Use of University Mobile Devices, Personal Devices, and Accounts Policy
Created March 23, 2021
.010 Policy Statement
The purpose of this policy is to define the controls when using mobile devices. It mitigates the following risks:
- Loss or theft of mobile devices, including the data on them
- Compromise of protected information, such as CUI, FERPA, or KORA, through observation by the public
- Introduction of viruses and malware to the network
- Damage to reputation
It is important that the controls set out in this policy are observed at all times in the use and transport of mobile devices.
This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of the University’s information assets, and protects the interest of the University, its customers, personnel, and business partners.
Mobile computing is an increasing part of everyday life. As devices become smaller and more powerful, the number and complexity of tasks that can be achieved away from the office grows. As the capabilities increase, so too do the risks. Security controls that have evolved to protect the static desktop environment are easily bypassed when using a mobile device outside of the confines of a building.
Mobile devices include, but are not limited to, items such as:
- Tablet devices
- Smart phones
- Smart watches
Unless specifically authorized, only mobile devices provided by Kansas State University may be used to hold or process University records. Use of personal devices may open the device/account to litigation in the case of a Kansas Open Records Request (see PPM 3060: Kansas Open Records Act).
Note: Access vs. storage on personal devices – for example accessing and viewing records through a cell phone app or web browser such as Outlook client, OneDrive client, Microsoft Teams client, etc. would not be a violation of this policy as no data is actually ‘living’ on the device. Downloading/storing data and/or records to devices or unapproved systems would be a violation of this policy.
Employees who elect to participate in the use of personal devices and accounts accept the following risks, liabilities, and disclaimers:
- At no time does the University accept liability for the maintenance, backup, or loss of data on a personal device. It is the responsibility of the equipment owner to back up all software and data to other appropriate backup storage systems before requesting assistance from IT (see PPM 3090: Retention of Records and PPM 3433: Data Classification and Security Policy).
- Persons violating this policy may also be held personally liable for resulting damages and civil or criminal charges. Kansas State University will comply with any applicable laws regarding data loss or breach notification and may also refer suspected violations of applicable laws to appropriate law enforcement agencies.
- The University shall not be liable for the loss, theft, or damage of personal devices. This includes, but is not limited to, when the device is being used for University business, on University time, or during business travel.
- Kansas State University Information Technology reserves the right to implement technology such as mobile device management to enable the removal of Kansas State University owned data.
- Personal devices are not a University-maintained space for storage, and using them does open up personal accounts to review to determine whether those accounts contain documents subject to the Kansas Open Records Act.
If an employee is required to make use of mobile equipment, the employee is provided with an appropriate device which is configured to comply with the University’s policies. Support provided by the IT Department may at times require access to the University-issued device for problem resolution and maintenance purposes. Kansas State University has implemented security measures to protect its critical information during mobile device usage. See the acceptable use policy for all University-owned devices, PPM 3420: Information Technology Usage Policy, for more information.
The following are the definitions relevant to the policy:
All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
All data owned or licensed by the University.
Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.
The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, and reviewed and approved by, the Director of Information Security, or equivalent officer.
All breaches of information security, actual or suspected, must be reported to and investigated by the Director of Information Security, or equivalent officer.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.