Mobile Device Security
An increasing number of Kansas State University students and faculty are taking advantage of
wireless networks around not only campus but Manhattan's hotspots and beyond. As a result more
of us are using mobile devices to do our computing. Something that we always need to keep in mind
when using these devices is that their blessing is also their curse.
The fact that we can pick up our laptop computers, iPods, Internet enabled mobile phones and
PDAs and carry them around with us also leaves the door open for thieves to take them
while we aren't paying attention. To that end the guidelines below were devised to help all
K-Staters have some tips to keeping their mobile devices from being carried away.
In addition to the physical security of these mobile devices we also need to be sure that we are
keeping the data secure on them. The links below will provide you some additional tips on how
to do that as well.
Guidelines for Kansas State University
By the Security Incident Response Team (SIRT)
Effective Date: January 16, 2007
These guidelines reflect best practices for securing mobile devices, such as laptop computers,
and sensitive information stored on those devices. They were developed by a SIRT committee and
reviewed by the Information Resource Management Council (IRMC) during fall 2006 and provide interim
guidance to K-State faculty, staff, and students while more comprehensive data classification and
security policies and standards are developed.
The major recommendations are:
- Sensitive information, to the greatest extent possible, should not be stored on mobile devices.
- Sensitive information, if stored on mobile devices, should be:
a. Securely encrypted.
b. A copy -- not the only instance of the data.
- Sensitive information should always be transmitted in a securely encrypted format.
- Portable devices and storage media with sensitive information should be destroyed or erased so there
is no possibility of subsequent data recovery.
Numerous security breaches have been reported in 2006, many involving laptops, and many involving
sensitive data held by universities (see http://www.privacyrights.org/ar/ChronDataBreaches.htm). One of the most egregious occurrences was
the May 2006 theft of a U.S. Department of Veterans Affairs laptop containing names, Social Security
numbers, and dates of birth of 26.5 million veterans and 2.1 million active and reserve service members.
Estimates of the number of laptop computers stolen in the U.S. annually range from 600,000 to 750,000
per year and the FBI says 97 percent of those stolen laptops are never recovered.
Mobile devices capable of storing or accessing huge quantities of data are now ubiquitous -- most
students, faculty, and staff personally own and use portable data storage devices daily. This unprecedented
proliferation implies that almost anyone with access to sensitive data could copy that data to a mobile
device and thereby expose sensitive data to additional risks such as theft, loss, unauthorized access,
or unintended disclosure.
Compromises of sensitive data can have very serious consequences, such as:
- Criminal, civil, or administrative penalties
- Loss of external funding
- Costs of notifying affected parties
- Costs of remediation for losses, identity theft
- Damaged reputation and loss of public confidence
Furthermore, state law went into effect in Kansas on January 1, 2007, that requires notification of
victims in the event of a security breach or suspected breach of personal identity information (http://www.kslegislature.org/bills/2006/196.pdf).
Consequently, Kansas State University has developed these guidelines to help faculty, staff, and students protect sensitive
information on mobile devices.
Sensitive information: information whose use is governed by local, state, or federal regulatory control or
information that has been deemed non-public, classified, or restricted by the University. Examples of sensitive information
include, but are not limited to:
- Student information governed by the federal Family Educational Rights and Privacy Act (FERPA - see http://www.k-state.edu/registrar/ferpa/index.htm)
- Protected health information as defined by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Financial information (governed by the Gramm-Leach-Bliley Act, for example)
- Documents or email relating to student, staff or faculty disciplinary proceedings
- Personnel records
- Information covered by confidentiality or non-disclosure agreements
For simplicity, the terms sensitive information and sensitive data will be used interchangeably.
Mobile device: any electronic device that is portable and contains or has the ability to contain sensitive information
or provides the ability to access or transmit sensitive information. Examples of mobile devices include, but are not limited to:
- Laptop or tablet PCs
- Personal digital assistants (PDAs) like various Palm models, the HP iPAQ, etc.
- "smart" phones such as the RIM BlackBerry or Palm Treo
- Portable storage media such as USB flash drives, or SD or CompactFlash memory cards
- Any peripherals connected to a mobile device that may contain sensitive information or allow access to sensitive information,
like an external USB hard drive
- Tape, floppy disks, Zip disks and other traditional storage media
Encryption: the process of obscuring information to make it unreadable (i.e., "scrambling" the information) without
special knowledge. That special knowledge is often a "key" that is used to decrypt the information so it can be read. One might
think of the key as a password used to gain access to the protected information, although that is not technically accurate.
Risks to sensitive information fall into three broad categories:
- Confidentiality -- disclosure to anyone not authorized to access the data.
- Integrity -- corruption of the data by, for example, unauthorized malicious or accidental changes.
- Availability -- making the data unavailable for its intended use. Examples include partially or fully deleting it,
maliciously encrypting it, or preventing access by a denial-of-service attack.
Due to these risks, mobile devices should be considered insecure and therefore require protection according to the following
Notification of a security breach
State law in Kansas requires prompt investigation and subsequent notification of victims should personal identity information
be involved in a security breach, or if it was "reasonably likely" to have been involved in the breach. You must notify
the appropriate security/network administrator and the K-State IT Security Officer
(email@example.com) immediately if a mobile device containing sensitive information
for which K-State has responsibility is lost, stolen, or compromised in any manner. This notification needs to occur even if you
are not completely sure there was a breach, and even if you think the device may only be temporarily misplaced and will show up soon.
This is necessary for compliance with state law and to provide appropriate stewardship for data entrusted to our care.
- Storing Sensitive Information: To the greatest extent possible,
sensitive information should not be stored on or accessed from mobile devices. This simple rule will do much
to reduce risk.
