P02.07.066. Mobile Device Security.
A. University employees and students using a laptop computer or mobile device (e.g. portable hard drives, USB flash drives, smartphones, tablets) are responsible for the university data stored, processed or transmitted via that computer or mobile device and for following the security requirements set forth in this policy and other applicable information resources policies and regulations regardless of whether that device is the property of the university or the individual.
B. The use of unprotected mobile devices to access, store, manipulate or transmit university non-public information as defined in R02.07.094 is prohibited regardless of whether or not such equipment is owned or managed by the university.
C. The chief information technology officer is responsible for coordinating with the
campuses in the development of consistent measures and business practices for ensuring the security of non-public data on mobile devices.
Reference: Alaska Statutes Chapter 45.48 Personal Information Protection Act R02.07.066. Mobile Device Security
A. Protection of Non-Public Information
1. The proper personnel within the university need to be made aware of the loss of university non-public information accessed through, stored within, manipulated by, or transmitted to, its information resources. In some instances the University has a duty to report loss of information to third parties. Therefore faculty, staff, students, affiliates, and others with access to university information resources are required to protect non-public information to which they have access and report any loss of control of that information. 2. Every user of computer equipment, including laptop computers or other mobile devices (e.g. portable hard drives, USB flash drives, smartphones, tablets) must use reasonable care to protect university non-public information, as outlined in the Regents’ Policy Chapter 02.07 – Information Resources, which details examples of non-public
information and the requirements for securing this data during transmission and at rest. 3. Protection of non-public information against physical theft or loss, electronic invasion, or unintentional exposure requires a variety of measures, including both user care and a combination of technical protections, such as authentication and encryption, working together to secure data and devices against unauthorized access.
guidance as to enabling the security measures for that equipment, particularly if the equipment being used is not university-owned or operated. Regents’ Policy Chapter 02.07 – Information Resources details requirements for securing this data during transmission and at rest.
B. Reporting Loss/Theft of Equipment or Data
Any university faculty, staff, students, affiliates, or others utilizing computer equipment, including any mobile device, to access, store, manipulate or transmit university non-public data are expected to secure that equipment at all times, including measures to protect data if the equipment is left unattended. The university does not reimburse for lost or stolen personally owned laptop computer(s) or other mobile device(s).
In the event any university-owned or managed laptop computer or mobile device is lost or stolen, the user should:
1. Immediately report the theft or loss to the respective campus support center/helpdesk and to the respective campus University Police Department or local law enforcement. 2. Contact the statewide or campus Office of Information Technology to report the
incident and provide details to the chief information security officer to facilitate a risk assessment
3. Contact the statewide or campus Risk Management Office to file the appropriate report or claim.
In the event any computer equipment or mobile device containing university non-public information is lost or stolen, even if that equipment is not university-owned or managed, or if passwords or other system access control mechanisms protecting university non-public data are lost, stolen or disclosed, or are suspected of being lost, stolen or disclosed, all users have a duty to notify the chief information security officer within the Statewide Office of Information Technology immediately.
C. Use of Personal Mobile Devices
The use of personal laptops and other mobile devices to conduct university business involving non-public data is not encouraged but is allowed when other means are not available. Any use of personal computer equipment to access, store, manipulate or transmit university non-public data shall comply with regents’ policy and university regulation.
Individuals are expected to ensure the personal computer and/or mobile device is in good order: ● The device has the latest and all necessary critical security updates installed;
● The user is using a suitable internet connection firewall (where appropriate); ● The user is using an appropriate anti-virus with up-to-date virus definitions (where appropriate);
● The user is using an appropriate anti-spyware/malware program (where appropriate) and schedule scans regularly;
appropriate action to disinfect the machine/device before its reconnection to the network.
