Nov 21, 2024  
Policies and Procedures Manual 
    
Policies and Procedures Manual

08:08:04 Mobile Device E-mail Security


Revision Responsibility: Executive Director of Information and Educational Technologies & Chief Information Officer
Responsible Executive Officer: Vice President for Business & Finance

Purpose

Tennessee State Code 47-18-2901 defines that the institution must have safeguards and procedures to ensure that confidential information is protected on laptops and other mobile devices. Currently, all personally assigned institutionally owned laptops have enterprise drive encryption enabled by IET when the device is received. This policy is intended to ensure the integrity of institutional data that might be stored on other mobile devices whether institutional property or personal property.


Policy

I. Definitions

  • Mobile Device: A computational device that can connect to a wired or wireless network and exchange data with institutional servers. This can include tablet computers and smart phones. Most of these devices are used to connect to the institutional email server for calendar, contact and email information.
    To view a list of compliant operating systems and devices go to http://helpdesk.ws.edu. Devices that are not compliant will be unable to access the institutional email system from the mobile device.

II. Procedures to Enforce Mobile Device Security

Any other mobile device that connects to the institutional email server must respect the current Exchange Active Sync Server requirements. These software requirements require specific security be present and active on the mobile device before communication with the server is allowed. These are:

  1. Password Requirements: The device must have a password placed on it that is of sufficient complexity to protect data resident on the device. For a mobile device, this will not be required to be the same as the users Active Directory password. The minimum size will be 4 characters and/or numbers. The password will not expire but can be changed by the user at any time.
     
  2. Idle device locking: After a period of inactivity, the device will lock and not display data. The user will be required to enter their device password before it can be used.
     
  3. Remote erasure: If a device is lost or stolen, the instituion and/or user will have the ability to erase the mobile device remotely. The owner can log in to the Outlook Web Access (OWA) web site using their Active Directory credentials and choose the option to erase the device. This will erase institutional synced data along with all other information on the device. IET will also be able to assist users with this if they are unable to successfully execute the remote erasure.

1.     User are required to notify the IET helpdesk when a device is missing or stolen

2.     IET reserves the right to initiate remote erasure upon a device when it is known to be missing, stolen, or in possession of an at-risk person

02/13; 09/17

Supplemental Information
Link to Tennessee State Code Annotated 47-18-2901: http://www.michie.com/tennessee/lpExt.dll?f=templates&eMail=Y&fn=main-h.htm&cp=tncode/17630/18746/18c4e/18c50