Mobile device security
An increasing number of K-State students and faculty are taking advantage of wireless networks, not only around campus but at Manhattan's hotspots and beyond. As a result, more of us are using mobile devices to do our computing.
The fact that we can pick up our laptops, tablets, and mobile devices and carry them around with us also leaves the door open for thieves to take them when we aren't paying attention. The guidelines below were devised to give all K-Staters some tips for keeping their mobile devices from being carried away.
In addition to the physical security of these mobile devices, we also need to be sure that we are keeping the data on them secure. The links below will provide you with some additional tips on how to do that as well.
Guidelines for K-State
These guidelines reflect best practices for securing mobile devices, such as laptop computers, and sensitive information stored on those devices. They were reviewed by the Information Resource Management Council (IRMC) and provide interim guidance to K-State faculty, staff, and students while more comprehensive data classification and security policies and standards are developed.
The major recommendations are:
- Sensitive information, to the greatest extent possible, should not be stored on mobile devices.
- Sensitive information, if stored on mobile devices, should be:
  - Securely encrypted
  - A copy -- not the only instance of the data
- Sensitive information should always be transmitted in a securely encrypted format.
- Portable devices and storage media with sensitive information should be destroyed or erased so there is no possibility of subsequent data recovery.
Numerous security breaches are reported, many involving laptops, and many involving sensitive data held by universities. For more information see the Privacy Rights Clearinghouse's Data Breaches page.
Mobile devices capable of storing or accessing huge quantities of data are now ubiquitous -- most students, faculty, and staff personally own and use portable data storage devices daily. This unprecedented proliferation implies that almost anyone with access to sensitive data could copy that data to a mobile device and thereby expose sensitive data to additional risks such as theft, loss, unauthorized access, or unintended disclosure.
Compromises of sensitive data can have very serious consequences, such as:
- Criminal, civil, or administrative penalties
- Loss of external funding
- Costs of notifying affected parties
- Costs of remediation for losses, identity theft
- Damaged reputation and loss of public confidence
Furthermore, Kansas state law requires notification of victims in the event of a security breach or suspected breach of personal identity information.
Consequently, Kansas State University has developed these guidelines to help faculty, staff, and students protect sensitive information on mobile devices.
- Sensitive information: Information whose use is governed by local, state, or federal regulatory control or information that has been deemed non-public, classified, or restricted by the University. Examples of sensitive information include, but are not limited to:
  - Student information governed by the federal Family Educational Rights and Privacy Act (FERPA). See K-State's Student Confidentiality page for more information.
  - Protected health information as defined by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996
  - Financial information (governed by the Gramm-Leach-Bliley Act, for example)
  - Documents or email relating to student, staff or faculty disciplinary proceedings
  - Personnel records
  - Information covered by confidentiality or non-disclosure agreements
For simplicity, the terms sensitive information and sensitive data will be used interchangeably.
- Mobile device: Any electronic device that is portable and contains or has the ability to contain sensitive information or provides the ability to access or transmit sensitive information. Examples of mobile devices include, but are not limited to:
  - Laptop or tablet PCs
  - Smart phones such as an iPhone or Android device
  - Portable storage media such as USB flash drives, or SD or CompactFlash memory cards
  - Any peripherals connected to a mobile device that may contain sensitive information or allow access to sensitive information, like an external USB hard drive
  - Tape, floppy disks, Zip disks and other traditional storage media
- Encryption: The process of obscuring information to make it unreadable (i.e., "scrambling" the information) without special knowledge. That special knowledge is often a "key" that is used to decrypt the information so it can be read. One might think of the key as a password used to gain access to the protected information, although that is not technically accurate.
Risks to sensitive information fall into three broad categories:
- Confidentiality -- disclosure to anyone not authorized to access the data.
- Integrity -- corruption of the data by, for example, unauthorized malicious or accidental changes.
- Availability -- making the data unavailable for its intended use. Examples include partially or fully deleting it, maliciously encrypting it, or preventing access by a denial-of-service attack.
Due to these risks, mobile devices should be considered insecure and therefore require protection according to the following guidelines:
- Storing Sensitive Information: To the greatest extent possible, sensitive information should not be stored on or accessed from mobile devices. This simple rule will do much to reduce risk.
- Data Encryption: If sensitive information must reside on a mobile device, it should be encrypted. The decryption key should be entered manually; this step should not be automated. A means should exist to recover encrypted data when the decryption key is lost.
- Multiple Copies of the Data: Sensitive information residing on mobile devices should not be the only copy. Make sure there is another copy on a more secure device such as a server that is backed up regularly.
- Data Transmission: Any sensitive information transmitted to or from the mobile device should be encrypted and/or transferred with a secure data transfer utility. Use a secure connection or protocol, such as SSL, that guarantees end-to-end encryption of all data sent or received. Devices with wireless capability pose an additional risk of unauthorized access and tampering. These capabilities should be disabled, secured, or protected with a firewall. Note that Wireless Equivalency Privacy (WEP) is inadequate protection for a wireless device transmitting sensitive information.
- Data Destruction: The normal process for deleting data from a hard drive, USB flash drive, cell phone memory, etc., does not completely delete the data. Tools are readily available to easily recover deleted data, and even fragments of files, from these devices. Even if the data is encrypted, it has to be decrypted for use and may therefore exist unknowingly in decrypted form in a temporary file that can be recovered even after deletion. Consequently, sensitive data should be destroyed or erased so there is no possibility of subsequent data recovery.
