Educause Security Discussion mailing list archives

Re: Cell phone security policy


From: "Spransy, Derek" <dsprans () EMORY EDU>
Date: Wed, 2 May 2012 18:26:00 +0000

Hi Matt,

Emory has begun enforcing security requirements for all devices (personally and institutionally owned) that connect to 
our Exchange environment via ActiveSync and BES. You can read our policy at http://policies.emory.edu/5.14. User 
documentation is here: http://it.emory.edu/security/smart_device
The policy requires the following specifically:

  *   A non-trivial numeric device passcode with a minimum required length of four characters. Passcodes consisting of 
additional character sets or greater lengths are allowed.
  *   An inactivity timeout to automatically lock the device after a maximum of fifteen minutes
  *   Data storage encryption (when supported by the device)
  *   Automatic data wiping after ten failed passcode entry attempts
  *   Enable the ability to remotely wipe data from lost/stolen devices
  *   Prohibit users from modifying or disabling security safeguards

We're not enforcing encryption (i.e., denying access to devices that can't be encrypted) requirements, but devices that 
can't support encryption are prohibited by policy to store sensitive data. We don't have any technical capability to 
enforce this though. AV also isn't a requirement at this point as nearly 3/4 of our smart devices are iOS based, and 
there isn't a lot in the way of AV for that platform. There would also be a cost associated with requiring AV, and 
we're implementing what we can without any expenditure outside of operational costs.

Thanks,
Derek

Derek Spransy
Information Security
Office of Information Technology
Emory University & Healthcare
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Matt Marmet 
[matt.marmet () ARMSTRONG EDU]
Sent: Wednesday, May 02, 2012 9:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cell phone security policy

Good Morning Everyone,

There has been some interest here at Armstrong in moving towards a cell phone stipend model. We have discussed the pros 
and cons with our various carrier reps and seem to have a clear understanding of them. However, there is one concern 
that we have and that is security. If we move to this model, all of the cell phones would be personal along with the 
billing plans. Our initial reaction is to have something in place to be able to wipe the devices clean in case of 
termination or a lost device. That way all email and potentially other institutional data can be deleted. We use Google 
mail for email and have heard of some options with that. I have 2 questions for the list:


1)      What in particular are you doing about institutional information on a private device (encryption, antivirus, 
etc.)?

2)      Do you have something in a policy about cell phone security and the ability to wipe a device clean that I can 
take a look at?

I want to be able to set appropriate expectations for users so there is no shock later when their device gets wiped or 
“reset”.

Thanks all. Have a great day.

Matt


----
Matt Marmet
Director of IT Security, CISO
Armstrong Atlantic State University
11935 Abercorn Street
Savannah, GA 31419
Desk: (912) 344-3528
Cell: (912) 414-0684

Security Tip: No matter how authentic the request appears, if you are asked in an email or via the phone to provide 
your password - it is a SCAM.

******* The ITS Team will NEVER, EVER, EVER ----- EVER ask for your
username and password via Email. Don't respond to any requests for
this information ******

"The lesson here is that anything that holds any data of any value must be protected."

