MUSC Policy: Information Security - Mobile Device Security

 TITLE: Information Security - Mobile Device Security  ID:
 ORIGINATOR: Information Security Office  DATE: May 8, 2012
 APPROVED: Information Security Council  DATE: Oct 29, 2014
 IMPLEMENTATION: Enterprise-wide  DATE: Oct 29, 2014


Mobile devices are widely used by faculty, staff, students and other authorized individuals to access a variety of MUSC systems that contain sensitive data, including administrative and financial records, educational records, and protected health information. While mobile access can provide valuable benefits, there is a significant risk of unauthorized access to sensitive MUSC data if a mobile device is lost or stolen, or otherwise leaves the control of its owner or authorized user.

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of additional legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.306(a) General requirements
HIPAA Security: 164.312(d) Standard: Person or entity authentication
HIPAA Security: 164.312(a)(1) Standard: Access control
HIPAA Security: 164.312(a)(2)(iv) Encryption and decryption
HIPAA Security: 164.308(a)(6)(i) Standard: Security incident procedures
HIPAA Security: 164.308(a)(6)(ii) Response and Reporting
SC Financial Identity Fraud and Identity Theft Protection Act of 2008


All mobile devices, regardless of ownership, that are used to access MUSC systems, including but not limited to smart phones, tablets, laptops, and portable storage devices, will be configured in compliance with security standards that are established and maintained by the Office of the CIO (OCIO). Likewise, all users of mobile devices that are used to access MUSC systems will comply with security procedures that are established and maintained by the OCIO.

Any mobile device that does not meet MUSC security standards may be denied access to MUSC resources, including but not limited to, the MUSC e-mail system, and the MUSC wireless network. Any mobile device user who willfully violates or circumvents established standards and procedures for mobile devices will be subject to disciplinary action.

The loss or theft of any mobile device, regardless of ownership, used to access MUSC systems, will be promptly reported to MUSC.


3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. General Standards and Procedures

The general standards and procedures in this section apply to all mobile devices used to access MUSC's network and information systems. The purpose of these general standards is to define the general security principles and the minimum security standards that apply to all types of mobile devices.

Device-Specific Standards: There are additional, device-specific standards and procedures for specific categories of mobile devices. Links to these device-specific standards and procedures are given in Section 3.4.1.

3.2.1. Compliance with MUSC Data Protection Policy

The MUSC Data Protection Policy applies to all mobile devices and all mobile device users. In particular, if there is an unavoidable business requirement to store MUSC Protected information on a mobile device, then: only the minimum necessary data may be stored, an accurate inventory of the data must be maintained, and the data must be encrypted. Mobile device users are responsible for promptly deleting any MUSC Restricted or MUSC Protected information from their devices when it is no longer needed, or their authorization for access to the data has ended, whichever comes first.

3.2.2. Password Lock

Mobile devices must be secured through the use of passwords, PINs, or comparable authentication controls.

3.2.3. Inactivity Timeout

Mobile devices must be configured to timeout after a period of inactivity that is deemed reasonable and appropriate for the device by MUSC, with re-authentication required to access the device after a timeout.

3.2.4. Encryption

Any sensitive MUSC data and any MUSC authentication credentials stored on mobile devices must be encrypted.

3.2.5. Physical Security

The physical security of mobile devices must be maintained at all times. In particular, these devices should not be left unattended in any location where loss or theft, or any access to the device by an unauthorized party, would be a reasonably anticipated and avoidable risk.

3.2.6. Incident Reporting

The loss or theft of any mobile device used to access MUSC systems must be promptly reported to the MUSC OCIO-IS Help Desk. Refer to the MUSC Computer Security Incident Reporting Procedure.

Cellular/Wireless Devices: Do not contact the cellular/wireless carrier until after MUSC's recovery procedures have been completed. It is essential that the device's wireless carrier service remain active during these procedures.

3.3. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.4. See Also

3.4.1. Device-Specific Standards and Procedures

MUSC Standards: Smartphones and Tablets
MUSC Standards: Laptop Computers
MUSC Standards: Portable Storage Devices

3.4.2. Other

MUSC Policy: Information Security
MUSC Policy: Information Security - Data Protection
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Device and Media Controls
MUSC Policy: Information Security - Encryption
MUSC Policy: Information Security - Incident Response


This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.