- Password Protection: Access to the mobile device should be protected by the use of a password that meets K-State's Security for Information, Computing and Network Resources policy requirements.
- Password Storage: User IDs (such as your eID) and passwords which allow access to the Kansas State University network or its systems should never be stored in "plain text" (i.e., unencrypted so they can be easily read) on mobile devices.
- Password Automation: On mobile devices, do not automate the supplying of passwords or other security credentials needed to access sensitive data (for example, automatically authenticating to an application or database that contains sensitive information, or having Microsoft Windows store passwords to these systems). Likewise, any software installed on mobile devices that uses script files (a series of commands that are run when the script file is executed) should not contain a user ID or password.
- Physical Protection: Reasonable care should be taken when using mobile devices in public places, meeting rooms, or other unprotected areas to avoid the unauthorized access to or disclosure of the information stored on or accessed by the device. Similar precautions should be taken when using K-State's wireless network.
  - Special care should be taken in crowds, meetings, and security-screening areas to maintain control over the device. Do not let it out of your sight.
  - Mobile devices owned or issued by the University should not be left unattended and, where possible, should be physically locked away or secured.
  - Mobile devices should be transported as carry-on luggage whenever traveling by commercial carrier unless the carrier requires otherwise.
  - All mobile devices should be kept out of sight and covered when stored in a locked vehicle.
  - All University-owned mobile devices should be permanently marked as University property and indicate a method of return in case the device is lost.
- Virus Protection: Any mobile device capable of using antivirus software should have the software installed and configured to provide real-time protection and maintain updated virus signatures. The antivirus software should meet K-State's antivirus requirements. See the Protection From Malicious Software and Intrusions section in K-State's Security for Information, Computing and Network Resources policy.
- Security Updates: A procedure should be established and implemented to ensure that all security patches and updates relevant to the device or installed applications are promptly applied. The patching process should be automated whenever possible. The system should be rebooted immediately after patching if required for the patch to take effect.
- Firewall Protection: Whenever available for a mobile device, firewall software should be installed and used. Microsoft Windows, Apple Mac OS X, and Linux operating systems all have built-in firewall software that meets this guideline. Trend Micro OfficeScan security software also includes a firewall.
- Disabling Unused Services: Any services on the mobile device that are not needed, especially those that involve communications like 802.11 wireless, infrared, Bluetooth, remote access, FTP, or other connection functions, should be turned off.
- Termination of University Relationship: All University-owned mobile devices should be returned to Kansas State University immediately upon termination of the assigned user's relationship with the University. If the mobile device contains sensitive information and the device will not be re-used immediately by someone authorized to access the information, the sensitive information should be removed in a manner that prevents recovery.
- Mobile Device Sanitization: Mobile devices and other electronic equipment that contain or access sensitive information, or have been used to access sensitive information in the past, should be processed to ensure all data is permanently removed in a manner that prevents recovery before they are disposed of as surplus equipment or returned to the vendor.
- Tracking Software: All University-owned laptop computers containing sensitive information should use tracking and recovery software, such as "Computrace" by Absolute Software Corp. (www.absolute.com), to aid in the recovery of the laptop if it is stolen or lost. Tracking software should be considered even for laptops that do not contain sensitive information.
- Notification of Security Breach: State law in Kansas requires prompt investigation and subsequent notification of victims should personal identity information be involved in a security breach, or if it was "reasonably likely" to have been involved in the breach.
You must notify the appropriate security/network administrator and the K-State IT Security Officer (firstname.lastname@example.org) immediately if a mobile device containing sensitive information for which K-State has responsibility is lost, stolen, or compromised in any manner.
This notification needs to occur even if you are not completely sure there was a breach, and even if you think the device may only be temporarily misplaced and will show up soon. This is necessary for compliance with state law and to provide appropriate stewardship for data entrusted to our care.
Communication and Education
Implementing effective mobile device security guidelines requires regular training and communication with the users. Educating users about best practices for protecting the devices and the information they hold can help reduce risks dramatically.
At a minimum, user education programs and policies should:
- Give users some accountability. Users should know the reasons they need to follow agency policies and guidelines, not circumvent or ignore security policies, and observe common sense precautions. Users should be made aware that failure to follow University policies may result in disciplinary action.
- Make it clear what is at stake, including the user's own information. Losing a device with sensitive information on it can lead to liability issues, damage the University's reputation, and create other security hazards. Many users also store personal information, such as credit card numbers, on mobile devices, which provides additional incentive to protect the information. Losing a laptop or even a PDA can be extremely disruptive.
- Give users the necessary tools and instruction for securing the devices. Make certain that tools are available and easy to use. For example, passwords and other authentication mechanisms should be easy to configure and use; encryption, if needed, should occur without unnecessary user intervention or decision-making.
- Raise awareness by demonstrating real security risks. Training sessions should show users how susceptible mobile devices are to theft and loss, and the steps they can take to reduce risks. Real-world examples should be used to illustrate risk.
- Notify users of any changes to the policies, guidelines, IT provisioning, and support.
Any questions or comments about these guidelines should be directed to IT support staff, the IT Help Desk, or the K-State IT Security Officer:
Chief Information Security Officer