Policy Category | Policy No. & Title | Policy Owner/Administrator | Effective Date | Revision Number | Revision Eff. Date | Review Cycle |
X Information Governance, Security & Technology | X-1.25 Mobile Device | VP of Information Security | September 15, 2021 | N/A | N/A | Every 2 years |
Purpose
The purpose of this policy is to establish information security standards for the use of Mobile Devices to access University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability
This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.
Definitions
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty
Data: Data is element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, Mobile Devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
Mobile Device: Removable electronic storage devices (e.g., USB flash drives, and external hard drives) and computing devices (e.g., laptops, tablets, and cell phones).
Personal Mobile Device: Personal Mobile Devices are user's personally owned removable electronic storage devices (e.g., USB flash drives, and external hard drives) and computing devices (e.g., laptops, tablets, and cell phones). A personal mobile device is frequently known as by the moniker "BYOD" (Bring Your Own Device).
UMGC-owned Mobile Device: UMGC-owned Mobile Devices are removable electronic storage devices (e.g., USB flash drives, and external hard drives) and computing devices (e.g., laptops, tablets, and cell phones) owned or leased by UMGC and used by the UMGC community for business purposes.
University: University of Maryland Global Campus (UMGC).
User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.
Mobile Device
The University will identify and implement appropriate Mobile Device technologies and processes for the security of University Information Technology Resources and Data.
Mobile Device Configuration
All UMGC-owned Mobile Devices will be configured and managed by the University.
UMGC Users who wish to use a Personal Mobile Device to access University Information Resources must comply with the following security standard:
Submit a request to the UMGC Service Desk at servicedesk@umgc.edu for approval to use Personal Mobile Device to access, store or process University Data. Approvals must be obtained from the applicable University supervisor.
Personal Mobile Devices must have software installed (Mobile Device Management (MDM)) that allows the University to remotely manage the device to adhere to University policies and USM IT Standards. If a User suspects that their Personal Mobile Device has been compromised (e.g., hacked), the User must cease all University related activity immediately on that device and notify the service desk.
Users must comply with the University Remote Access Policy to minimize the risk of Data transmissions between a mobile device and organizational resources being logged, intercepted or changed.
Reporting a lost or stolen Mobile Device
The theft or loss of a mobile device or suspected breach of University Data must be immediately reported to a Supervisor, and to the UMGC Service Desk at servicedesk@umgc.edu.
Report the Mobile Device theft and details of the incident to the Police.
Disposing of a Mobile Device
UMGC- owned Mobile Devices: Return the UMGC-owned mobile device to the University for disposal.
Personal Mobile Devices: Prior to disposing of a Personal Mobile Device, University Data should only be backed up onto another University system (e.g., University assigned laptop, University cloud service provider). University Data must not be stored on personal external storage devices or personal cloud storage.
Support for Personal Mobile Devices is limited to configuration of security settings and connectivity to resources. The User assumes all responsibility for the Personal Mobile Device including maintenance, connectivity, and data plans.
Exceptions
Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.
Enforcement
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
Related Policies
UMGC X-1.02 Data Classification
UMGC X-1.04 Information Security
UMGC X-1.05 Information Security Awareness and Training
UMGC X-1.12 Acceptable Use
Effective Date
This policy is effective as of the date set forth above.