UMGC Policy X-1.25 UMGC Policy on Mobile Devices

Purpose

The purpose of this Policy is to establish Information Security standards for the use of Mobile Devices to access University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This Policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Mobile Device

1. Mobile Device Configuration
   1. All UMGC-owned Mobile Devices will be configured and managed by the University.
   2. UMGC Users who wish to use a Personal Mobile Device to access University Information Resources must comply with the following security standard:
      1. Submit a request to the UMGC Service Desk for approval to use Personal Mobile Device to access, store, or process University Data. Approvals must be obtained from the applicable University supervisor.
2. Personal Mobile Devices must have software installed Mobile Device Management (MDM) that allows the University to remotely manage the device to adhere to University policies and USM IT Standards. If a User suspects that their Personal Mobile Device has been compromised (e.g., hacked), the User must cease all University related activity immediately on that device and notify the service desk.
3. Users must comply with the UMGC X-1.11 Remote Access Policy to minimize the risk of Data transmissions between a Mobile Device and organizational resources being logged, intercepted, or changed.
4. Traveling with a Mobile Device
   1. Information Security must be notified in advance of traveling with UMGC-owned Mobile Devices to locations outside of the US or outside of where UMGC performs regular business. See Worldwide Locations for a list of locations where UMGC performs regular business. Users must submit requests via the UMGC Service Desk for approval to Information Security.
   2. Travelers must ensure physical security of the UMGC-owned Mobile Device while in transit and while traveling.
5. Reporting a Lost or Stolen Mobile Device
   1. The theft or loss of a Mobile Device or suspected breach of University Data must be immediately reported to a Supervisor, and to the UMGC Service Desk.
   2. Report the Mobile Device theft and details of the incident to the Police.
6. Disposing of a Mobile Device
   1. UMGC- owned Mobile Devices: Return the UMGC-owned mobile device to the University for disposal.
   2. Personal Mobile Devices: Prior to disposing of a Personal Mobile Device, University Data should only be backed up onto another University system (e.g., University assigned laptop, University cloud service provider). University Data must not be stored on personal external storage devices or personal cloud storage.
7. Support for Personal Mobile Devices is limited to configuration of security settings and connectivity to resources. The User assumes all responsibility for the Personal Mobile Device including maintenance, connectivity, and data plans.

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. Most recent versions:
   1. USM IT Security Standards
   2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
   3. Cybersecurity Maturity Model Certification (CMMC)

1. UMGC X-1.02 Data Classification
2. UMGC X-1.04 Information Security
3. UMGC X-1.05 Information Security Awareness and Training
4. UMGC X-1.11 Remote Access
5. UMGC X-1.12 Acceptable Use