Last Revision Date: May 20, 2011
Approval Date: August 26, 2010
Approval Authority: Case Chief Information Security Officer
The purpose of this procedure is to establish standard procedures to secure mobile devices to prevent data loss should they be lost or stolen.
This procedure applies to all schools, departments, employees (student employees included), and faculty members of Case Western Reserve University, where mobile computing devices are used to store, process, or access university information. If the university provides these devices to the employee or department, the configuration standards are mandatory.
Equipment such as laptops, tablet PCs, mini-notebooks, etc., are considered a separate class of computing equipment and are not in the scope of this procedure (however, the Tier I Controls are applicable for such equipment).
Mobile devices are approved for processing of Public Information and Internal Use Information.
Users are prohibited from storing and processing Restricted Information on mobile devices unless approved Tier III controls are available for that device. The goal of this procedure is to provide methods to protect the data in a mobile device to the standard of Public Information Tier I Controls.
A screen lock should be applied to all devices with a password of minimum length 4. The lock screen timeout should be set to 5 minutes or lower in order to ensure the device would be locked should an unauthorized user try to access it.
These settings will be implemented using the iPhone configuration file. WiFi, VPN, and the lock timeouts will all be set in the process. It is important to remove any previous CWRU VPN connection, WiFi, and lock codes prior to installing the configuration on the device.
Apply a logon banner to the device according to the Case Logon Banner Standard. If the device allows for a text logon banner then you may use the text. An image may also be used to display the logon banner information; if there is an image for the device it will be linked to below.
Apply one of the following images as the background on your device. The table below is for Android devices with the standard Android interface. You may need to save the image to your device and then apply it as the background as you normally would any other image. Note these banner images also work well for the iPad.
Logon Banner text: The logon banner text can be found here as stated under III-7 University Logon Banner.
Mobile computing devices: Refers to small, mobile computing platforms, including smart phones, the Apple iPhone, iPod Touch, iPad, Blackberry, Android. Laptop computers are not considered mobile computing devices for the purpose of this group of standards.
University information: Most commonly files, data, documents, messages, and information pertinent to university operations governed under the Acceptable Use Policy. Email system access from a mobile device is an example of university information access through a mobile computing device.
The Office of University Counsel is responsible for the communication of a 'preservation notice' to principal personnel.
Departmental IT administrators and staff are responsible for the implementation and adherence to data preservation procedures.
This standard will be reviewed annually on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.
I have a personal device, but the logon banner says "Property of Case Western Reserve University." Does using the banner imply the university owns my device?
The login banner for personal devices is a notice of ownership of the university data which may be in the device, not of the device itself. The banner will identify the university as a point of contact for return of lost devices, which represent a risk of disclosure of that data.
What is the risk?
The primary risk addressed by these standards is the loss or theft of a device which leads to casual disclosure of university information. Because these smart devices have network services and cached passwords, email and files may be easily disclosed when a device is lost or stolen.