Mobile Device Policy

Purpose

To reduce the cybersecurity risk to the organization, SLAM is required to design, implement, and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of audience, purpose, or how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system.

Mobile devices are a way of life, and working on the go is now common. Mobility in business terms means being able to get the job done and stay connected regardless of location, device, or time of day. Accessing business information on mobile devices exposes SLAM information to serious security risks, as portability allows access to the information outside the building, campus, or even country.

Definition

In the realm of IT security terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, is the primary reference document that SLAM uses to define common IT security terms. Key terminology to be aware of includes:

  • Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
  • CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
  • Users: SLAM staff, Board of Directors, volunteers, and contractors who have access to SLAM information systems and who are in a computer-related position of trust.
  • Systems: Information Technology systems (e.g., networks, operating systems, applications, and databases).
  • Privileged User Accounts: Those accounts granted special access rights for particular business needs pursuant to approved procedures.
  • BYOD: Bring Your Own Device. Use of a privately owned device that accesses SLAM information through email, calendaring, filesharing, virtual desktops, or cloud-based applications.
  • Mobile Device: Laptop computers, tablets, smartphones.

Policy

Mobile computing requires added security controls to protect digital information and staff. These controls can be complicated, requiring purpose-built solutions such as Mobile Device Managers (MDM) and new security process controls.

This policy provides guidelines for the safe and productive use of mobile devices by staff. It includes requirements for Users and requirements for the IT group responsible for supporting and administering mobile devices.

SLAM may issue mobile devices to Users on occasion for organization-related initiatives. The mobile devices are for the SLAM-related initiatives for which they are authorized. These devices are the property of the Saint Louis Art Museum and may be revoked at any time.

Receiving a SLAM-issued mobile device is voluntary. Before receiving a SLAM-issued mobile device, Users must receive, read, and formally agree to comply with this policy to ensure the User is aware of the risks and requirements associated with this privilege.

The IT group must install and maintain a Mobile Device Management (MDM) solution on SLAM-issued mobile devices. The security solution should have the ability to monitor, detect, and mitigate security issues on the remote device. Capabilities should include remote wipe in the event the device is lost, stolen, or revoked.

Users representing SLAM online and in social media are expected to adhere to the Guidelines for Professional Practice and the Employee Handbook. The transmission of anything that could be construed as harassment of others based on their race, color, religion, national origin, sex, age, disability, pregnancy, genetic information, sexual orientation, veteran status, or other legally protected status is prohibited.

Users are expected to take reasonable precautions to guard against theft, loss, and/or damage to mobile devices. Should the device be lost, damaged, or stolen, the issue should be reported to the IT group immediately, and the User may be held responsible for repair or replacement of the device at their own expense.

Users assigned the use of SLAM-issued mobile devices do not have, nor should they expect, privacy when using the devices. The organization reserves the right to monitor, review, audit, and enter relevant accounts or revoke the device without notice. In addition, under Missouri Sunshine law, most electronic communications, including text messages, may be made public upon request.

The User understands and accepts the risk of having personal data, files, and/or applications on the SLAM-issued mobile device that could be deleted by the IT group if required to address security needs. For example, if the device is lost or stolen, the IT group may remotely wipe the device to protect SLAM systems and information.

SLAM reserves the right to utilize geolocation services to locate the device for security or administration needs.

All authorized mobile devices must comply with the following requirements:

  • Devices must be secured using a PIN or other password protection.
  • Automatic lockout must be enabled for 5 or fewer minutes of inactivity.
  • Software version must be kept up to date.
  • If you lose it or it's stolen, report it immediately.
  • Don't connect to public Wi-Fi networks.
  • Back up your device.

Approval and Ownership

Owner | Title | Date
Phillip Deleel | IT Director | 03/29/2021

Approved By | Title | Date
Carolyn Schmidt | Deputy Director/Controller | 05/13/2021

Revision History

Version | Description | Revision Date | Review Date | Reviewer / Approver Name
1 | Final | 03/29/2021 | 05/13/2021 | Carolyn Schmidt
2 | Final | 10/03/2022 | 10/03/2022 | Phillip Deleel
3 | Review | | 9/1/2023 | Phillip Deleel
4 | Review | | 11/1/2024 | Phillip Deleel