Policy Statement

To ensure secure, reliable, and accountable use of mobile computing and storage devices with University of Florida Restricted Data. This policy establishes unified management, and formally assigns roles and responsibilities for these devices.

Applicability

This policy applies to all mobile computing and storage devices used by the University of Florida constituency in the performance of their duties, and to all University of Florida Restricted Data when accessed through, or stored on, mobile computing and storage devices, regardless of the device’s ownership. University of Florida Restricted Data may not be released for storage on, or access through, devices that do not meet these requirements.

Definitions

  • Mobile Computing Devices:Small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:
    • Laptop, notebook, netbook and similar portable personal computers
    • Smartphones and PDAs (Android, Blackberry, iPhone, and others)
  • Mobile Storage Devices: Media that can be easily carried by a single person and provide persistent storage.  New products with these characteristics appear frequently.  Current examples include, but are not limited to, the following types of products:
    • Magnetic storage devices (diskettes, tapes, USB hard drives).
    • Optical storage devices (CDs, DVDs, magneto-optical disks).
    • Memory storage devices (SD cards, thumb drives, etc).
    • Portable devices that make nonvolatile storage available for user files (cameras, MP3 and other music players, audio recorders, smart watches, cell phones).
  • Restricted Data:Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export controlled technical data.

Policy Specifics

All mobile computing and storage devices that access the University of Florida Intranet and/or store University of Florida Restricted data must be compliant with University of Florida Information Security Policies and Standards.

  • Restricted Data stored on mobile computing and storage devices must be encrypted.
  • Any and all mobile computing devices used within the University of Florida information and computing environments must meet all applicable UF encryption standards. mobile computing devices purchased with University of Florida funds, including, but not limited to contracts, grants, and gifts, must also be recorded in the unit’s information assets inventory.
  • University of Florida information security policies applicable to desktop or workstation computers apply to mobile computing devices.

Review and Adjudication

The University of Florida Information Security and Compliance Office will establish standards to govern the secure use of all mobile computing and storage devices at the University of Florida.

  • The University of Florida Office of the Vice President and Chief Information Officer will provide guidance to assist units in complying with these requirements.
  • All University of Florida deans, directors and department chairs, in conjunction with their IT support teams, are responsible for migrating all existing uses of mobile computing and storage devices within their areas of responsibility to devices and services that are compliant with university policies and standards.
  • All members of the University of Florida constituency who are currently using personally owned mobile computing and storage devices that access the University of Florida Intranet and/or store University of Florida Restricted Data are required to bring their personal device into compliance with the University of Florida Information Security Standard for Mobile Computing and Storage Devices.
  • All members of the University of Florida constituency will report the loss or theft of a mobile computing or storage device to their departmental Information Security Manager (ISM) immediately upon detection of the loss. The UF Privacy Office must be immediately notified of theft or loss of any portable computing device or media that contains Restricted Data.

Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.

History

Revision DateDescription
March 1, 2013   Policy originally adopted
  Policy updated