1. Purpose
These minimum standards serve as a supplement to the UTRGV Computer Security Standard, which was drafted in response to UTS-165.
Adherence to these standards will increase the security of mobile devices and help safeguard UTRGV information resources. These minimum standards exist in addition to all other UTRGV policies and federal and state regulations governing the protection of UTRGV’s data.
2. Scope
This standard applies to all personally owned mobile devices which access or store UTRGV data.
3. Audience
All employees, students, consultants, vendors, contractors, and others who own or operate a mobile device which stores or accesses UTRGV data.
4. Authority
- UTS 165
- UTRGV AUP
5. Definitions
Mobile Device
Includes, but is not limited to, all tablets, mobile phones, and similar devices.
Personally Owned
Includes any mobile device which is not owned, leased, or managed by UTRGV.
6. Standard Details
6.1 Requirements for Mobile Devices Accessing UTRGV Information Resources
All mobile devices which access UTRGV information resources must be password protected in accordance with UTRGV requirements. Passwords must be changed whenever there is suspicion that the password has been compromised.
6.2 Additional Requirements for Mobile Devices Accessing and Storing UTRGV Data
All mobile devices which access and store UTRGV data, including UTRGV email, must meet the following requirements.
6.2.1 Vendor Support
Mobile devices must be fully vendor supported.
6.2.1.1 Unauthorized Modifications
Jailbroken, rooted, or similarly modified mobile devices are not authorized.
6.2.2 Security Updates and Patches
Operating system and application security updates and/or patches must be expediently installed.
6.2.3 Malware and Copyright Compliance
Mobile devices must be free of malware and must not use software in a manner that infringes on copyright laws.
6.2.4 Encryption
Mobile devices must be encrypted using methods approved by the Information Security Office.
6.2.5 Auto-Lock
Mobile devices must be configured to auto-lock and password protect after 5 minutes of inactivity.
6.2.6 Auditing Tool
Mobile devices must have an auditing tool that allows the Information Security Office to validate that the mobile device is compliant with this standard.
6.2.7 Backups
Mobile device backups must be password protected and encrypted using methods approved by the Information Security Office.
6.2.8 Confidential UTRGV Data Storage
Confidential UTRGV data created and/or stored on a mobile device should be transferred to UTRGV-owned or sanctioned storage as soon as feasible.
6.2.9 Lost or Stolen Devices
Mobile devices that are lost or stolen must be immediately reported to the Information Security Office.
6.2.10 Legal and Records Requirements
Mobile devices are subject to Public Information Requests, subpoenas, court orders, litigation holds, discovery requests, and other requirements applicable to University Information Resources.
7. Roles and Responsibilities
7.1 End User
Ensures that the mobile device they own or operate meets this security standard. End users should engage with UTRGV Computer Support Staff for guidance and compliance with this standard.
7.2 UTRGV Computer Support Staff
Ensure that all mobile devices which store or access UTRGV data are configured to support the minimum requirements as defined in this standard.
7.3 Information Security Office
Defines and maintains this standard at a level that specifies the configurations and security practices necessary to protect UTRGV information resources and ensure compliance with all UT System, state, and federal policies and standards.
8. Non-Compliance and Exceptions
Mobile devices which do not adhere to the minimum requirements defined in this standard or otherwise pose a threat to UTRGV Information Resources may have their access to UTRGV information resources immediately revoked without notice.
9. Related Policies, Standards, and Guidelines
- UTS 165
- UTRGV AUP
- UTRGV Computer Security Standard