Educause Security Discussion mailing list archives
Re: Cell phone security policy
From: "Spransy, Derek" <dsprans () EMORY EDU>
Date: Wed, 2 May 2012 18:26:00 +0000
Hi Matt,

Emory has begun enforcing security requirements for all devices (personally and institutionally owned) that connect to our Exchange environment via ActiveSync and BES. You can read our policy at http://policies.emory.edu/5.14. User documentation is here: http://it.emory.edu/security/smart_device

The policy requires the following specifically:

* A non-trivial numeric device passcode with a minimum required length of four characters. Passcodes consisting of additional character sets or greater lengths are allowed.
* An inactivity timeout to automatically lock the device after a maximum of fifteen minutes
* Data storage encryption (when supported by the device)
* Automatic data wiping after ten failed passcode entry attempts
* Enable the ability to remotely wipe data from lost/stolen devices
* Prohibit users from modifying or disabling security safeguards

We're not enforcing encryption requirements (i.e., denying access to devices that can't be encrypted), but devices that can't support encryption are prohibited by policy from storing sensitive data. We don't have any technical capability to enforce this though. AV also isn't a requirement at this point as nearly 3/4 of our smart devices are iOS based, and there isn't a lot in the way of AV for that platform. There would also be a cost associated with requiring AV, and we're implementing what we can without any expenditure outside of operational costs.

Thanks,
Derek

Derek Spransy
Information Security
Office of Information Technology
Emory University & Healthcare

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Matt Marmet [matt.marmet () ARMSTRONG EDU]
Sent: Wednesday, May 02, 2012 9:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cell phone security policy

Good Morning Everyone,

There has been some interest here at Armstrong in moving towards a cell phone stipend model. We have discussed the pros and cons with our various carrier reps and seem to have a clear understanding of them. However, there is one concern that we have and that is security. If we move to this model, all of the cell phones would be personal along with the billing plans. Our initial reaction is to have something in place to be able to wipe the devices clean in case of termination or a lost device. That way all email and potentially other institutional data can be deleted. We use Google mail for email and have heard of some options with that.

I have 2 questions for the list:

1) What in particular are you doing about institutional information on a private device (encryption, antivirus, etc.)?
2) Do you have something in a policy about cell phone security and the ability to wipe a device clean that I can take a look at?

I want to be able to set appropriate expectations for users so there is no shock later when their device gets wiped or “reset”.

Thanks all. Have a great day.

Matt

----
Matt Marmet
Director of IT Security, CISO
Armstrong Atlantic State University
11935 Abercorn Street
Savannah, GA 31419
Desk: (912) 344-3528
Cell: (912) 414-0684

Security Tip: No matter how authentic the request appears, if you are asked in an email or via the phone to provide your password - it is a SCAM.

******* The ITS Team will NEVER, EVER, EVER ----- EVER ask for your username and password via Email. Don't respond to any requests for this information ******

"The lesson here is that anything that holds any data of any value must be protected."
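The six requirements listed in the reply above, expressed as a device compliance check. This is an added example, not part of the original thread and not Emory's tooling; the record fields, sample devices and decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """Hypothetical device-inventory record; every field name is an assumption."""
    passcode_min_length: int
    trivial_passcode_allowed: bool
    lock_timeout_minutes: int        # 0 means the device never auto-locks
    wipe_after_failed_attempts: int  # 0 means auto-wipe is disabled
    remote_wipe_enabled: bool
    user_can_disable_safeguards: bool
    supports_encryption: bool
    encryption_enabled: bool

def evaluate(d: Device):
    """Return (decision, findings) for one device against the six listed requirements."""
    findings = []
    if d.passcode_min_length < 4:
        findings.append("passcode shorter than four characters")
    if d.trivial_passcode_allowed:
        findings.append("trivial passcodes permitted")
    if not 0 < d.lock_timeout_minutes <= 15:
        findings.append("inactivity lock missing or longer than fifteen minutes")
    # Assumption: a wipe threshold lower than ten attempts also satisfies the policy.
    if not 0 < d.wipe_after_failed_attempts <= 10:
        findings.append("no automatic wipe within ten failed attempts")
    if not d.remote_wipe_enabled:
        findings.append("remote wipe not enabled")
    if d.user_can_disable_safeguards:
        findings.append("user can modify or disable safeguards")
    if d.supports_encryption and not d.encryption_enabled:
        findings.append("encryption supported but not enabled")
    if findings:
        return "deny", findings
    if not d.supports_encryption:
        # Not denied access, but prohibited by policy from storing sensitive data.
        return "allow-no-sensitive-data", ["device cannot encrypt storage"]
    return "allow", []

# Constructed sample records, not real inventory data.
SAMPLES = {
    "compliant-phone": Device(4, False, 15, 10, True, False, True, True),
    "no-crypto-phone": Device(6, False, 5, 10, True, False, False, False),
    "lax-tablet": Device(4, True, 30, 0, True, False, True, False),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        print(name, *evaluate(dev))
```

The middle case reflects the gap described in the reply: a device that cannot encrypt still connects, so the restriction on storing sensitive data rests on policy rather than a technical control.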