Educause Security Discussion mailing list archives

Re: Smartphone Policies.

From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Date: Mon, 27 Apr 2009 10:29:04 -0700

Great question, Matt.

My recommendation would be to develop a "Mobile Device Usage"
policy/procedure.  Within that, you would address whether encryption and
model/brand is a requirement.  Also, what may/may not reside in memory
storage on the device and for what purpose the device may be used.
Then, require that the acquisition of such devices needs a form (you
designed) be signed by the supervisor and submitted to HR to be stored
with their regular non-disclosure agreement which you have them sign
after their annual awareness training.  

(Lots of assumptions about the extent of your security practices on my
part, of course.) ;)

Best,
Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Gracie
Sent: Monday, April 27, 2009 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Smartphone Policies.

Long ago, perhaps back in the Pleistocene, a phone could be trusted to
make and receive phone calls and otherwise leave well enough alone.

Now, of course, with iPhones and Blackberries everywhere, people want to
read their mail, check their calendars, and otherwise manipulate College
data using their handheld devices.

Like many places, I'm sure, we've been lax in addressing this, so we've
got departments going off on their own, buying random products, and then
asking ITS to make them work.

Does anyone have some sage advice -- or even better, written policies --
for containing this? Have you standardized on a particular phone OS,
manufacturer, model, etc.?

From almost any perspective -- security, warranty, support, inventory

control -- we need to get a handle on this.

--Matt

-- 
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

Current thread:

Smartphone Policies. Matthew Gracie (Apr 27)
- <Possible follow-ups>
- Re: Smartphone Policies. Plesco, Todd (Apr 27)
- Re: Smartphone Policies. Tupker, Mike (Apr 27)
- Re: Smartphone Policies. Leon DuPree (Apr 27)
- Re: Smartphone Policies. Maloney, Michael (Apr 27)
- Re: Smartphone Policies. Cal Frye (Apr 27)
- Re: Smartphone Policies. Cal Frye (Apr 27)
- Re: Smartphone Policies. Adam Stone (Apr 27)
- Re: Smartphone Policies. Caroline Couture (Apr 27)
- Re: Smartphone Policies. Connie Sadler (May 14)
- Re: Smartphone Policies. Chris Green (May 14)
- Re: Smartphone Policies. Adam Carlson (May 15)