Mobile Security Guidelines
The Iowa State Code of Computer Ethics and Acceptable Use establishes a general policy for the use of computing, telephone, and information resources. The purpose of these guidelines is to establish acceptable practices that support the policy as it applies to mobile devices. These guidelines are enforced for all mobile devices supported through Iowa State IT and apply to all campus affiliates who are using a mobile device connecting to the Iowa State IT Exchange e-mail system. When a specific guideline is not outlined, the general computing policy applies.
Securing Your Device
Password Protection / Lock
Requirement – see specific implementation guidelines for further details
- Use password protection on all mobile devices
- Establish passwords as allowed by your device
- Configure devices to require a password for access after:
- Power on prior to initial use
- A short period of inactivity
- Configure devices to lock out further access after a number of failed password attempts
- Change your mobile device password at least once a year
- Use two-factor authentication on the device if available
- To protect from malware, consider if an application should have permissions before granting them
Loss or theft protection
To prevent loss/theft:
- Document the serial number of your device.
- Take appropriate physical security measures to prevent theft of mobile devices.
- Never leave your mobile device unattended in a non-secure location
If the device is lost/stolen
- Report loss or theft of any mobile device (regardless of ownership) to IT Security team and wireless carrier (if applicable).
- For university-owned devices, Promptly report lost or stolen devices to ITS.
- Immediately change any passwords saved on the device unless stored only in a secure password keeper application.
- Initiate a remote wipe of the device if it has not been recovered in a reasonable time period to reduce the risk of exposure to university data as well as personal data.
- Include appropriate contact information on the device. E.g. put “If found, call [phone number]” on the lock screen or engrave the information on the device.
- Set up your device specific lost/stolen location services (e.g. GPS tracking) to assist in the recovery of the device.
- Install antivirus software on the device, if available
- Configure antivirus software to auto-update definitions in a timely manner and verify that the update mechanism is functioning correctly
- Use vendor-supported versions of your operating system and any installed applications
- Apply updates and patches in a timely manner
- Configure the device and the applications on it to automatically apply updates
- Remove applications that are no longer being used
Securing Your Data
Access and storage
- Comply with the data security restrictions applicable to the data you are accessing from or storing on your mobile device
- Use encryption software or built-in encryption options on the device to protect sensitive University data
- Regularly backup all data on your mobile device. Consider using multiple backup mechanisms. If you travel, have a portable backup device that you can take with you (carried separately and similarly secured)
- Make regular backups of your important data from your mobile device to a server, preferably university-managed
- Disable remembering of passwords on your device unless required for syncing or connecting to wireless networks
- Use a secure password keeper application if storing passwords on your mobile device
- Consider whether it is necessary to store data on your mobile device for the long-term
- Remove any university data no longer being used from the device
Securing Your Communications
Wireless network access
- Disable auto-join of newly discovered wireless networks
- Disable any wireless networking features not currently in use (Wi-Fi, Bluetooth)
- Set a new value for the PIN or password when establishing a connection with a Bluetooth device instead of using the default/zero/null value if possible
- Secure all other wireless communications used by your device, such as infrared
Sharing/ tethering Internet connections over WiFi/Bluetooth
- Disable Internet sharing/tethering when not in use
- Set a strong password for access when tethering other devices to your mobile device over WiFi/Bluetooth
There are always new features being developed for mobile devices that have security concerns. Requirements and guidelines will need to evolve along with the technology to ensure safety and security. As a result, additional requirements may be in effect if needed.