobile devices are always to be kept under your control. Do not check, ship, or give them to anyone else for transport.
• Keep in mind that airports, train stations, bus terminals, and other high-traffic travel areas can be particularly dangerous places in terms of loss or theft. Exercise special caution in these areas.
• It is acceptable for security personnel to X-ray mobile devices. However, metal detectors can harm these objects, so travelers should request visual inspections instead.
• Do not leave mobile devices visible in unattended vehicles, even if locked.
• Do not leave mobile devices unprotected in hotel rooms-use a safe or a security cable.
• If possible, copy any updated DMACC information on a mobile device back to internal servers periodically via secure means, such as VPN connections.
• Notify your manager as well as the DMACC IT department immediately if a device is lost or stolen.
• In the event that you believe a personally owned or DMACC-provided device authorized to connect to the DMACC’s resources, systems, and networks might be infected by a malware threat or might be somehow compromised, you must immediately notify the DMACC IT department, by phone or in person, of the potential security risk.
• In the event that you lose or misplace a personally owned or DMACC-provided device authorized to connect to the DMACC’s resources, systems, and networks, you must immediately notify the DMACC IT department, by phone or in person, of the potential security risk.
• Do not discard previously authorized devices, return the equipment to the DMACC IT department for disposal.
• Whenever you prepare to return or otherwise cease using a personally owned or DMACC provided device authorized for business use, notify the DMACC IT department that the device will no longer be used to connect to DMACC’s resources, systems, and networks.
• Hand in all DMACC-issued systems and devices upon termination of employment.
• Notify the DMACC IT department of all passwords, the whereabouts of any confidential data, and any other details that should be transferred to others upon termination of employment.
• Be aware that the DMACC IT department reserves the right (and will proceed) to remotely wipe a device if it has been lost, or you have been terminated and have not brought the device to the IT department for decommissioning.

Requirements for the IT Department

If applicable, the DMACC IT department should have a procurement and support procedure for issuing DMACC-owned mobile devices. Standardize on the smallest number of models possible for consistency of use and ease of support. Ensure the procurement of unlimited data plans for users to reduce data usage throttling or penalties. Establish a minimum operating system level for Android and iPhone devices to connect to DMACC resources/services or access DMACC data. Where possible, the DMACC IT department should apply centralized security policies (such as via an Exchange server) to DMACC-connected mobile devices. These policies should have the ability to:

• Restrict access only to authorized devices which have the required security settings/operating system
• Deny access to modified or rooted devices
• Enforce password changes at a minimum every 180 days.
• Remotely erase (wipe) these devices in the event of loss or theft
• Disable/enable device functions (such as the camera or use of an internal storage card)
• Deploy or limit apps and gather usage statistics.

If such a district-wide procedure does not exist, as many of the above settings as possible should be individually applied to devices.

Where possible, standardize on the same apps for both mobile devices and laptops/desktops. For instance, deploy Microsoft Outlook and Microsoft Teams across the board to all systems.

Implement and support secure remote connectivity methods for mobile devices to access DMACC resources, such as via an encrypted VPN connection. Two-factor authentication is also recommended.

If employees are to install DMACC-related apps on devices, set up a secure portal such as on iTunes or Google Play for them to do so and require authentication to these portals via DMACC credentials.

Ensure that all mobile devices run anti-malware software that is updated regularly and confirm that all critical and security patches are installed on mobile devices on a periodic basis.

Establish an on-call or after-hours method for users to communicate device mishaps, such as theft or malware infection.

Enforce encrypted storage mechanisms on mobile devices if the potential exists for the device to save, cache, or even temporarily store DMACC data. This should entail at minimum 128-bit encrypted storage (AES is recommended). This includes external USB flash drives and internal storage cards.

Where possible, whole disk encryption should be employed. See the National Institute of Standards and Technology’s Guide to Storage Encryption Technologies for End User Devices (PDF) for further details.

Whether personal or DMACC-owned. when a mobile device is to be decommissioned from use, remove any required encryption, VPN, and anti-malware licensing from the user’s device. Also confirm that the user’s device does not contain any traces of protected, sensitive, or proprietary information and delete any such data remaining on the device.

Remotely wipe a device if it has been lost or the employee has been terminated and has not brought their device to the DMACC IT department for decommissioning.

Monitoring

The DMACC IT department will monitor for adherence to this procedure. Any changes to this procedure must be approved by DMACC IT, Human Resources, or other groups designated as being responsible for revisions or updates.

Violations and Penalties

Violations of this procedure must be immediately reported to any involved managers, the Human Resources department, or the Judicial Officer. Violating this procedure or any of its tenets could result in disciplinary action leading up to and including termination of employment and civil and/or criminal prosecution under local, state, and federal laws.