Faculty, staff, students, affiliates, and others with access to university information resources acknowledge that utilization of any personally owned computer equipment, including laptop computers and mobile devices, to access, store manipulate, or transmit non-public university data or resources leads to a reduced expectation of privacy with respect to that equipment, and that the equipment is subject to inspection by the university in the event that equipment has been compromised or otherwise may have exposed non-public university data, or has been utilized in furtherance of a violation of regents’ policy or university regulation, or may contain evidence relevant to a determination of whether or not such compromise, exposure, or violation may have occurred. Such inspection or examination will be limited to that degree necessary to determine whether and to what extent such compromise, exposure or violation has occurred; what
safeguards were not in place or otherwise failed to prevent the occurrence; what remediation steps are appropriate; and what preventive steps will be necessary to avoid recurrence. A request for the employee to consent to the inspection of a personal device can be made by any
information resources personnel. A user unwilling to cooperate in the inspection may request an immediate review by the chief information security officer or designee, who will make the final determination whether an inspection under this section is to be conducted.
Should the chief information security officer determine that an inspection is necessary, any subsequent inspection and investigation will comply with all applicable regents’ policies, university regulations, state, and federal laws.
D. Securing Information on Mobile Devices
The CITO will coordinate the establishment of appropriate guidelines for securing mobile devices and will promulgate these as technology changes. For further information on reporting security incidents and implementing security practices see the Office of Information Technology website.
E. Encryption
Devices that do not support encryption must not be used to access, store, manipulate, or transmit non-public university information. Loss of encrypted data does not need to be reported. The loss of unencrypted university data must be reported to the CITO.
F. Additional Requirements.
In addition to appropriate information handling requirements determined by the general data classification under Regents’ Policy Chapter 02.07 – Information Resources and university regulation, sector-specific data (e.g., Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), etc.) may have additional
be required by sponsors, government agencies or other external entities. Users should check with the Statewide Office of Information Technology for assistance.
G. Requirements When Traveling Overseas
University personnel and students carrying university-issued laptops or mobile devices while traveling abroad, whether on business or for pleasure, must comply with data protection
measures in this regulation, with U.S. trade control laws, with University Regulation 10.07.035 – Export Control Licensing, and with the laws of the destination country. U.S. export control laws may prohibit or restrict such activities absent special U.S. government licenses. For current guidance on traveling abroad with a laptop or other mobile device, users should consult with the Statewide Office of Information Technology, the relevant funding agency, or institution chief information security officer.
H. Compliance
University faculty, staff, and students must understand the restrictions described here, and that failure to comply with this policy and regulation may lead to prohibition of any use of personal devices to access, store, manipulate or transmit non-public university data, or prohibition of all access to all university information resources, public or non-public, whether through personally-owned or university-personally-owned equipment, and may further result in disciplinary action as outlined in Regents’ Policy 02.07.060 – Protection and Enforcement, up to and including termination for employees and up to and including expulsion for students.
R02.07.094. Data Classification Standards: Categories
The Data Classification Categories table clarifies the nature of each data category and provides criteria for determining which classification is appropriate for a particular set of data. When using this table, a positive response for the most restrictive (highest risk) category in any row is sufficient to place that set of data into that category.
Data Classification Categories
Class Restricted Internal Use Public
Legal Requirements Protection of data is required by law or best practices
UA has best practice (due care) reasons to protect data
Data approved for general access by appropriate UA authority
Risk level High Medium Low
Consequences of Exposure
The University’s
reputation is tarnished by public reports of its failures to protect restricted records of students, employees, clients, or research. Such failure may subject the University to litigation.
Data is disclosed unnecessarily or in an untimely fashion, which causes harm to UA business interests or to the personal interests of an individual.
Examples of Specific Data
● HIPAA ● FERPA
● Research – EAR, export controls, ITAR, TCP, safeguarding confidential information ● Information required to be protected by contract ● Human subjects identifiable research data ● Trade secrets, intellectual property and/or proprietary research ● Attorney/client privileged records ● Payment Card Industry ● University banking records ● Restricted police records ● Computer account passwords ● Gramm-Leach-Bliley ● Certain affirmative action related data ● Alaska Personal Information Protection Act ● Library records confidentiality ● Employee Internet usage ● Specific technical security measures ● UA employee business-related email (including student employees, but only their work-related email)
● Location of assets ● Faculty promotion, tenure, evaluations ● Supporting documents for UA business functions ● Public research
● Supporting documents for UA business functions ● Aggregate human subjects research data ● Animal research ● Proposal records ● Campus promotional material ● Annual reports ● Press statements ● Job titles ● Job descriptions ● Employee work phone numbers (with special exceptions)
● University of Alaska business records ● Employee work locations (with special exceptions)
