Mobile Device Security and Usage Guideline
This document describes the security guidelines that Computing Services has developed for mobile devices. Like desktop computers, mobile devices (such as iPads, Android tablets, mobile phones, PDAs, and laptop computers) must be appropriately secured to prevent sensitive data from being lost or compromised, to reduce the risk of spreading viruses, and to mitigate other forms of abuse to Carnegie Mellon’s computing infrastructure.
This guideline applies to all campus affiliates. This includes students, faculty and staff members as well as guest account holders.
Purpose of the Guideline
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to mobile devices.
This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
In order to secure information stored in a mobile device, the campus community should adhere to some general "best practices" when using mobile devices. Additional measures may be possible and appropriate for securing your specific device.
User Responsibilities and Procedures
Password-protect your mobile device: Physical security is a major concern for mobile devices, which tend to be small and easily lost or misplaced. If your mobile device is lost or stolen, a device password may be all that stands in the way of someone reading your email and other sensitive data.
- Choose a strong password. The security of your system is only as strong as the password you select to protect it. Review ISO guidelines for selecting a secure password.
- It may be difficult to type especially complex passwords on the small keypad of some devices, but it is important that you try to choose a strong, effective password that is not easily guessed. See the Managing Your Password document for tips on selecting the best possible password.
Use an anti-malware app. Mobile devices can be just as susceptible to malware and viruses as desktop computers. This is new terrain for hackers, but industry analysts expect viruses, Trojans, spam, and all manner of scams to grow as the mobile device market grows. Examples encountered to date include malicious versions of well-known apps like "Angry Birds", bitcoin mining software that consumes the battery and your data plan, and malware that silently installs other apps and backdoors.
A number of vendors offer antivirus and anti-spam solutions. Avast, F-Secure, Lookout, Sophos, Symantec and Trend Mobile are a few examples of vendors that offer mobile security apps.
Encrypt your device if this is possible. Mobile devices are easier to steal and to lose. Their convenience makes it more likely that they'll be carried everywhere, put down, and lost. Your mobile device might be configured with important passwords that would enable a thief to access your e-mail, credit card information, or most importantly, CMU's institutional data.
Encryption automatically comes with the iPhone/iPad 3 and later, and Android phones/tablets that run Gingerbread 2.3.4 and later OS versions.
Promptly report a lost or stolen device: In some cases, as in the case of Carnegie Mellon’s mobile ActiveSync service, a device can be remotely deactivated, thus preventing email or other sensitive data from being exposed. Understand what options are available to you and exercise them promptly when necessary. Also, consider documenting the serial number of your device and/or engraving it.
Verify encryption mechanisms: Your accounts and passwords should never travel unencrypted over a wireless network. Wireless network traffic can be easily sniffed. Therefore, any sensitive data, especially login information, should always be encrypted. Carnegie Mellon’s VPN service provides encryption for some device types.
Sensitive documents, if stored on the device, should be encrypted if possible (keeping in mind that some devices encrypt stored documents by default).
Disable options and applications that you don't use: Reduce security risk by limiting your device to only necessary applications and services. You won't need to manage security updates for applications you don't use and you may even conserve device resources like battery life. Bluetooth and IR are two examples of services that can open your device to unwelcome access if improperly configured.
Regularly back up your data: Be sure to have a backup copy of any necessary data in case your mobile device is lost or damaged. Consider using multiple backup mechanisms and, if you travel, have a portable backup device that you can take with you.
Follow safe disposal practices: When you are ready to dispose of your device, be sure to remove all sensitive information first. Some services, like Computing Services' BlackBerry service, can help by remotely clearing the device.
Keep your operating system up-to-date: To mitigate security threats, you need to accept updates and patches to your mobile device's operating software by enabling automatic updates, or accept updates when prompted by the device manufacturer, operating system provider, service provider or application provider.
Avoid jailbreaking: Tampering with your mobile device's factory security settings makes it more susceptible to attacks, or makes it more likely that your device will attack other systems.
Verify applications before downloading: Some apps could be harmful to your mobile device, either by carrying malware or by directing you to a malicious website that may collect your sensitive information (e.g. credit card information). To protect yourself and your device, run a search about the app you plan to download to assess the legitimacy of the app and people's experience with it. Also, make sure that you download apps from a well-known trusted source.
Register the device in NetReg: Computing Services' Network Registration System (NetReg) allows you to register your mobile device under your name, which helps identify your device if it is lost or stolen and then reused on campus.