Mobile Security Guidelines
The Iowa State Code of Computer Ethics and Acceptable Use establishes a general policy for the use of computing, telephone, and information resources. The purpose of these guidelines is to establish acceptable practices that support the policy as it applies to mobile devices. These guidelines are enforced for all mobile devices supported through Iowa State IT and apply to all campus affiliates who are using a mobile device connecting to the Iowa State IT Exchange e-mail system. When a specific guideline is not outlined, the general computing policy applies.
Securing Your Device
Password Protection / Lock
Requirement – see specific implementation guidelines for further details
- Use password protection on all mobile devices
- Establish passwords as allowed by your device
- Configure devices to require a password for access after:
  - Power on prior to initial use
  - A short period of inactivity
- Configure devices to lock out further access after a number of failed password attempts
- Change your mobile device password at least once a year
- Use two-factor authentication on the device if available
- To protect against malware, consider whether an application should have the permissions it requests before granting them
Loss or theft protection
To prevent loss/theft:
Requirement
- Document the serial number of your device.
Recommendation
- Take appropriate physical security measures to prevent theft of mobile devices.
- Never leave your mobile device unattended in a non-secure location
If the device is lost/stolen
Requirement
- Report loss or theft of any mobile device (regardless of ownership) to the IT Security team and the wireless carrier (if applicable).
- For university-owned devices, promptly report lost or stolen devices to ITS.
- Immediately change any passwords saved on the device unless stored only in a secure password keeper application.
Recommendation
- Initiate a remote wipe of the device if it has not been recovered in a reasonable time period to reduce the risk of exposure to university data as well as personal data.
Recovery/Tracking:
Recommendation
- Include appropriate contact information on the device. For example, put “If found, call [phone number]” on the lock screen or engrave the information on the device.
- Set up your device-specific lost/stolen location services (e.g. GPS tracking) to assist in the recovery of the device.
Antivirus protection
Requirement
- Install antivirus software on the device, if available
- Configure antivirus software to auto-update definitions in a timely manner and verify that the update mechanism is functioning correctly
Device updates
Requirement
- Use vendor-supported versions of your operating system and any installed applications
- Apply updates and patches in a timely manner
Recommendation
- Configure the device and the applications on it to automatically apply updates
- Remove applications that are no longer being used
Securing Your Data
Access and storage
Requirement
- Comply with the data security restrictions applicable to the data you are accessing from or storing on your mobile device
Encryption
Requirement
- Use encryption software or built-in encryption options on the device to protect sensitive University data
Backup
Recommendation
- Regularly back up all data on your mobile device. Consider using multiple backup mechanisms. If you travel, have a portable backup device that you can take with you (carried separately and similarly secured)
- Make regular backups of your important data from your mobile device to a server, preferably university-managed
Password storage
Recommendation
- Disable remembering of passwords on your device unless required for syncing or connecting to wireless networks
- Use a secure password keeper application if storing passwords on your mobile device
Data retention
Recommendation
- Consider whether it is necessary to store data on your mobile device for the long term
- Remove any university data no longer being used from the device
Securing Your Communications
Wireless network access
Requirement
- Disable auto-join of newly discovered wireless networks
Recommendation
- Disable any wireless networking features not currently in use (Wi-Fi, Bluetooth)
Bluetooth devices
Requirement
- Set a new value for the PIN or password when establishing a connection with a Bluetooth device instead of using the default/zero/null value if possible
Recommendation
- Secure all other wireless communications used by your device, such as infrared
Sharing/tethering Internet connections over Wi-Fi/Bluetooth
Requirement
- Disable Internet sharing/tethering when not in use
- Set a strong password for access when tethering other devices to your mobile device over Wi-Fi/Bluetooth
Emerging Technologies
There are always new features being developed for mobile devices that have security concerns. Requirements and guidelines will need to evolve along with the technology to ensure safety and security. As a result, additional requirements may be in effect if needed.