arrow_circle_left Back to All Policies

Mobile Device Policy

JSCC Policy Number: Not Yet Assigned

TBR Policy Reference: Not Yet Assigned

TBR Guideline Reference: Not Yet Assigned

Approved By: Dr. Allana Hamilton

Original Date Effective: 2015-10-16

Last Modified: 2017-08-01

Responsible Office: Office of Information Technology

Purpose

The purpose of this policy is to provide guidance for the appropriate use and configuration of mobile devices as necessary to protect the Jackson State (JSCC) network and information from unauthorized access or disclosure. Mobile devices incorporate features traditionally found in a personal computer (PC). Their smaller size and affordability make these devices a valuable tool in a wide variety of applications; however, these devices are also subject to increased risk of loss, breakage, theft, and unauthorized use.

This policy applies to all faculty and staff who utilize a mobile device, owned by JSCC or the individual, to access the JSCC network, or to retrieve or store sensitive college information. Vendors, contractors, or other users who use mobile devices to access the JSCC network, or to retrieve or store sensitive college information may also be subject to this policy.

Definitions

A mobile device includes any device that is portable and capable of collecting, storing, transmitting, or processing electronic data or images. Examples include, but are not limited to, laptops or tablet PCs, iPads, personal digital assistants (PDAs), media players such as iPods, "smart" phones such as iPhone or Android devices, digital photo cameras, and video cameras. This definition also includes storage media, such as USB hard drives, memory sticks or flash drives (also known as "thumb drives"), Secure Digital or Compact Flash cards, CD-R or DVD-R media, and any peripherals connected to a mobile device.

A personal mobile device includes any mobile device that is not owned or issued by Jackson State, but is used to access the JSCC network to retrieve or store sensitive college information.

Sensitive college information includes, but is not limited to:

  • Personal identity information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, or biometric records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
  • Protected health information (PHI): Includes health information that is defined in federal and state laws, and Tennessee Board Regents and JSCC policies and guidelines.
  • Student record information: Includes academic, personal, and financial information based on student status or history and maintained or stored by the college.

Security and Protection

The user and/or owner of any mobile device used to access the JSCC network is responsible for protecting the device and any college data retrieved, accessed, or stored by the device.

Suggested methods of security and protection are:

  • Use of encryption and passwords: All data owned by the college should be encrypted where and when possible and secured by a password.
  • Network Shared Drives: JSCC provides protected network shared drives to store institutional information. Shared drives are secured and only allow authenticated users access, which can be limited to one or multiple users. The use of shared drives also fosters collaboration in a secured environment. Shared drives should be used to distribute sensitive data instead of using e-mail and/or other portable options.
  • Virtual Private Networks (VPN): JSCC provides VPN options for connection to the institutional network when connecting remotely. The use of VPN software provides secure and encrypted connections to all institutional data.
  • Tracking and Recovery software: JSCC encourages owners and users of personal mobile devices to incorporate tracking software on their devices, particularly if used to access the JSCC network or to retrieve or store sensitive college information. As an example Apple's app store has a free app called Find my iPhone that works on iPhone, iPod, and iPad that allows display on a map of location, sending of a message and playing of a sound, locking of the device, and allows you to wipe all of the data on the device via a login iCloud. When any personal phone attaches to JSCC email, JSCC has the ability via Microsoft Exchange to wipe the phone should it ever be lost or stolen.
  • Physical protection: Owners and users must exercise due care in physically protecting mobile devices from loss, theft, or damage. This would include using security locks when possible and ensuring that the item is not vulnerable to loss, theft, or unapproved access.
  • Device identification: Mobile devices owned or issued by Jackson State must comply with the college's inventory policies. JSCC encourages owners and users of personal mobile devices to retain a copy of identifying information for the device and store it in a secure location.
  • Virus protection: All mobile devices owned by the college should run, when possible, the college's centrally managed security software to allow for protection from viruses, spyware, and other known and unknown security issues. JSCC encourages owners and users of personal mobile devices to install and configure antivirus and other security software to fully protect access to institutional sensitive information.
  • Disable unused services: To reduce the risk of unauthorized access, wireless, infrared, Bluetooth or other connection features on any mobile device should be turned off when not in use.
  • Storage of passwords: The unencrypted storage of usernames and passwords on mobile devices should be avoided.

Access and Storage of Sensitive College Information:

The following represent "best practices" for anyone utilizing a mobile device; however, all mobile devices, including personal mobile devices, used to access or store sensitive college information must meet the following requirements.

  • Access and use of sensitive information appropriately: Unencrypted sensitive information should not be stored on mobile devices. If users need remote access to the college network from mobile devices should utilize secure VPN access. This will allow users to securely access documents without storing them on the mobile device.
  • Use of personal devices to store sensitive information: Sensitive college information should not be stored on personal mobile devices. Sensitive documents and correspondence accessed via e-mail should be removed from mobile devices as quickly as possible. It is the responsibility of the user to insure no sensitive data is stored on the device that is locally or remotely accessing any college network, data, or system.
  • Use of USB drives: The use of unencrypted USB drives, known as "thumb drives" or "flash drives", and portable hard drives for the storage of sensitive college information is prohibited.
  • Physical protection: Mobile devices used to access or store sensitive college information, email, etc must not be left unattended and, where possible, must be physically locked away or secured. Additionally, any portable media; e.g. portable hard drives or CD-R or DVD-R disks used for backup of systems containing sensitive college information must be stored securely in locked drawers, cabinets, or other secure enclosures.
  • Passcodes: All personal or JSCC owned mobile devices such as phone, ipads, etc should have a passcode installed to be able to access.
  • Exclusivity of use: Any mobile device that stores sensitive college information must not be shared with any unauthorized user.
  • Protection of information: Reasonable care must be taken when using mobile computing facilities in public places, meeting rooms, or other unprotected areas, either on or away from the college's premises, to avoid the unauthorized access or disclosure of information stored on or accessed by the device.

Termination of college relationship:

All college-owned mobile devices must be returned to the Office of Information Technology upon termination of the assigned user's relationship with the college. In addition, any software applications purchased by the college and installed on a personal mobile device must be removed by the user. Sensitive information must be removed from the personal mobile device upon termination of the assigned user's relationship with the institution.

Report any loss, suspected misuse, or theft:

Owners or users of mobile devices are required to report the loss, suspected misuse, or theft of any mobile device immediately to Campus Security and the Office of Information Technology. This provision includes personal mobile devices that store sensitive college data.

General Procedures

This policy will be posted to JSCC internal website and each employee is responsible for reading and noting any changes to the policy.