Mobile Devices
Mobile Data Device Security Risks
Mobile Devices are especially vulnerable to loss and theft.
The loss of the data on these devices could cause embarrassment, loss of reputation or significant financial impact to the University.
In the University environment, such sensitive information may comprise:
- private information as defined by the Freedom of Information and Protection of Privacy Act (FIPPA);
- student or staff personal details;
- any information that the user would wish to remain private;
- intellectual property, e.g. research notes, data and commercially sensitive information;
- medical data, including classified and proprietary product development information;
- sensitive financial data.
To counter these risks, Mobile Data Device security is addressed in five ways:
- user responsibility - through increased user awareness of the risks and application of a mobile device security standard;
- physical security - both at the user's "base" and when traveling;
- access control/authentication;
- data protection - using software and hardware based solutions;
- tracking/recovery - particularly for devices at high risk or containing very sensitive data.
Purpose and Scope
Purpose
- To educate all Western University computer users on their responsibilities related to the security of sensitive information that resides on Mobile Devices, as well as the physical devices themselves.
- To ensure Mobile Devices are maintained in a secure environment to minimize the risk and impact of the loss or theft of the devices or the sensitive information that resides on them.
Scope
This document defines the standards required to minimize the security risks associated with Mobile Devices. It has two sections:
Section 1: Standards for mobile device users.
Section 2: See departmental security requirements below
The standards apply to all Western University computing users (e.g. employees, officers, staff, contractors, students) using notebooks, laptops, PDAs, USB keys, cellular phones or other Mobile Data Devices owned by the University or containing University information.
These are intended to be standards, not detailed implementation directions. For such directions, the reader is urged to consult the associated document on Mobile Device Security Best Practices.
Departmental Security Requirements
Physical Security
As a minimum precaution, all Laptop user desks should be fitted with a cable lock device. These devices are very effective and provide good protection against the casual thief at moderate cost. However, if they are to have any effect, laptop users need to use them. This requirement should be clearly communicated to users by departmental management.
Laptops at higher risk should be fitted with additional security devices.
Access Control/Authentication
Where feasible, laptops should be protected by boot passwords and a hard disk format that precludes access in the event the machine is booted up using alternative media. This simple precaution provides sufficient protection to thwart many casual thieves from accessing sensitive data.
Non-Western University owned Laptops connecting to the network must comply with the Computing Technology and Information Resources (MAPP 1.13).
All non-Western University Laptops (e.g. those belonging to students or contractors) connecting to the network need to meet the following criteria:
Data Protection
It is important that the Unit Heads, including Directors, of users who need to leave Mobile Data Devices in vehicles during the day assess the risk to the University.
This situation might arise, for example, when Mobile Devices are being used on fieldwork. The risk level is based upon frequency and duration of storage in the vehicle and the crime profile of the area worked in. Advice on appropriate security measures should be obtained from The Western University Campus Community Police Services office.
Wherever possible, mobile users with sensitive data should be provided with the ability to encrypt data and to back-up off-line.
Data encryption systems protect information stored on Laptops and other Mobile Devices in the event other access control mechanisms fail. Any user who locally stores information considered to be confidential, or who has remote access to sensitive data or systems, should have a hard drive encryption solution installed on their laptop.
Solutions that encrypt the whole of the hard drive should be used by preference.
Extremely sensitive data may need to be kept on compact, removable media (i.e. USB drives or similar) which are kept with the user at all times.
Off-line back-up, for users away from their base location, can vary from the simple (e.g. manually copying data to USB devices) to the sophisticated (e.g. scheduled back-up software that copies sensitive data to portable drives or other remote locations). The back-ups should be treated as securely as the original data, as they represent similar risks.
In all cases, the Unit Head needs to ensure that users are fully aware of the security issues and are sufficiently confident in the use of the solutions provided.
All laptops need to have, at minimum, the University standard anti-virus software installed. To ensure continued protection, all Laptops should have their system and application software updated on a regular basis and, where possible, be protected by a firewall.
This ensures the University’s information systems and data are protected from the risk of virus infection and other threats. A process should be in place to ensure AV signatures and other software are kept up-to-date if the Mobile Data Device is to be used off-line (from the University network) for an extended period.
All computers, including laptops, should be configured with a password protected screen saver that activates after no more than 15 minutes idle time. This ensures additional security when users are absent from their desks. It should be noted that all users are required to secure the screen whenever they leave a machine unattended.
Tracking/Recovery
Mobile Data Devices used to store highly sensitive data may justify the use of software tracking and recovery agents.
Tracking software (combined with an irremovable tag) residing in an undetectable file on the hard drive, will trace stolen Laptops and other Mobile Devices as soon as they are connected to the Internet. The IP address, computer ID number and telephone number the Mobile Device is calling from can then be provided to the police, hopefully leading to recovery of the machine and any sensitive data it contains.
Wireless
Secure wireless access should be used where available. Western provides secure wireless access and it is important that this be used with all Western owned wireless devices on campus. This ensures that the University’s information systems and data are protected from userid and password theft. Users should exercise due diligence in public areas where encryption and secure transmission are not available.