Information Technology Standard 02.9.0

Mobile Device Management Standard


Date of Current Revision or Creation: November 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to establish the responsibilities for mobile device users to promote the secure, reliable and accountable use of all mobile computing devices.

Definitions

Data Classification - In the context of information security, the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization.

Endpoint Security is the act of securing, protecting and preventing unauthorized access to a computing device.

Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.

Institutional Data - Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of University business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited to email, electronic databases, electronic files, paper, audio, video and images.

Mobile Computing and Storage Devices are defined as portable devices intended primarily for the access to or processing of data and/or to provide persistent storage. New products with these characteristics appear on the market frequently. Examples include, but are not limited to, laptops, tablet, smartphones, storage drives, memory cards, USB drives, smart watches, etc. In the context of this policy, a device may be personally or University owned.

User includes anyone who accesses and uses the Old Dominion University information technology resources.

Wipe is a security feature which allows a device administrator or device owner to send a command to a computing device to delete some or all data.

Vendor-Authorized security configurations are built-in limitations designed to secure devices that can be altered or removed to change the functionality of the device.

Standards Statement

Old Dominion University allows the use of mobile computing devices and storage devices, including University-owned and enabled devices, University-owned but personally enabled devices, and personally owned devices, to access IT resources as long as the devices are compliant with IT security standards and guidelines.

Access to all IT resources, including those available for use by mobile devices, is granted through account management process. Authorized users formally consent to the terms and conditions of use through the acknowledgment of the University's Acceptable Use Standard.

User Responsibilities

While using a mobile device on the University network or when using University data, users have the following responsibilities:

  • Device Security

    • Users are responsible for taking all endpoint security precautions to secure their device and to secure the University data on the device.
    • Users must configure a PIN or passcode to gain access to the device.
    • If a device does not provide protection via a PIN or passcode, users must password protect or encrypt the ODU data or ODU IT resource.
    • Users must set an idle timeout that will automatically lock the device after a period of time.
    • Users must keep all software, including the operating system and applications, up to date.
    • Users must maintain vendor-authorized security configurations.
    • It is recommended that users label devices with contact information to make the device easy to return if lost.
    • It is recommended that users enroll capable devices in a remote location-tracking service to help trace the device if misplaced.
  • Data Security and Storage
    • All institutional data is owned by Old Dominion University. As such, all members of the University community have the obligation to appropriately secure and protect the asset in all formats, including mobile devices.
    • Users must understand and follow the University's data administration and classification with respect to the access, transmission and storage of institutional data.
    • Users must accept and understand that University reserves the right to wipe some or all data from a mobile device in the event of employment separation or termination and/or the loss or replacement of a mobile device.
    • Users must accept and understand that mobile devices are subject to open records requests or audit processes. In such cases, the user must provide full access to a mobile device.
    • Users must accept, understand and surrender a mobile device to the University to ensure compliance with a litigation order. The user cannot delete or modify any information subject to this standard which is stored on the device after receiving the request.
  • Incident Reporting
    • Users must participate in required security awareness training programs provided by the University.
    • Users must immediately report lost or stolen devices to the ODU security team or by submission of the online Cyber Security Incident Reporting Form. Remote wipe services are available to users.
  • Technical Support
    • The University does not assume any liability or responsibility for technical support for a user's personally owned computing device.
  • Enforcement
    • Noncompliant devices may be disconnected from the IT infrastructure until the device is brought into compliance.
    • Users not in compliance with this standard may be denied access to IT resources and may be subject to ITS Standard - Disciplinary Action Standard.
    • Failure to cooperate with the production of information on the device when surrendered for litigation orders may result in the employee bearing the costs individually for failing to cooperate or for deleting or altering the material to the extent permitted by Virginia Code Section 2.2-3714.
  • Effective Date
    • All users currently using mobile computing and storage devices must bring the device in compliance with this policy effective January 1st, 2016.
  • Exceptions
    • The Information Security Officer or designee may approve exceptions to this policy.

Procedures, Guidelines & Other Related Information

History

Date Responsible Party Action
September 2013 IT Policy Office Created; replacement/merge of Portable Computer Management Standard and Remote Access Standard; BYOD committee review.
September 2015 IT Policy Office Updated for ITAC review; accepted by ITAC and published.
July 2018 IT Policy Office Definitions and links checked.
November 2021 IT Policy Office Definitions and links checked.