Educause Security Discussion mailing list archives
Re: iPad / mobile device security and policy
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 2 Feb 2011 15:56:32 +0000
We're developing a tiered configuration policy for end user devices based on risk. That is, based on the type of accounts and data accessible to the person using the device and the damage the University or constituents may suffer if compromised. The idea being that with the proliferation of end user devices and access methods, security controls and policy should be based on risk, not on platform. If a platform cannot meet a risk based policy then someone has to sign off on the acceptance of risk associated with the exception.

A simplified version looks like this:

RED
- Devices used to access or process large volume of highly confidential information about other people, access highly privileged accounts, or perform financial transactions over a set amount.
- No general internet access from computer enforced with external network access controls.
- Whitelist of accessible sites.
- Location based application whitelisting.
- No administrator accounts
- No local control of computer configuration without explicit approval and terms and conditions.

With large volumes of highly confidential data and high potential damages to the university or constituents, we don't want end users to be performing risk assessments of configuration changes and unplanned software installations by themselves.

ORANGE
- Devices used to access or process large volume of sensitive information about other people.
- Whitelist of trusted sites in browser.
- Location based application whitelisting.
- No administrator accounts
- No local control of computer configuration without explicit approval and terms and conditions.

With large volumes of sensitive data and high potential damages to the university or constituents, we don't want end users to be performing risk assessments of configuration changes and unplanned software installations by themselves.
YELLOW
- Devices used to access or process large volume of non-public information, manage high level public facing communications, manage infrastructure, or remotely access ORANGE or RED devices.
- Location based application whitelisting
- Operated with regular user account

GREEN
- Devices whose compromise would have little effect on other people's data or services.
- Baseline security policies for platform

We recently had the opportunity to configure some university purchased iPhones for use in a sensitive application. We used the iPhone configuration tool to lock down the device so apps could not be downloaded after the one needed to perform the business function and disabled unnecessary functionality. The main issue with mobile devices is the inability to control internet access as required for RED applications.

-----Original Message-----
From: "Semmens, Theresa" <theresa.semmens () NDSU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 2 Feb 2011 06:20:26 -0800
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] iPad / mobile device security and policy
Lewis,

I see a case study and best practices white paper with your suggestion......

Theresa Semmens, CISA
Chief IT Security Officer
North Dakota State University
IACC 210D
PO Box 6050
Fargo, ND 58108
Phone: 701-231-5870
Cell Phone: 701-212-2064
Fax: 701-231-8541
Theresa.Semmens () ndsu edu

Security is a process, privacy is a consequence
Security is action, privacy is a result of successful action
Security is the strategy, privacy is the outcome
Security is the sealed envelope, privacy is the successful delivery of the message inside the envelope
~ Kevin Beaver & Rebecca Herold

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Watkins, Lewis
Sent: Tuesday, February 01, 2011 10:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iPad / mobile device security and policy

I'm looking for model policies and processes for managing iPad use in campus environments. Does your institution have iPad specific policies, or are iPads included in a broader mobile device policy? How do your faculty and administrators currently use iPads? Are any limits placed on their use? Do you have specific configuration requirements or recommendations? How concerned are you about the security of iPads, particularly for use with confidential information?

Thank you for any guidance, advice, or references you can provide.

Lewis
____________________________
Lewis Watkins, CISO
University of Texas System
--
Gary Flynn
Security Engineer
James Madison University
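
An added example, not part of the original message and not JMU's own tooling: the simplified tier model above expressed as an inventory check that assigns each device its highest applicable tier and reports which required controls are missing and still need risk sign-off. The usage flags, control names, status strings and device records are constructed for illustration.

```python
# Added illustration; flags, control names and device records are constructed.
TIER_USES = {  # checked from highest risk to lowest
    "RED": {"bulk_highly_confidential", "privileged_accounts",
            "large_financial_transactions"},
    "ORANGE": {"bulk_sensitive"},
    "YELLOW": {"bulk_non_public", "public_communications",
               "manages_infrastructure", "remote_access_to_orange_or_red"},
}
REQUIRED = {  # controls as listed per tier in the simplified policy
    "RED": {"external_network_acl", "site_whitelist", "app_whitelisting",
            "no_admin_accounts", "config_change_approval"},
    "ORANGE": {"browser_site_whitelist", "app_whitelisting",
               "no_admin_accounts", "config_change_approval"},
    "YELLOW": {"app_whitelisting", "regular_user_account"},
    "GREEN": {"platform_baseline"},
}

def classify(uses):
    """Return the highest tier whose usage criteria the device matches."""
    for tier, triggers in TIER_USES.items():
        if triggers & set(uses):
            return tier
    return "GREEN"

def evaluate(device):
    """Return (tier, missing controls, status) for one inventory record."""
    tier = classify(device["uses"])
    missing = REQUIRED[tier] - set(device["controls"])
    if not missing:
        status = "compliant"
    elif missing <= set(device.get("accepted_risks", ())):
        status = "exception_signed_off"
    else:
        status = "needs_risk_signoff"
    return tier, sorted(missing), status

# Constructed record: a locked-down phone that cannot enforce external
# network access controls, the gap the message notes for mobile devices.
PHONE = {"uses": ["bulk_highly_confidential"],
         "controls": ["site_whitelist", "app_whitelisting",
                      "no_admin_accounts", "config_change_approval"]}
LAPTOP = {"uses": ["manages_infrastructure", "bulk_sensitive"],
          "controls": ["app_whitelisting", "regular_user_account"]}

if __name__ == "__main__":
    signed = dict(PHONE, accepted_risks=["external_network_acl"])
    for name, dev in (("phone", PHONE), ("signed", signed), ("laptop", LAPTOP)):
        print(name, evaluate(dev))
```
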
Current thread:
- iPad / mobile device security and policy Watkins, Lewis (Feb 01)
- Re: iPad / mobile device security and policy Semmens, Theresa (Feb 02)
- Re: iPad / mobile device security and policy Flynn, Gary - flynngn (Feb 02)
- Re: iPad / mobile device security and policy Marty Manjak (Feb 02)
- Re: iPad / mobile device security and policy Flynn, Gary - flynngn (Feb 02)
- Re: iPad / mobile device security and policy Julian Y. Koh (Feb 02)
- Re: iPad / mobile device security and policy Webb, Justin (Feb 02)
- Re: iPad / mobile device security and policy SCHALIP, MICHAEL (Feb 02)
- Re: iPad / mobile device security and policy Webb, Justin (Feb 02)
- Re: iPad / mobile device security and policy Flynn, Gary - flynngn (Feb 02)
- Re: iPad / mobile device security and policy Semmens, Theresa (Feb 02)
- <Possible follow-ups>
- Re: iPad / mobile device security and policy Barron Hulver (Feb 02)