Fayetteville Policies and Procedures 936.0

Mobile Device Security

  1.  Overview
    This policy establishes requirements for how faculty and staff use mobile technology to access sensitive university data and university data resources.

  2. Purpose
    The University of Arkansas implements necessary controls, technologies, and devices to secure information systems and sensitive data. Mobile devices are often used to perform business-related activities and provide access to university data. However, mobile devices may not be equipped with security controls to keep university systems and data secure. This policy sets out requirements that reflect best practices to secure individual devices, university systems, and data.

  3. Scope
    This policy applies to every mobile device—university-owned or personal—accessing University of Arkansas systems and data to perform university business by university employees.

  4. Definitions
    1. Highly Sensitive Data, Sensitive Data or Restricted Data: For these definitions, please see the university’s Data Classification policy, Fayetteville Policies and Procedures 921.0.
    2. Mobile Devices: Mobile devices are smartphone or tablet devices that typically run Apple or Android mobile operating systems. These portable devices include some form of internet connectivity (Wi-Fi and/or cellular) and are used to perform various functions such as reading and responding to emails, accessing university applications, and interacting with university data.

  5. Policy
    When using mobile devices, University employees must follow all security requirements listed below. Employees using devices that do not comply with these requirements must not access university systems or data from their mobile devices.
    1. To ensure compliance with laws, regulations, and university policies, employees using mobile devices to perform university business, functions, and tasks, or accessing or processing university data, must implement the following security best practices and device settings to protect the security of such devices and university data:
      1. Restricted or highly sensitive data must not be stored on a mobile device outside of an updated, university-authorized application. For exemptions, please see the Exemption policy.
      2. Full encryption of data on the mobile device, which is the default setting on most new phones (requiring pass codes, touch, or face ID to access the phone), must be enabled on all devices that support the function.
      3. Applications must be installed from official application repositories.
      4. Automatic updates must be enabled for the mobile device’s operating system and all applications installed on the device.
      5. Device screen must be locked with a passcode, fingerprint, face recognition, or similar method.
      6. Device auto-lock must be enabled.
      7. If the device supports “Remote Wipe,” this functionality must be enabled to permit the end-user to remove data from a lost or stolen device.
    2. All devices accessing the university email system must use the university-approved email application (Outlook) or webmail.
    3. Some mobile devices provide additional security features that may be beneficial to end-users, such as “Find My Device (Phone).” The University of Arkansas encourages end-users to weigh the benefits of enabling such capabilities (such as recovering a lost device). The university does not use these additional features for administrative oversight on personally owned devices.
    4. University-owned mobile devices are required to enroll in the university’s Mobile Device Management (MDM) system to safeguard university data and monitor compliance with these best practices.
    5. Users who are uncertain whether their devices comply with these requirements, or who have further questions, should contact the IT Help Desk.
    6. Attempting to knowingly circumvent the security best practices and device settings mandated in this policy may result in revocation of access, suspension of accounts, and disciplinary action up to and including termination.

  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices.

  8. Exemptions 
    Exemptions from this policy must be approved. Any questions about the contents of this policy, or the applicability of this policy to a particular situation, should be referred to the Office of the CISO. Please see the Exemption policy. 

June 27, 2022