- Data Encryption: If sensitive information must
reside on a mobile device, it should be encrypted. The decryption key should be entered manually; this step
should not be automated. A means should exist to recover encrypted data when the decryption key is lost.
- Multiple Copies of the Data: Sensitive information
residing on mobile devices should not be the only copy. Make sure there is another copy on a more secure device
such as a server that is backed up regularly.
- Data Transmission: Any sensitive information
transmitted to or from the mobile device should be encrypted and/or transferred with asecure data transfer
utility. Use a secure connection or protocol, such as SSL, that guarantees end-to-end encryption of all data
sent or received. Devices with wireless capability pose an additional risk of unauthorized access and tampering.
These capabilities should be disabled, secured, or protected with a firewall. Note that Wireless Equivalency
Privacy (WEP) is inadequate protection for a wireless device transmitting sensitive information.
- Data Destruction: The normal process for deleting data from a hard drive, USB flash drive, cell phone memory, etc., does not
completely delete the data. Tools are readily available to easily recover deleted data, and even fragments of files, from these
devices. Even if the data is encrypted, it has to be decrypted for use and may therefore exist unknowingly in decrypted form in a
temporary file that can be recovered even after deletion. Consequently, sensitive data should be destroyed or erased so there is no
possibility of subsequent data recovery.
- Password Protection: Access to the mobile device should be protected by the use of a password that meets Kansas State University's
- Password Storage: User IDs (such as your eID) and passwords which allow access to the Kansas State University network or its systems
should never be stored in "plain text" (i.e., unencrypted so they can be easily read) on mobile devices.
- Password Automation: On mobile devices, do not automate the supplying of passwords or other security credentials needed to access
sensitive data (for example, automatically authenticating to an application or database that contains sensitive information, or
having Microsoft Windows store passwords to these systems). Likewise, any software installed on mobile devices that uses script files (a series of commands that are run
when the script file is executed) should not contain a user ID or password.
- Physical Protection: Reasonable care should be taken when using mobile devices in public places, meeting rooms, or other unprotected
areas to avoid the unauthorized access to or disclosure of the information stored on or accessed by the device. Similar precautions
should be taken when using K-State's wireless network.
- Special care should be taken in crowds, meetings, and security-screening areas to maintain control over the device. Do not let it out of your sight.
- Mobile devices owned or issued by the University should not be left unattended and, where possible, should be physically locked away or secured.
- Mobile devices should be transported as carry-on luggage whenever traveling by commercial carrier unless the carrier requires otherwise.
- All mobile devices should be kept out of sight and covered when stored in a locked vehicle.
- All University-owned mobile devices should be permanently marked as University property and indicate a method of return in case the device is lost.
- Virus Protection: Any mobile device capable of using antivirus software should have the software installed and configured to
provide real-time protection and maintain updated virus signatures. The antivirus software should meet Kansas State University's
antivirus requirements (see the section "Protection From Malicious Software and Intrusions" in
- Security Updates: A procedure should be established and implemented to ensure that all security patches and updates relevant
to the device or installed applications are promptly applied. The patching process should be automated whenever possible. The system
should be rebooted immediately after patching if required for the patch to take effect.
- Firewall Protection: Whenever available for a mobile device, firewall software should be installed and used. Microsoft
Windows, Apple Mac OS X, and Linux operating systems all have built-in firewall software that meets this guideline. Trend Micro
OfficeScan security software also includes a firewall.
- Disabling Unused Services: Any services on the mobile device that are not needed, especially those that involve communications
like 802.11 wireless, infrared, Bluetooth, remote access, FTP, or other connection functions, should be turned off.
- Termination of University Relationship: All University-owned mobile devices should be returned to Kansas State University
immediately upon termination of the assigned user's relationship with the University. If the mobile device contains sensitive
information and the device will not be re-used immediately by someone authorized to access the information, the sensitive information
should be removed in a manner that prevents recovery.
- Mobile Device Sanitization: Mobile devices and other electronic equipment that contain or access sensitive information, or
have been used to access sensitive information in the past, should be processed to ensure all data is permanently removed in a manner
that prevents recovery before they are disposed of as surplus equipment or returned to the vendor.
- Tracking Software: All University-owned laptop computers containing sensitive information should use tracking and recovery
software, such as "Computrace" by Absolute Software Corp. (www.absolute.com), to aid in the recovery of the laptop if it is stolen
or lost. Even laptops that do not contain sensitive information should consider using tracking software.
- Notification of Security Breach: See the section "Notification of a Security Breach" above.
Communication and Education
Implementing effective mobile device security guidelines requires regular training and communication with the users. Educating
users about best practices for protecting the devices and the information they hold can help reduce risks dramatically.
At a minimum, user education programs and policies should:
- Give users some accountability. Users should know the reasons they need to follow agency policies and guidelines,
not circumvent or ignore security policies, and observe common sense precautions. Users should be made aware that failure
to follow University policies may result in disciplinary action.
- Make it clear what is at stake, including the user's own information. Losing a device with sensitive information on it can
lead to liability issues, damage the University's reputation, and create other security hazards. Many users also store personal
information, such as credit card numbers, on mobile devices, which provides additional incentive to protect the information.
Losing a laptop or even a PDA can be extremely disruptive.
- Give users the necessary tools and instruction for securing the devices. Make certain that tools are available and easy to use.
For example, passwords and other authentication mechanisms should be easy to configure and use; encryption, if needed, should occur
without unnecessary user intervention or decision-making.
- Raise awareness by demonstrating real security risks. Training sessions should show users how susceptible mobile devices are to
theft and loss, and the steps they can take to reduce risks. Real-world examples should be used to illustrate risk.
- Notify users of any changes to the policies, guidelines, IT provisioning, and support.
Any questions or comments about these guidelines should be directed to your
IT support staff, the IT Help Desk, or the K-State IT Security Officer.