Educause Security Discussion mailing list archives

Re: Cell phone security policy


From: Matt Marmet <matt.marmet () ARMSTRONG EDU>
Date: Wed, 2 May 2012 14:58:14 -0400

Wow Derek,



This is great information. Thanks for taking the time. A few questions: how
do you verify that passcodes and timeouts are on devices? How do you handle
lost phones or terminated employees that have email and info on them? Do
you wipe the personal device to factory default?



Thanks,



Matt





---
Matt Marmet
Director of IT Security, CISO
Armstrong Atlantic State University
11935 Abercorn Street
Savannah, GA 31419
Desk: (912) 344-3528
Cell:  (912) 414-0684



Security Tip: No matter how authentic the request appears, if you are asked
in an email or via the phone to provide your password - it is a SCAM.


******* The ITS Team will NEVER, EVER, EVER ----- EVER ask for your
username and password via Email. Don't respond to any requests for
this information ******



"The lesson here is that anything that holds any data of any value must be
protected."



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Spransy, Derek
*Sent:* Wednesday, May 02, 2012 2:26 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Cell phone security policy



Hi Matt,



Emory has begun enforcing security requirements for all devices (personally
and institutionally owned) that connect to our Exchange environment via
ActiveSync and BES. You can read our policy at
http://policies.emory.edu/5.14. User documentation is here:
http://it.emory.edu/security/smart_device. The policy requires the
following specifically:

   - A non-trivial numeric device passcode with a minimum required length
   of four characters. Passcodes consisting of additional character sets or
   greater lengths are allowed.
   - An inactivity timeout to automatically lock the device after a maximum
   of fifteen minutes
   - Data storage encryption (when supported by the device)
   - Automatic data wiping after ten failed passcode entry attempts
   - Enable the ability to remotely wipe data from lost/stolen devices
   - Prohibit users from modifying or disabling security safeguards



We're not enforcing encryption (i.e., denying access to devices that can't be
encrypted) requirements, but devices that can't support encryption are
prohibited by policy to store sensitive data. We don't have any technical
capability to enforce this though. AV also isn't a requirement at this
point as nearly 3/4 of our smart devices are iOS based, and there isn't a
lot in the way of AV for that platform. There would also be a cost
associated with requiring AV, and we're implementing what we can without
any expenditure outside of operational costs.



Thanks,

Derek



Derek Spransy

Information Security

Office of Information Technology

Emory University & Healthcare
------------------------------

*From:* The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Matt Marmet [
matt.marmet () ARMSTRONG EDU]
*Sent:* Wednesday, May 02, 2012 9:32 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Cell phone security policy

Good Morning Everyone,



There has been some interest here at Armstrong in moving towards a cell
phone stipend model. We have discussed the pros and cons with our various
carrier reps and seem to have a clear understanding of them. However, there
is one concern that we have and that is security. If we move to this model,
all of the cell phones would be personal along with the billing plans. Our
initial reaction is to have something in place to be able to wipe the
devices clean in case of termination or a lost device. That way all email
and potentially other institutional data can be deleted. We use Google mail
for email and have heard of some options with that. I have 2 questions for
the list:



1) What in particular are you doing about institutional information on
a private device (encryption, antivirus, etc.)?

2) Do you have something in a policy about cell phone security and the
ability to wipe a device clean that I can take a look at?



I want to be able to set appropriate expectations for users so there is no
shock later when their device gets wiped or “reset”.



Thanks all. Have a great day.



Matt






------------------------------
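
The device requirements listed in Derek Spransy's message, expressed as an Exchange 2010 ActiveSync mailbox policy, with a check of which devices report the policy as applied and a remote-wipe preview. This is an added example, not Emory's configuration or part of the original thread; the policy name, mailbox address and device ID are hypothetical placeholders, and blocking non-provisionable devices is an assumption.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# All names below are hypothetical placeholders.
$policyName = 'Example-SmartDevice-Policy'
$mailbox    = 'user@example.edu'
$deviceId   = 'EXAMPLEDEVICEID'

$settings = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true       # passcode required
    AllowSimpleDevicePassword          = $false      # rejects trivial PINs such as 1111 or 1234
    AlphanumericDevicePasswordRequired = $false      # numeric is enough; longer/complex still allowed
    MinDevicePasswordLength            = 4           # minimum length of four
    MaxInactivityTimeDeviceLock        = '00:15:00'  # lock after at most fifteen minutes idle
    MaxDevicePasswordFailedAttempts    = 10          # device wipes itself after ten bad entries
    RequireDeviceEncryption            = $false      # not enforced: devices without encryption still connect
    AllowNonProvisionableDevices       = $false      # assumption: block devices that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @settings

# Assign the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Verification: what each of the user's devices reports back about the policy.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastPolicyUpdateTime

# Lost device or terminated employee: preview a remote wipe.
# An ActiveSync wipe resets the whole device to factory defaults,
# personal data included. Remove -WhatIf to actually issue it.
$device = Get-ActiveSyncDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $deviceId }
if ($device) {
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $mailbox -WhatIf
}
```

The policy status is self-reported by the device, so `DevicePolicyApplicationStatus` shows what the client claims to enforce rather than an independent measurement.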


