1608 PR.01 Security Standards for Mobile Devices and External Devices
Overview
The following standards, requirements, procedures and processes are to be enforced whenever doing so is technically feasible.
Mobile devices are now an integral part of institutional processes at Yale. External devices are also being used to meet a need within the Yale Community. Changes in information technology (IT) and information security over the last few years have made it necessary for Yale to take additional steps to protect the Yale community from the newest threats to data, devices and networks. This procedure outlines the steps that must be taken to ensure Yale is able to provide the best protection for you, your peers and your colleagues as you access and make use of Yale’s IT resources. Many changes, such as device encryption, are steps Yale is taking in an attempt to “catch up” with the security already found in the consumer electronics market. Other changes, such as the use of mobile device management (MDM) software, are proactive steps Yale is taking to provide a better level of service to the Yale community while making the Yale network a safer place to learn, conduct research and otherwise contribute to this institution.
Device Security Standards
Users connecting mobile devices to the Yale network or accessing Yale data from mobile devices must ensure the following configuration standards are met:
- External mobile devices
  - The device shall be enrolled in the Yale Mobile Device Management (MDM) program by:
    - downloading the appropriate MDM software package (currently IBM Endpoint Manager), which is available at Mobile Device Enrollment;
    - registering the device using the user’s individual yale.edu email address and network credentials; and
    - ensuring the software remains installed on the device.
  - Yale requires that antivirus and anti-malware software be installed and maintained on all External mobile devices where technically feasible.
  - Device owners should take steps to regularly back up the data on their personal devices to ensure data availability in the event of loss, theft or device failure.
- All mobile devices
  - Users may NOT take steps to circumvent the security policies put in place by the MDM software.
  - A password-protected lock screen shall be enabled on the device. The timeout period for the lock screen must not exceed 10 minutes.
  - Encryption must be enabled for internal data storage. This storage may be decrypted to facilitate system or device upgrades as necessary.
  - Encryption must be enabled for internal storage expansion devices (e.g. SD cards or secondary internal hard drives) used to augment internal storage. This storage may be decrypted to facilitate system or device upgrades as necessary.
  - External hard drives, USB thumb drives, network attached storage devices (“NAS”) and similar devices are not within the scope of this procedure; please see Policy 1609 for guidance on how these devices should be configured.
  - Local storage of email on the device must be limited either to no more than 400 messages or to no more than 14 days of mail.
  - Where the feature is available (as is the case within many smartphone operating systems such as Android, Blackberry or iOS), a feature that allows remote wiping of data in the event a device is lost or stolen must be enabled on the device.
- Software on mobile devices
  - Applications that create, store, access, send or receive ePHI must meet Yale security standards. Please contact hipaa.security@yale.edu for additional information.
  - Custom developed applications used to access Yale data on mobile devices must undergo a Security Design Review (see http://its.yale.edu/services/web-and-application-services/security-design-review).
  - Applications and the device’s operating system must be kept up-to-date. Critical system and application updates must be applied within 30 days of their release.
  - In some cases you may not be able to install certain applications (e.g. unsigned applications, or software to “root” or “jailbreak” your device) on your mobile device once it is configured for use at Yale.
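The device standards above are the kind of rules an MDM administrator turns into a compliance check. The following is an added example, not Yale's or IBM Endpoint Manager's code; the inventory record field names and the two sample devices are constructed assumptions, and the thresholds (10-minute lock timeout, 400 messages or 14 days of mail, 30-day update window, encryption, remote wipe where supported) are the ones stated in the standard.

```python
"""Evaluate constructed MDM inventory records against the device standards.
Added example; record field names are assumptions, not a real MDM schema."""
from datetime import date


def check_device(dev: dict, today: date) -> list:
    """Return the standards a device fails; an empty list means compliant."""
    findings = []
    if not dev.get("mdm_enrolled"):
        findings.append("not enrolled in MDM")
    if not dev.get("lock_screen_password"):
        findings.append("no password-protected lock screen")
    elif dev.get("lock_timeout_min", 0) > 10:
        findings.append("lock screen timeout exceeds 10 minutes")
    if not dev.get("internal_storage_encrypted"):
        findings.append("internal storage not encrypted")
    # Expansion storage (SD card, second internal drive) only matters if present
    if dev.get("expansion_storage_present") and not dev.get("expansion_storage_encrypted"):
        findings.append("expansion storage not encrypted")
    # Mail retention: meeting either limit is enough; a missing value means unlimited
    msgs, days = dev.get("mail_max_messages"), dev.get("mail_max_days")
    if not ((msgs is not None and msgs <= 400) or (days is not None and days <= 14)):
        findings.append("mail retention exceeds 400 messages / 14 days")
    # Remote wipe is required only where the platform supports it
    if dev.get("remote_wipe_supported") and not dev.get("remote_wipe_enabled"):
        findings.append("remote wipe not enabled")
    # The oldest critical update still pending must be no older than 30 days
    oldest = dev.get("oldest_pending_critical_update")
    if oldest is not None and (today - oldest).days > 30:
        findings.append("critical update pending for more than 30 days")
    return findings


def audit(devices: list, today: date) -> dict:
    """Map each device id to its list of findings."""
    return {d["id"]: check_device(d, today) for d in devices}


# Constructed sample inventory: a compliant phone and a tablet with several gaps
DEVICES = [
    {"id": "phone-1", "mdm_enrolled": True, "lock_screen_password": True,
     "lock_timeout_min": 5, "internal_storage_encrypted": True,
     "mail_max_days": 14, "remote_wipe_supported": True, "remote_wipe_enabled": True},
    {"id": "tablet-2", "mdm_enrolled": True, "lock_screen_password": True,
     "lock_timeout_min": 15, "internal_storage_encrypted": True,
     "expansion_storage_present": True, "expansion_storage_encrypted": False,
     "remote_wipe_supported": True, "remote_wipe_enabled": False,
     "oldest_pending_critical_update": date(2024, 1, 1)},
]

if __name__ == "__main__":
    for dev_id, problems in audit(DEVICES, date(2024, 3, 1)).items():
        print(dev_id, "compliant" if not problems else problems)
```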
Network and Network Resource Access
- Devices failing to meet the standards outlined in Sections 1.a to 1.c may be denied access to Yale network resources or denied access to specific Yale IT resources. System and service owners may require that additional security standards be met before connection to a specific system or service is allowed.
- You may or may not be notified at the time access to Yale network resources is denied.
- Access to the guest network (for guests of Yale affiliates) is governed by different standards. Yale employees are not to conduct Yale business on the guest network barring a specific business need (such as testing access to applications from an off-campus location).
Basic Device Usage
Users are responsible for understanding the basic usage of external mobile devices that they purchase. ITS will maintain a list of common resources where users can find basic usage instructions for configuring common mobile device platforms for use with University resources. This list will be refreshed at least once every fiscal year.
Support and Services Provided by ITS
- ITS support staff will:
  - Assist users in configuring access to the Yale network if the mobile device hardware and software are compatible with the systems and technologies currently in use on campus.
  - Assist users in adding passwords to secure mobile devices.
  - Where software licensing requirements permit and mobile device compatibility allows, assist in the installation of software provided by the University for office productivity, email, antivirus protection, and secure network access (VPN, email access, antivirus and office software will not be available for all mobile devices).
  - Where not certified to repair hardware, direct users to the appropriate resource for service and repair (most commonly the manufacturer or other external service provider), and
  - Assist users in joining an External mobile device to the domain when the following conditions are met:
    - The user has an active NetID which can be used as a primary or secondary login;
    - Either ITS supported software is available to allow the mobile device to join the domain or the mobile device has a built-in capacity to join a Windows domain;
    - ITS managed antivirus software is first installed on the device, or an exception is obtained from Information Security; and
    - Yale VPN software is installed on the machine for secure access to Yale resources.
- ITS support staff WILL NOT:
  - Provide support for mobile devices not used to conduct university business or access University resources.
  - Instruct users in the basic use of the External mobile device they have purchased unless part of a larger training initiative.
  - Provide users with methods by which to circumvent university security controls, procedures or practices.
  - Assist users in violating any copyright, intellectual property, or other law.
Exceptions
Any variance to these procedures must be documented and approval obtained from IT Compliance (exceptions will not be given without a well-articulated business reason and departmental support). IT Compliance may be contacted via it.compliance@yale.edu.