This Practice Directive provides support to CSU Information Technology Security Policy stated in:
8045.S400 Mobile Device Management Standard
8050.00 Configuration Management
8060.S0 Access Control - Appendix A
8065.S02 Information Security Data Classification
8075.0 Information Security Incident Management
8105.0 Responsible Use Policy
This practice directive explains how to secure university and personally-owned mobile computing devices that access or store SF State sensitive data. It must be followed to protect university data and ensure compliance with Federal, State, CSU and SF State regulations governing security of information.
Mobile device: Portable computing devices, including but not limited to smartphones, laptops and tablet computers
Sensitive data (Levels 1 and 2): Campus data is classified according to its potential risk which is governed by federal and state laws. Sensitive data includes confidential (Level 1) and internal use (Level 2) data classifications. See the Confidential Data Practice Directive for more information. (http://policiesandpracticedirectives.sfsu.edu/content/confidential-data-...)
Confidential data (Level 1 - Encryption Required): Level 1 data is considered confidential must be appropriately secured. If Level 1 data is lost, stolen or accessed by unauthorized individuals, it must be reported and may require a formal breach notification to impacted individuals under state and federal law.
Internal Use data (Level 2 - Encryption Recommended): Level 2 data is for internal use and may only be released under prescribed conditions. If Level 2 data is lost, stolen or accessed by unauthorized individuals, it must be reported and may require formal breach notification under state and federal law.
User Practice for Securing Devices
Sensitive data (Levels 1 and 2) must not be accessed or stored from mobile devices unless:
1. there is a documented business need for the sensitive data to be accessed or stored by the mobile device,
2. effective security measures have been implemented to protect the data, and
In the case of storing confidential (Level 1) data:
3. an Associate Vice President, Dean, or equivalent University leadership and the campus Information Security Officer have provided approval.
Required Mobile Device Security Measures
General device security measures for mobile devices used for university business:
· Follow the security incident response procedure if a mobile device containing SF State Sensitive Data is compromised, lost or stolen.
· Frequently check for and install any available operating system and application security updates
· Only download apps from official app stores (Apple App Store, Google Play, etc.)
· Remove or refrain from downloading non-essential apps
· Do not leave unencrypted mobile devices unattended
· Regularly backup the mobile device to protect data in the event of loss, theft, or lockout
Password Security Measures
· Configure laptops to follow the SF State Password Practice Directive
· Smart phone and tablet devices that access or store sensitive data must be locked using a passcode, or password, that satisfies the following requirements:
1. Must be a minimum of six characters
2. Must not contain the user's first name, last name, account name, or phone number
· Biometric functionality (e.g. facial recognition, fingerprint scanner) and complex passcodes must be enabled if available.
Required Sensitive Data Security Measures
Sensitive data security measures apply to mobile devices that access or store data classified as confidential level 1 and internal use level 2. Note: Confidential level 1 data has additional requirements shown below:
· Use public, untrusted wireless networks with caution, preferably in conjunction with SF State VPN
· Use wireless networks that support reliable encryption (802.1x)
· Auto-wipe device after 10 failed login attempts; Use a backup to restore the device if inadvertently wiped
· Configure device to be remotely wiped in the case it is lost or stolen
· Wipe or securely delete data from mobile devices before disposing, reselling, or trading them in.
Required High Risk Confidential (level 1) Data Security Measures
Security measures for securing mobile devices that access or store confidential level 1 data:
· Conduct a formal risk assessment before installing applications that are not part of the device’s base distribution
· Limit access to the device to those that need to access the confidential data
· Confirm device is encrypted
· Disable Bluetooth and wireless access when not needed
· Use SF State’s VPN when accessing confidential (level 1) data
· Approval is required for storing confidential (level 1) data on a mobile device.
Requesting Approval to store Confidential Level 1 Data on a Mobile Device:
To request approval to store confidential (level 1) on a mobile device the requester must:
1. Complete the “Request to store confidential data on a mobile device” form.
2. Obtain approval from Associate Vice President, Dean, or equivalent University leadership.
3. Obtain approval from the Information Security Officer
Requests will be reviewed within ten business days.
Annual reviews of mobile device confidential data storage approvals shall be conducted to determine if that data storage is still required and that the device is appropriately secured.
Responsibility for implementing this Practice Directive will rest with ITS and Information Technology (IT) departments across campus. Submit any apparent violation of Password Practice Directives to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to email@example.com.
Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
mobile device, compliance, security, accessibility