Policy Number: 12-020
Mobile Computing and Storage Devices
Category: Information Technology
Responsible Executive: Vice President and Chief Information Officer
1. Purpose
To ensure secure, reliable, and accountable use of mobile computing and storage devices with University of Florida Restricted Data. This policy establishes unified management, and formally assigns roles and responsibilities for these devices.
2. Applicability
This policy applies to all mobile computing and storage devices used by the University of Florida constituency in the performance of their duties, and to all University of Florida Restricted Data when accessed through, or stored on, mobile computing and storage devices, regardless of the device’s ownership. University of Florida Restricted Data may not be released for storage on, or access through, devices that do not meet these requirements.
3. Definitions
Mobile Computing Devices means small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:
- Laptop, notebook, netbook and similar portable personal computers
- Smartphones and PDAs (Android, Blackberry, iPhone, and others)
Mobile Storage Devices means media that can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:
- Magnetic storage devices (diskettes, tapes, USB hard drives).
- Optical storage devices (CDs, DVDs, magneto-optical disks).
- Memory storage devices (SD cards, thumb drives, etc).
- Portable devices that make nonvolatile storage available for user files (cameras, MP3 and other music players, audio recorders, smart watches, cell phones).
Restricted Data means data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export controlled technical data.
4. Policy Statement
All mobile computing and storage devices that access the University of Florida Intranet and/or store University of Florida Restricted data must be compliant with University of Florida Information Security Policies and Standards.
- Restricted Data stored on mobile computing and storage devices must be encrypted.
- Any and all mobile computing devices used within the University of Florida information and computing environments must meet all applicable UF encryption standards. Mobile computing devices purchased with University of Florida funds, including, but not limited to contracts, grants, and gifts, must also be recorded in the unit’s information assets inventory.
- University of Florida information security policies applicable to desktop or workstation computers apply to mobile computing devices.
Additional Resources
Mobile Computing and Storage Devices Standard
Standard Number: SEC-TS-05.01
Standard Family: Information Security
Standard Category: Technical Security
Purpose
To establish standards for the use of mobile computing and storage devices, and to specify minimum configuration requirements for them at the University of Florida consistent with the Mobile Computing and Storage Devices Policy.
Standard
All mobile computing and storage devices that access, store, process or transmit University Data, regardless of ownership, must be compliant with University of Florida Information Security Policies and Standards.
- Encryption of data
- a) All persistent storage within mobile computing devices will be encrypted
- i) The encryption passphrase will meet or exceed University of Florida password strength roles, must not be shared, and not stored in a visible or plaintext form on or with the device. Small portable computing devices where keyboard entry is cumbersome (ex. Smartphones) may use reduced password complexity if the device is configured to allow no more than 10 failed password entry attempts before preventing use by locking for a significant amount of time or erasing all storage.
- ii) The encryption system will include a management component that provides key recovery and proof that the device is encrypted.
- iii) Whenever possible, devices will include the ability to remotely wipe stored data in the event the device is lost or stolen.
- b) All portable storage devices must be fully encrypted. The following exceptions apply:
- i) Specific uses where no Restricted Data will be stored and encryption would interfere with the device’s intended use. Devices used in this way must be clearly marked as not for use with Restricted Data.
- ii) Specific uses in which devices are used for marketing and public relations, no Restricted Data will be stored, and the intended recipient is not a member of the UF Community. Devices used in this way must be clearly marked as not for use with Restricted Data.
- c) The encryption and key management methods used must have the approval of the UF Chief Information Security Officer or designee.
- d) Restricted Data must be protected by encryption during transmission over any wireless network and any non-University of Florida
- a) All persistent storage within mobile computing devices will be encrypted
- Authentication
- a) The portable computing device must be configured to require a strong password of its user and administrator, consistent with or exceeding UF password complexity requirements. Small portable computing devices where keyboard entry is cumbersome (ex. Smartphones) may use reduced password complexity if the device is configured to allow no more than 10 failed password entry attempts before preventing use by locking for a significant amount of time or erasing all storage.
- b) The portable computing device must be configured with an inactivity timeout of not more than 30 minutes, which requires re-authentication before use. Shorter timeout durations should be implemented when appropriate based on risk and usage.
- Disposal
- Disposal of mobile computing and storage devices must be in compliance with the University of Florida Information Security IT Worker Reuse and Disposal Standards.
- Backup
- Users must maintain a backup or copy of data needed for UF activities, including research, teaching and business processes, when UF data are stored on a mobile computing or storage device.
- Physical Security
- a) The mobile computing device must have a durable physical or electronic label with contact information sufficient to facilitate an expedient return in the event that a lost device is found.
- b) Mobile computing and storage devices must be used and stored in a manner that deters theft.
- c) Devices should use tracking and recovery software to facilitate return if lost or stolen.
Standard References
NIST Special Publication 800-53 revision 3: AC-19
SEC-AC-002.02 Password Complexity Standard
SEC-TS-05 Mobile Computing and Storage Devices Policy
IT Worker Reuse and Disposal Standards
Standard Revisions
March 1, 2013: Original
March 10, 2015: Removed deadlines for encryption, consolidated encryption requirements, minor clarifications.
August 7, 2024: Administrative Revision
More Information
History
Policy History: New 3-1-2013, Administrative Revision 8-7-2024