Business Policies and Procedures Manual
Chapter 87: Information Security
Mobile Device Management—Personally-Owned Devices
For more information contact:
Information Technology Services
Personally-owned devices used to conduct University business are required to operate in a way that complies with University policies and appropriately protects institutional data. This policy defines appropriate use and procedures for the use of mobile devices (e.g., cellular telephones, “smart” telephones, and tablets) by University workforce members who access institutional information systems and data.
This policy applies to all University business units, workforce members, and institutional information systems that collect, store, process, share, or transmit institutional data.
WSU is responsible for ensuring the confidentiality, privacy, integrity, and availability of institutional data under its care, including information created, collected, stored, processed, accessed, shared, or transmitted on mobile devices.
Workforce members who use mobile devices to access institutional data or conduct University business are responsible for complying with all applicable University, state, and federal policies and laws, to include data security and privacy policies and regulations that govern the use and handling of institutional data.
Public Records Responsibility
WSU and its workforce members are obligated to preserve and provide information an employee creates, collects, uses, and/or receives in the conduct of University business in response to legal and public records requests (e.g., documents, texts, phone calls, voicemail, email, instant messaging, calendars, photos, and video).
Development of Procedures
Information owners are accountable for developing appropriate procedures for the implementation of this policy.
Important! Information owners must develop procedures to implement this policy (BPPM 87.11) in a reasonable amount of time, not to exceed 12 months after this policy goes into effect.
Use of Personally-owned Mobile Devices
Information owners may allow the use of personally-owned mobile devices to access institutional information system resources in accordance with this policy. Use of a personally-owned mobile device on WSU networks is a privilege and may be revoked by the appropriate business unit in the event of misuse or for any reason.
Without Mobile Device Management Solution
Business units may allow employees to use their personally-owned mobile devices, that are not managed by a mobile device management solution, for business purposes such as:
- Accessing self-service and public web pages; and
- Responding to communication requests by voice, text, and approved e-mail solutions.
Operating Systems and Software
Personally-owned mobile devices allowed to connect to institutional information systems and data are to do so in accordance with all applicable University policies and procedures. When accessing institutional information systems and data, all workforce members must have an up-to-date operating systems, applications, and appropriate security software installed and running on their mobile devices. Compromised devices are removed from the WSU network.
Mobile devices used to collect, access, share, store, process, or transmit institutional data must be configured to:
- Lock when not in use;
- Unlock with the use of a secure authentication method, e.g.:
- PIN (personal identification number);
- NFC (near-field communication) token;
- Biometric authentication, such as fingerprint, facial recognition, etc.; and
- Remotely wipe institutional data stored on the device.
All mobile devices must be configured with whole-disk or system encryption. Encryption methods must be in accordance with WSU System Data Policies (EP8).
Institutional internal, confidential, and regulated data are allowed to be collected, stored, processed, accessed, shared, or transmitted on a personally-owned mobile device, only if:
- The mobile device is used as part of a University or regulatory compliant solution;
- The mobile device and institutional data are appropriately managed by a mobile device management solution; and
- Institutional data are maintained and backed up to WSU managed systems.
Where operationally feasible, centrally managed, University-wide solutions should be leveraged.
Security or Policy Bypass Prohibited
“Jailbreaking” or actions taken to bypass WSU policies and/or manufacturer’s security mechanisms, are prohibited.
WSU licenses computer software from a variety of outside companies or other third parties. WSU does not own this software or its related documentation, and this software is usually protected by license agreements. Users are to adhere to all software licenses and agreements when using or copying software to or from their mobile devices for business purposes. For additional information, see BPPM 35.30.
Lost, Stolen, or Compromised Device
WSU is responsible for supporting only the connectivity to, and any WSU-controlled applications and data installed on personally-owned mobile devices. The University is not liable for the loss, theft, or compromise of personally-owned mobile devices. It is the responsibility of the owner of the device to rebuild their personally owned mobile device if necessary.
If an employee’s mobile device contains institutional data and has been lost or stolen, the employee must immediately notify:
- Their supervisor; and
- The ITS Security Operations Center (telephone 509-335-0404); or
- The WSU Chief Information Security Officer (CSIO).
A visiting supplier requiring access to institutional networks with a mobile device must obtain authorization to do so from the appropriate business unit. Prior to connecting a visiting supplier to WSU managed networks, the business unit must submit an Exceptions Request form to Information Security Services to request a security authorization.
See further information regarding the Exceptions Request process.
If there is an urgent request for immediate access, the business unit submits an Exceptions Request for security authorization as a follow-up. This requirement is intended for access to WSU-managed networks and not for access to the guest wireless network which provides visitors’ general access to the internet.
In circumstances where institutional confidential or regulated data are discovered on a noncompliant mobile device, users must immediately notify the CSIO and/or the Office of the Chief Information Officer (CIO).
Mobile device users must be especially careful to keep physical possession of their devices and not leave their mobile devices unattended in public places. Mobile devices are to be carried as hand luggage when traveling, subject to federal and other applicable guidelines.
Many countries do not respect the personal privacy of individuals and monitor personal communications. When traveling internationally and potentially traveling to one of these countries, employees must not use their personally-owned mobile devices to access institutional information systems and data. If employees require access to institutional information systems and data, business units should issue temporary devices to them, which are to be used only for the duration of their international travel.
Users should not store and/or maintain institutional data on a mobile device when traveling internationally. When the employee returns from their trip, they must return the temporary device, which must be reimaged prior to being issued to another user.
See the following websites for security tips for international travel:
- Office of Research and Support Operations Export Control Regulations
- Office of Research Assurances Export Control Regulations
- Information Technology Services Electronic Device Security Tips for International Travel (PDF)
At no time does the University accept liability for the maintenance, backup, or loss of data on a personal device. It is the responsibility of the equipment owner to backup all personal software and data to other appropriate backup storage systems. Institutional data should be backed up to WSU-managed storage systems and services.
When the use of a personally-owned device is no longer required or the user leaves WSU, all institutional data on the device must be backed up to WSU-managed storage systems, and then securely wiped from the device. Institutional data is retained and disposed of in accordance with University records retention and disposition (BPPM 90.01) requirements and the WSU System Data Policies (EP8).
Data and Communications Ownership
All data and communications created, sent, received, and stored on personally-owned mobile devices are the property of WSU.
Training and Acceptable Use
University Information Technology Services (ITS) personnel and information system users are to:
- Receive the appropriate training that is applicable to their role(s) regarding the provisioning, implementation, maintenance, and use of mobile devices according to this policy; and
- Follow WSU acceptable use and social media policies, in accordance with EP4.
The Office of the CIO is responsible and has the authority for enforcing compliance with this policy.
Persons determined to have violated this policy are subject to sanctions imposed using the procedures set forth in applicable University or state policies and handbooks (e.g., the WSU Faculty Manual, the Administrative Professional Handbook, WAC 357-40 (civil service employees), applicable collective bargaining agreements, or the WSU Standards of Conduct for Students,
Exceptions Exceptions to this policy must be approved by the Office of the CIO, under the guidance of the University Chief Information Security Officer (CSIO).
The Office of the CIO must document and maintain all policy exceptions in writing for the life of the exception. Approvals for policy exceptions are effective for a specified period of time and must be reviewed by the Office of the CIO on a periodic basis.
The Office of the CIO is to review this policy every three years or on an as-needed basis due to changes to technology environments, business operations, legal, or regulatory requirements.
Revisions: June 2020 – new policy (Rev. 549)