Information Security for Portable Devices (D-58)
Original Implementation: October 18, 2011
Last Revision: None
Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality make these devices increasingly desirable as replacements for traditional desktop devices in a wide range of applications. However, the portability offered by these devices may increase the security exposure of the university and of the individuals using the devices.
Definitions:
Confidential Information – Information that is protected from disclosure requirements under the provisions of applicable state or federal law, e.g., Family Educational Rights and Privacy Act (FERPA), The Texas Public Information Act. Most student records are confidential information.
Information Resources (IR) – The procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Resource Owner – An entity responsible for:
- a business function; and,
- determining controls and access to information resources supporting that business function.
Internet Service Provider (ISP) – A company that provides access to the Internet.
Portable Computing Device – An easily portable device that is capable of capturing, processing, storing, and transmitting data to and from the SFA information resources. This includes, but is not limited to: laptops, personal digital assistants (PDAs), and smart phones.
Portable Storage Device – An easily portable device that stores electronic data. This includes, but is not limited to: flash/thumb drives, iPods, CD-Rs/CD-RWs, DVDs, and removable disk drives.
Remote Access – The act of using a computing device to access another computer/network from outside of its established security realm (e.g., authentication mechanism, firewall, or encryption).
Policy:
The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this policy are implemented.
The intended audience is all users of SFA information resources, regardless of the portable device's ownership.
Risk Mitigation Measures:
- Portable computing devices containing confidential information shall be protected from unauthorized access by passwords or other means.
- Any confidential information stored on portable computing or storage devices shall be encrypted with an appropriate encryption technique.
- All remote access to confidential information from a portable computing device shall utilize encryption techniques, such as virtual private network (VPN), secure file transfer protocol (SFTP), or secure sockets layer (SSL).
- Confidential information shall not be transmitted via wireless connection to, or from, a portable computing device unless encryption methods that appropriately secure wireless transmissions, such as virtual private network (VPN), encrypted Wi-Fi, or other secure encryption protocols are utilized.
- Unattended portable computing or storage devices, containing confidential information, shall be kept physically secure using means appropriately commensurate with the associated risk.
- Where appropriate, keep portable computing devices patched/updated, and install anti-virus software and a personal firewall.
Cross Reference: Family Educational Rights and Privacy Act of 1974 (FERPA), 20 U.S.C. § 1232g; Tex. Gov’t Code Ch. 552; 1 Tex. Admin. Code §§ 202.1-.2, .70-.78
Responsible for Implementation: Provost and Vice President for Academic Affairs
Contact for Revision: Provost and Vice President for Academic Affairs
Forms: None
Board Committee Assignment: Academic and Student Affairs