
Mobile Device Security and Usage Guideline





Overview

This document describes the security guidelines that Computing Services has developed for mobile devices. Like desktop computers, mobile devices (such as BlackBerry devices, PDAs, and laptop computers) must be appropriately secured to prevent sensitive data from being lost or compromised, reduce the risk of spreading viruses, and mitigate other forms of abuse of Carnegie Mellon’s computing infrastructure.

Applies to

This guideline applies to all campus affiliates. This includes students, faculty and staff members as well as guest account holders.

Purpose of the Guideline

The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to mobile devices.

This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.

Guideline Statement

In order to secure information stored in a mobile device, the campus community should adhere to some general "best practices" when using mobile devices. Additional measures may be possible and appropriate for securing your specific device.

User Responsibilities and Procedures

Password-protect your mobile device: Physical security is a major concern for mobile devices, which tend to be small and easily lost or misplaced. If your mobile device is lost or stolen, a device password may be all that stands in the way of someone reading your email and other sensitive data.

  • Choose a strong password. The security of your system is only as strong as the password you select to protect it. Review ISO guidelines for selecting a secure password.
  • It may be difficult to type especially complex passwords on the small keypad of some devices, but it is important that you try to choose a strong, effective password that is not easily guessed. See the Managing Your Andrew Password [PDF] document for tips on selecting the best possible password.

Use antivirus software: Mobile devices can be just as susceptible to viruses as desktop computers. This is new terrain for hackers, but industry analysts expect viruses, Trojans, spam, and all manner of scams to grow as the mobile device market grows. A couple of examples encountered to date include the 911 virus, which caused 13 million i-mode users to automatically place a call to Japan’s emergency phone number, and PalmOS/LibertyCrack, a known Trojan horse that can delete all applications on a Palm PDA.

A number of vendors offer antivirus and anti-spam solutions. Airscanner, F-Secure, and Trend Mobile are a few examples.

Promptly report a lost or stolen device: In some cases, as in the case of Carnegie Mellon’s BlackBerry service, a device can be remotely deactivated, thus preventing email or other sensitive data from being exposed. Understand what options are available to you and exercise them promptly when necessary. Additionally, consider documenting the serial number of your device and/or engraving it.

Verify encryption mechanisms: Your accounts and passwords should never travel unencrypted over a wireless network. Wireless network traffic can be easily sniffed. Therefore, any sensitive data, especially login information, should always be encrypted. Carnegie Mellon’s VPN service provides encryption for some device types.

Sensitive documents, if stored on the device, should be encrypted if possible (keeping in mind that some devices encrypt stored documents by default).

Disable options and applications that you don't use: Reduce security risk by limiting your device to only necessary applications and services. You won't need to manage security updates for applications you don't use and you may even conserve device resources like battery life. Bluetooth and IR are two examples of services that can open your device to unwelcome access if improperly configured.

Regularly back up data: Be sure to have a backup copy of any necessary data in case your mobile device is lost or damaged. Consider using multiple backup mechanisms and, if you travel, have a portable backup device that you can take with you.

Follow safe disposal practices: When you are ready to dispose of your device, be sure to remove all sensitive information first. Some services, like Computing Services' BlackBerry service, can help by remotely clearing the device.

Other Precautions: Keep power to your device. If it loses power, all stored information may be erased.

Revision History

Guideline Modified: October 18, 2005
Guideline Established: March 1, 2005