Purpose

To establish standards for the use of mobile computing and storage devices, and to specify minimum configuration requirements for them at the University of Florida consistent with the Mobile Computing and Storage Devices Policy.

Standard

All mobile computing and storage devices that access, store, process or transmit University Data, regardless of ownership, must be compliant with University of Florida Information Security Policies and Standards.

  1. Encryption of data
  2. Authentication
    1. The portable computing device must be configured to require a strong password for its user and administrator, consistent with or exceeding UF password complexity requirements. Small portable computing devices where keyboard entry is cumbersome (e.g., smartphones) may use reduced password complexity if the device is configured to allow no more than 10 failed password entry attempts before preventing use by locking for a significant amount of time or erasing all storage.
    2. The portable computing device must be configured with an inactivity timeout of not more than 30 minutes, after which re-authentication is required before use. Shorter timeout durations should be implemented when appropriate based on risk and usage.
  3. Disposal
  4. Backup
    1. Users must maintain a backup or copy of data needed for UF activities, including research, teaching and business processes, when UF data are stored on a mobile computing or storage device.
  5. Physical Security

References

NIST Special Publication 800-53 revision 3: AC-19

SEC-AC-002.02 Password Complexity Standard

SEC-TS-05 Mobile Computing and Storage Devices Policy

IT Worker Reuse and Disposal Standards

Revisions

March 1, 2013: Original

March 10, 2015: Removed deadlines for encryption, consolidated encryption requirements, minor clarifications.
