Security of Mobile Devices
- As outlined in Westerns Data treatment standards. All laptops and mobile devices storing Sensitive or Confidential data must utilize whole disk encryption.
- The encryption passphrase must meet or exceed Western Universities password strength rules as laid out by WTS (secure_passwords.html), must not be shared, and not stored in a visible or plaintext form on or with the device.
- The encryption system must include a management component that provides key recovery and proof that the device is encrypted.
- All smartphones and PDAs that access Western University data must be configured to encrypt any Sensitive or Confidential Data in persistent storage. In addition, any smartphones and PDAs purchased after August 17, 2011 must utilize encryption. All other smartphones and PDAs shall have encryption installed by August 17, 2013.
- All smartphones and PDAs must include the ability to remotely wipe stored data in the event the device is lost or stolen.
- All portable storage devices must include built-in encryption. The following exceptions apply:
- Specific uses where no Sensitive or Confidential Data will be stored and encryption would interfere with the device’s intended use. Devices used in this way must be clearly marked as not for use with Sensitive or Confidential Data.
- Specific uses in which devices are used for marketing and public relations, no Sensitive or Confidential Data will be stored, and the intended recipient is not a member of the UWO Community. Devices used in this way must be clearly marked as not for use with Sensitive or Confidential Data.
- The encryption and key management methods used must have the approval of the Information Security Officer or designee.
- Sensitive or Confidential Data must be protected by encryption during transmission over any wireless network and any non-Western University wired network.
- The portable computing device must be configured to require a strong password of its user and administrator, consistent with or exceeding password requirements. Small portable computing devices where keyboard entry is cumbersome (ex. Smartphones) may use reduced password complexity if the device is configured to allow no more than 10 failed password entry attempts before preventing use by locking for a significant amount of time or erasing all storage.
- The portable computing device must be configured with an inactivity timeout of not more than 30 minutes, which requires re-authentication before use.
- The mobile computing device must have a durable physical or electronic label with contact information sufficient to facilitate an expedient return in the event that a lost device is found.
- Mobile computing and storage devices must be used and stored in a manner that deters theft.
- Devices should use tracking and recovery software to facilitate return if lost or stolen.
Published on and maintained in Cascade CMS.