Mobile Device Security Standards and Guidelines
Consistent with requirements in UT System Policy 165, the purpose of this document is to provide standards and guidelines for securing mobile devices that are owned by UT Arlington. It also covers non-UT Arlington owned devices, including personally owned mobile devices containing UT Arlington data. The guidelines and standards have been created to ensure that users are aware of certain requirements and best practices for securing such devices.
Mobile computing devices such as smart phones and tablets are now as ubiquitous as desktop and laptop computers, and are rapidly becoming incorporated into our daily productivity routines. While these mobile devices aid with our jobs, they pose an information security risk to UT Arlington given that they may store information that is considered confidential or controlled; UT System has recognized, based on past experience, that the small form factor and portable nature of these devices render them easily lost or stolen, risking the confidentiality of the information held within. Additionally, if left unsupervised and unsecured, these devices can be accessed by unauthorized individuals (including friends or family members).
As a practical matter, it may be difficult to prevent University information from being stored on such devices, as typical mobile access configurations routinely download data from University systems (such as e-mail and attachments). As such, it is the responsibility of every user of such devices to ensure that the information is protected.
What is a Mobile Device?
A mobile device can be distinguished from other devices, such as laptops or portable storage devices, by the nature of the operating system that runs on it. For the purpose of Mobile Device Management at UT Arlington, computing devices that run the following operating systems are considered mobile devices:
- Apple iOS
- BlackBerry OS
- Google Android
- Google Chrome OS
- Microsoft Windows RT
The above is a non-exhaustive list of mobile operating systems that are typically run on smart phones or tablet form factor computers. Distinguishing a mobile device by its operating system is important because the device's security is limited by its software capabilities: the methods that are available for securing a full operating system (such as Apple OS X, Microsoft Windows, Red Hat Linux) may not be available for, or practical to implement on, mobile operating systems.
Best practices and requirements:
The following are general best practices that must be implemented on University owned and personal mobile devices containing confidential or controlled University information. When available, University provided Mobile Device Management software will be required to enforce portions of these best practices. Additional measures should be implemented based on risk and/or based on specific capabilities of particular devices.
- Enable full disk encryption – newer models of mobile devices have built-in full disk encryption capability, but in many cases must be manually enabled. On iOS devices and some Android devices, encryption is enabled as soon as a password is set. You must manually verify that the encryption is enabled. Enabling encryption not only prevents unauthorized access to data, but also provides safe harbor from State breach notification requirements.
- Back up your data frequently: Make sure that all of your data is backed up in case your mobile device is lost or damaged, or your device is locked out for any other reason. Device encryption will prevent data recovery, so your only option is to restore from backups. Make sure that the location that you are backing up to is secure and approved for University data (ensuring encryption during transmission and storage) and that you test the integrity of your backups periodically.
- Choose a strong password – while it may not always be practical to implement a very complex password on a mobile device, you must ensure that the password is not easy to guess. Avoid easy-to-guess sequences of numbers such as ‘1111’ or ‘1234’. Where technically capable, enable a minimum of 6 hard-to-guess characters with a lock-out of 30 minutes after 3 incorrect tries. Change the password every 6 months.
- Never share your password with anyone – similar to your NetID, never share your mobile device password with anyone including friends or family members, especially if doing so will also provide unfettered access to resident confidential or controlled University information.
- Avoid jailbreaking — tampering with a device's operating system software to allow services or install applications that have not been vetted by a reputable app store is prohibited for University owned devices, unless this activity is in support of related research or other very narrow circumstances that have been approved by the Information Security Officer. Storing or accessing confidential University information on jailbroken devices is prohibited.
- Verify apps before installing: Make sure that you only install apps from a well-known trusted source such as Apple iTunes, Google Play Store, Amazon Prime or Microsoft, as these vendors perform some security checks on the applications before they are made available for public purchase or download. Obtaining the software from unauthorized sources increases the likelihood of a malware infection.
- Install an anti-malware app – while somewhat less susceptible to malware, all mobile devices can be rendered vulnerable to malware if the user of the device does not exercise good judgment about which apps are considered safe. In some cases, malicious software vendors supply “clean” applications to app stores but then provide subsequent malicious updates that bypass the app store security checks. A number of vendors offer antivirus and anti-spam solutions, including Lookout Security, Sophos, Avast, F-Secure, Symantec and Trend Mobile.
- Keep your operating system up-to-date: Much like you do with a regular computer, protect your mobile device and the data held within by enabling automatic updates, or accepting both operating system and software updates when prompted by the device manufacturer, operating system provider, service provider or application provider.
- Inventory your University owned device - University mobile devices should be inventoried in order to track to whom they are assigned. Accounting for them even though they may fall under the state threshold for inventory management helps ensure that any lost or stolen devices are identified.
- Promptly report a lost or stolen device – All lost or stolen University owned devices must be reported to UT Arlington police and to the Information Security Office. All personal devices containing confidential University information must be reported to the Information Security Office.
- Remote access and network encryption: It is very easy to harvest unencrypted information travelling through any network, including wireless. Enable VPN or a secure protocol such as TLS 1.2 or higher in order to protect your username and password when using untrusted and/or public wireless or wired networks. Special care should be taken to verify encrypted connections when accessing wireless networks abroad.
- Disable features and applications that you don't use: Reduce security risks by limiting your device to only necessary applications and services. In general, the fewer non-critical services or apps that you have running on your mobile device, the more secure and stable it will be. Disable Bluetooth, NFC and other network protocols when not in use.
- Limit who can access your mobile device: University owned mobile devices or personal devices containing confidential information must not be shared with non-employees unless special care has been taken to prevent unauthorized access. Note that family members are not authorized to access confidential university information and as such access to University files or email must be protected on personal devices.
- Securely erase the device – All University owned mobile devices or personal devices containing confidential information must be securely erased or reset before being surplused or discarded. Most mobile devices have a built-in capability that is sufficient to prevent data from being accessed. Where possible, the remote wipe feature must be enabled so that data can be securely erased in the event that the device is lost or stolen.
Updates and modifications to this guideline.
This guideline will be modified as necessary to address changes in technology and related risks, and is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of mobile devices. In the absence of specific policies, policy statements found in this document will stand as provisional until such time as they are incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.