Information Security Program - USC

UISO 901.6 Mobile Device Security Procedure

Procedure Number: UISO 901.6
Date Issued: 01-May-2012
Date Effective: 01-May-2012
Owner: UTS IT Security Office

Purpose

The purpose of this document is to establish minimum standards for the base configuration and secure operation of mobile devices owned or operated by this OU, or otherwise used in the performance of assigned duties within this OU. Effective implementation of these standards will minimize the risk of malicious use of OU assets and data.

This document by itself has no authority over any entity or system. The UISO makes this opt-in Procedure available for use by any University OU authoring any University Policy, Standard, Guideline, Procedure, or process. Such an adopting OU (hereinafter, simply "OU") may require, recommend, or quote this Procedure in whole or in part, as suited to their purposes. In doing so, the OU lends its authority to the applicable provisions of this Procedure.

As recommended methodology is revised, and as resources become available for improved secure implementation of data systems, it is the intent of the UISO to revise this Procedure accordingly.

Scope

This Procedure applies to:

  • All OU employees, including contractors and vendors, who configure or operate OU mobile devices.
  • All mobile devices owned by OU.
  • All mobile devices used in the performance of assigned duties within OU.
  • All mobile devices used to store any non-public information obtained from OU.

When there is uncertainty about whether a specific device should be considered a workstation or a mobile device, it should be treated as a workstation, and configured and operated according to all feasible provisions of UISO 901.5 Workstation Security Procedure.
See: http://www.uts.sc.edu/itsecurity/program/workstationsecurity.shtml

Definitions

In the context of this document, the following terms are used as indicated here:

  • mobile device - any handheld or wearable computing device capable of storing, processing, or viewing data, and running a specialized operating system. Examples: PDA, cellular phone, smart phone, pocket computer, tablet computer. Examples of OS: iOS, Palm OS, Windows CE, Android OS.
  • workstation - any computing device, either physical or virtual, intended to provide data services only to local users, and running a broadly functioning operating system. Examples: desktop computers, notebook computers, tablet computers. Examples of OS: Windows (except CE), Mac OS, Linux.
  • operational group - one or more employees within Scope responsible for managing or overseeing the management of one or more software systems and/or hardware systems.

Ownership and Responsibilities

Any user of a mobile device within Scope is responsible for following all guidelines in the "User Guidelines" section below. If the user also owns the device, he/she is additionally responsible for implementing the "General Configuration Guidelines" and "General Hardening Guidelines" below.

For mobile devices that are not user-owned, all "Ownership and Responsibilities" processes that are applicable to servers are also applicable to mobile devices, as published in UISO 901.4 Server Security Procedure document.
See: http://www.uts.sc.edu/itsecurity/program/serversecurity.shtml

User Guidelines

  • Configure the device to require the use of a password, PIN, passphrase, or similar to operate the device. Engage this protection whenever the device is not in active use.
  • Update operating system and application software promptly.
  • "Jailbreaking" or "Rooting" a mobile device, or otherwise subverting or circumventing configured security mechanisms is prohibited.
  • Available wireless networking features, such as wi-fi (802.11a/b/g/n, etc.) and Bluetooth connectivity, should be disabled unless actively in use.
  • To protect against data snooping or injection, when establishing a connection between a mobile device and a wireless accessory (e.g. Bluetooth pairing), set a new value for the PIN or password instead of using the default/zero/null value.
  • Mobile devices should never be used on unsecured wireless networks unless data connections are protected by VPN or other secure tunneling technologies.
  • If a secure channel connection is available, privileged access, including access to sensitive data, must be performed over secure channels (e.g. HTTPS, SSH, IPSec or VPN).
  • If a mobile device is lost or stolen, immediately report it to the OU help desk and to the established OU security contact.
  • Do not perform a remote-wipe of mobile devices without first consulting OU help desk or the established OU security contact.
  • To the extent possible, users of mobile devices must adhere to UISO 901.3.1 Media Security Procedure.
    See: http://www.uts.sc.edu/itsecurity/program/mediasecurity.shtml
  • Data that is "Restricted" or "Limited Access" must not be stored on or accessed with mobile devices in such a way that it would be stored on systems not approved by appropriate University data stewards; for example: cloud backup services, email services, or synchronized workstations.

General Configuration Guidelines

Where feasible, required security controls should be implemented and enforced through a central management console.

  • The operating system and services must be hardened using best practices guidelines. See the "General Hardening Guidelines" section below.
  • In order to minimize the impact of unauthorized physical access, require the use of a password, PIN, passphrase, or similar to operate the device.
  • Software patches must be deployed as prescribed by UISO 901.4.2 Software Patching Procedure.
    See: http://www.uts.sc.edu/itsecurity/program/softwarepatching.shtml
  • Mobile devices used to store, process or transmit sensitive data should be configured with whole-disk encryption, where possible.
  • "Jailbreaking" or "Rooting" a mobile device, or otherwise subverting or circumventing configured security mechanisms is prohibited.
  • Available wireless networking features, such as wi-fi (802.11a/b/g/n, etc.) and Bluetooth connectivity, should be disabled unless actively in use.
  • Where feasible, a mobile device should be configured to allow use of VPN or other secure tunneling technologies.
  • Mobile devices should be configured with remote-wipe capabilities, to include removable storage.
  • Mobile devices used to store or access "Restricted" or "Limited Access" data must not be configured to store such data on systems not approved by appropriate University data stewards; for example: cloud backup services, email services, or synchronized workstations.

General Hardening Guidelines

  • Services and options not necessary to perform assigned work duties should be uninstalled or disabled.
  • Applications not necessary to perform assigned work duties should be uninstalled.
  • Mobile device lockout (after a set number of consecutive failed password attempts) should be enabled, where possible.
  • Passwords should be set according to the standards in UISO 901.4.3 Password Practices Procedure.
    See: http://www.uts.sc.edu/itsecurity/program/passwordpractices.shtml
  • Where possible, antivirus/antimalware software should be installed, configured for on-access scanning, and updated daily.
  • To protect against data snooping or injection, when establishing a connection between a mobile device and a wireless accessory (e.g. Bluetooth pairing), set a new value for the PIN or password instead of using the default/zero/null value.

Responsibility for Implementation

Any OU manager of an operational group assigned to administer a mobile device within Scope is responsible for overseeing the implementation of this Procedure.

Any OU manager who has EPMS authority over an employee who uses a mobile device for assigned duties within OU is responsible for overseeing the implementation of this Procedure by that employee.

Enforcement and Consequences

Compliance assessments will be performed on a regular basis by authorized personnel within this OU. Reasonable efforts will be made to prevent assessments from causing operational outages.

Failure to comply with this Procedure could result in serious legal and/or public relations consequences for the University. Any person found in violation of this Procedure may face disciplinary action as appropriate.
