Mobile Device Security Standard

1 PURPOSE

The purpose of this standard is to provide acceptable use and security guidance to the University System of New Hampshire (USNH) employees for protecting USNH data stored on or accessed through personal or institutionally provided mobile devices such as smartphones, tablets, and laptops. This standard does not apply if the mobile device is used to browse public information without authentication on USNH’s websites. 

2 SCOPE

This standard applies to all USNH business and academic units and USNH-owned information systems that collect, store, process, share or transmit institutional data. Personally owned devices connecting to the University Campus Network must meet the Bring Your Own Device standard requirements. 

3 STANDARD

3.1 Do not store Restricted or Protected USNH data (including sensitive student data, Protected Health Information and Social Security Numbers, etc.) on personal mobile devices.  

  • 3.1.1 Mobile device users who do have a valid business need to store non-public data must seek guidance regarding additional controls from appropriate Data Stewards or ET&S Cybersecurity. 
  • 3.1.2 Additional protection may include data encryption, passwords, automatic logoffs, and secure Internet transmissions. USNH employees are expected to secure devices to prevent unauthorized access when left unattended. 

3.2 USNH employees should notify the campus Help Desk as soon as possible if a device containing university data is lost or stolen. 

  • 3.2.1 Mobile devices should have at least a 4-digit PIN to authenticate and an inactivity timeout of 15 minutes. 
  • 3.2.2 Whenever possible, USNH mobile devices will be able to remotely wipe stored data if the device is lost or stolen. 
  • 3.2.3 All persistent storage within mobile devices will be encrypted. 

3.3  Disposal of University Mobile Devices are required to follow the SEED Process. 

  • 3.3.1 Data stored on mobile devices should be properly purged of all USNH information before the device is disposed of, donated, or an employee’s relationship with the University is terminated. 

DOCUMENT HISTORY

  • Approved by: Thomas Nudd, Chief Information Security Officer, August 24, 2022 
  • Reviewed by: Dr. David Yasenchock, Directory Cybersecurity GRC, August 24, 2022
  • Revision History: 
    • V 1.0 Cybersecurity GRC Working Group - August 24, 2022, 
    • V 1.1 Cybersecurity GRC Working Group - February 1, 2024 
    • May 30, 2024, K SWEENEY, Revised formatting