TITLE: Information Security - Mobile Device Security    ID:
ORIGINATOR: Information Security Office    DATE: May 8, 2012
APPROVED: Information Security Council    DATE: Oct 29, 2014
IMPLEMENTATION: Enterprise-wide    DATE: Oct 29, 2014
Mobile devices are widely used by faculty, staff, students and other authorized individuals to access a variety of MUSC systems that contain sensitive data, including administrative and financial records, educational records, and protected health information. While mobile access can provide valuable benefits, there is a significant risk of unauthorized access to sensitive MUSC data if a mobile device is lost or stolen, or otherwise leaves the control of its owner or authorized user.
Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of additional legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
All mobile devices, regardless of ownership, that are used to access MUSC systems, including but not limited to smart phones, tablets, laptops, and portable storage devices, will be configured in compliance with security standards that are established and maintained by the Office of the CIO (OCIO). Likewise, all users of mobile devices that are used to access MUSC systems will comply with security procedures that are established and maintained by the OCIO.
Any mobile device that does not meet MUSC security standards may be denied access to MUSC resources, including but not limited to the MUSC e-mail system and the MUSC wireless network. Any mobile device user who willfully violates or circumvents established standards and procedures for mobile devices will be subject to disciplinary action.
The loss or theft of any mobile device, regardless of ownership, that is used to access MUSC systems will be promptly reported to MUSC.
The general standards and procedures in this section apply to all mobile devices used to access MUSC's network and information systems. The purpose of these general standards is to define the general security principles and the minimum security standards that apply to all types of mobile devices.
Device-Specific Standards: There are additional, device-specific standards and procedures for specific categories of mobile devices. Links to these device-specific standards and procedures are given in Section 3.4.1.
The MUSC Data Protection Policy applies to all mobile devices and all mobile device users. In particular, if there is an unavoidable business requirement to store MUSC Protected information on a mobile device, then: only the minimum necessary data may be stored, an accurate inventory of the data must be maintained, and the data must be encrypted. Mobile device users are responsible for promptly deleting any MUSC Restricted or MUSC Protected information from their devices when it is no longer needed, or their authorization for access to the data has ended, whichever comes first.
Mobile devices must be secured through the use of passwords, PINs, or comparable authentication controls.
Mobile devices must be configured to timeout after a period of inactivity that is deemed reasonable and appropriate for the device by MUSC, with re-authentication required to access the device after a timeout.
Any sensitive MUSC data and any MUSC authentication credentials stored on mobile devices must be encrypted.
The physical security of mobile devices must be maintained at all times. In particular, these devices should not be left unattended in any location where loss or theft, or any access to the device by an unauthorized party, would be a reasonably anticipated and avoidable risk.
The loss or theft of any mobile device used to access MUSC systems must be promptly reported to the MUSC OCIO-IS Help Desk. Refer to the MUSC Computer Security Incident Reporting Procedure.
Cellular/Wireless Devices: Do not contact the cellular/wireless carrier until after MUSC's recovery procedures have been completed. It is essential that the device's wireless carrier service remain active during these procedures.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.