Guidelines for Securing Mobile Computing Devices
Smartphones, tablets, laptop computers, and USB memory are convenient and easy to use. They also introduce risk to personal privacy and institution data. This document outlines guidelines regarding the use of these mobile devices in the Amrita computing environment.
Risks of Mobile Computing
Mobile computing devices can store large amounts of data, are highly portable and are frequently unprotected: they are easy to steal or lose, and unless precautions are taken, an unauthorized person can gain access to the information stored on them or accessed through them. Even if a device is not stolen or lost, intruders can sometimes gain all the access they need if the device is left alone and unprotected, if data is "sniffed out of the air" during wireless communications, or if malware is installed. The results can include crippled devices, personal data loss, disclosure of non-public institution data, and disciplinary actions for the device owner.
Mobile computing devices are of concern both because of the data that might be stored on them, and because they may provide access to other services that store or display non-public data. This access may be enabled because the mobile device contains passwords or security certificates that identify the device or its user to the email system, Virtual Private Networks (VPNs), or other applications.
Data Security Requirements
The best way to protect institution data is to remove unnecessary data from your computer. In particular, Prohibited data must not be stored on your system or device unless you have explicit permission from the Data Governance Board to do so. Prohibited data includes items such as Social Security Numbers, credit card numbers, or checking account numbers. Restricted data is also subject to mandatory institution-wide controls. The controls necessary for Confidential data are specified by its owner or custodian and may include those specified for Prohibited or Restricted data.
- Label your device with your name and a phone number where you can be reached to make it easy to return to you if it is lost, even if the battery is dead.
- Configure a passcode to gain access to and use the device. This helps prevent unauthorized individuals from gaining access to your data.
- Set an idle timeout that will automatically lock the device when not in use. This also helps prevent unauthorized individuals from gaining access to your data.
- Keep all software up to date, including the operating system and installed "Apps". This helps protect the device from attack and compromise.
- Do not "jailbreak" or "root" your device. "Jailbreaking" and "rooting" remove the manufacturer's protection against malware.
- Obtain your apps only from trusted sources such as the Apple iTunes Store, Google Play, or the Amazon App Store for Android. This helps you avoid malware, which is often distributed via illicit channels.
- Enroll your device in a managed environment. This helps you configure and maintain your security and privacy settings.
- Enroll your device in Find My iPhone or an equivalent service. This will help you locate your device should it be lost or stolen.
- If your device supports it, ensure that it encrypts its storage with hardware encryption. In conjunction with a management service or "Find My iPhone," this can allow data to be removed quickly in the event that the device is lost or stolen.