Policy Title | Personal Device Policy |
Policy Category | Information Technology |
Original Policy Approval Date | September 3, 2024 |
Policies Superseded | None |
Responsible Office/Vice President | Information Technology |
Related Policies | Acceptable Use Policy, Information Technology Policy |
Frequency of Review | 5 Years |
I. SCOPE
This Personal Device Policy (Policy) applies to all employees who use their own electronic device, not owned or provided by the University, to access Technology Resources owned, managed, or otherwise provided by the University. All capitalized terms within this Policy not defined within an applicable section are defined in Section IV below.
II. POLICY STATEMENT
The purpose of this Policy is to establish guidelines for when employees use personally owned or leased electronic devices (not owned or provided by the University) to access and store University Data, whether on campus or remotely (“Personal Devices”). This Policy aligns with National Institute of Standards and Technology (NIST) best practices, Special Publication 800-171, to mitigate risks associated with non-University issued devices accessing Sensitive Information. Sensitive Information is considered to be Level 1, 2, or 3 data classified per the Data Governance Policy and Data Handling Guidelines.
Specifically, this Policy aims to prevent: (1) loss or theft of mobile devices and data; (2) compromise of classified information through public observation; (3) introduction of viruses and malware to the network; and (4) damage to reputation. By implementing this Policy, the University seeks to minimize these risks and protect its information and reputation.
III. POLICY
- Employee Responsibilities
The University provides laptop computers and/or other electronic devices to many of its employees, and strongly encourages all employees to use a University-issued device to conduct University business. Employees who utilize Personal Devices to access University Technology Resources are responsible for:
- Abiding by the requirements identified within this Policy for their Personal Devices.
- Any loss of data or breach of data resulting from the activities conducted on their Personal Devices while connected to a University Technology Resource.
- Removing all University Data from the device and returning it to the manufacturers’ settings before selling, exchanging or disposing of the device.
- All transactions made from their Personal Devices while connected to a University Technology Resource.
- Following the University Data Handling Guidelines.
- Reporting lost or stolen Personal Devices that may contain University Data.
Any University Data protected or restricted per the University’s Data Governance Policy should not be stored on a Personal Device. Employees should not conduct sensitive University business on open (without a password) wireless networks (i.e., coffee shop wireless or public Wi-Fi).
- Requirements for Personal Devices
Personal Devices used to access the University’s Technology Resources are required to have the following attributes enabled:
- Protection through a pin or password access control, multi-factor authentication if possible, and locked screen enabled when inactive.
- Updated antivirus and operating systems.
- Removal of any University Data stored on the device once the employee is finished using it, including deleting copies of attachments to emails, such as documents, spreadsheets and data sets.
- If the device is used by multiple users (i.e., others within the employee’s home), set up a separate account or profile to solely be used for accessing University Data.
- Use of the appropriate encryption for data in transit (i.e., sensitive email messages).
- Install and configure tracking and/or wiping services, such as Apple’s “Find My iPhone” app, or the corresponding features for the device. This is to assist with locating and/or wiping the Personal Device.
- University Access and Responsibility
By connecting a Personal Device to the University’s Technology Resources, an employee consents to the University’s access and ability to manage University Data on that device. This includes the ability to wipe University Data (but not the entire device or personal data) from the Personal Device. The University is not responsible or liable for the maintenance, backup, or loss of data on a Personal Device, including any loss, theft, or damage to any device. Employees are responsible for ensuring the security and integrity of their Personal Devices and data.
- Enforcement
Employees who violate this Policy may be subject to: (1) denial of access to the University’s Technology Resources or Data via a Personal Device; (2) disciplinary action and penalties, up to and including separation from the University; and (3) external investigation and/or prosecution by local, state, or federal authorities. The University may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so to protect the integrity, security, or functionality of the University’s or other Technology Resources or Data, or to protect the University from liability. By using University Technology Resources through Personal Devices, employees acknowledge that they understand they are assuming full liability—legal, financial, or otherwise—for their actions in violation of this Policy and other University policies. The University is not liable for the actions of individuals connected to the internet through the University’s Technology Resources.
IV. DEFINITIONS
Device refers to any computer, laptop, tablet, smartwatch, virtual reality or augmented reality devices, mobile phone/PDA electronic device or any other electronic device used to access, store, or transmit University Data to University systems.
Sensitive Information is considered to be Level 1, 2, or 3 data classified per the University’s Data Governance Policy and Data Handling Guidelines.
Technology Resources refers to assigned computer accounts, email services, and the shared University network which includes resources and facilities operated by the University, whether owned, leased, used under license or by agreement, including, but not limited to: telephones (including mobile devices) and telephone equipment, voice mail, SMS (text), mobile data devices, desktop and laptop computers, email, chat, facsimiles, mail, any connection to the University’s network or use of any part of the University’s network to access other networks, connections to the internet that are intended to fulfill information processing and communications functions, communication services, hardware, including printers, scanners, facsimile machines, any off-campus computers and associated equipment provided for the purpose of University work or associated activities.
University refers to Arcadia University, its colleges, schools, affiliates, divisions, and subsidiaries.
University Data refers to any and all data and information acquired, generated, used or stored by the University.
V. EFFECTIVE DATE
This Policy is effective on the date that it is signed by the President.
VI. SIGNATURE, TITLE AND DATE OF APPROVAL
/s/ Ajay Nair
Ajay Nair, President
Date: September 3, 2024