Mobile Device Security Standard and Safeguards

School of Engineering and Technology

This Standard applies to all School of Engineering and Technology faculty, staff, affiliates, and student-employees who choose to use a mobile computing device, regardless of who owns the device, to access, store, or manipulate institutional data. This policy will not supersede any Indiana University-developed policies.

Indiana University’s Mobile Device Security Standard, Policy IT-12.1, sets minimum standards for passcode/passphrase, encryption, and other security measures intended to protect data on mobile devices such as laptops, tablets, and smart phones. Compliance with this policy is required for any device used to "access, store, or manipulate institutional data". For example, if you use your mobile device to access your IU email, then you are subject to these security requirements.

Standard

All mobile devices used by faculty, staff, affiliates, or student-employees to access, store, or manipulate institutional data must:

  • have appropriate safeguards applied to mitigate the risk of information exposure due to loss or theft (see table below).  These safeguards may be verified at the university's discretion and promoted via technical means.
  • be reported to it-incident@iu.edu if lost, stolen, or otherwise compromised.
  • be wiped before transferring ownership (e.g. sales or trade-ins).

Required Safeguards by Device Type

Handheld mobile device (e.g. smart phone, tablet)

  • Passcode and autolock – required: minimum 4-character passcode using at least 2 unique characters, and autolock after a maximum of 15 minutes of inactivity
  • Intrusion prevention – required lockout or wipe after 10 incorrect attempts
  • Encryption – recommended if supported by device and required for all use involving IU critical data 
  • Remote wiping – recommended if supported by device

Laptop/notebook computer

  • Passcode and autolock – required: a passphrase meeting IU requirements must be used when the device boots, and the device must autolock after a maximum of 15 minutes of unattended inactivity
  • Intrusion prevention – required lockout after 25 incorrect attempts after 2 hours
  • Encryption – required, full disk

Note: Mobile devices used to access IU critical data are subject to additional safeguards:

  • Written approval from the Dean or the Institutional Review Board confirming a critical business need, and
  • Encrypting the information on the device and in transit  
  • Devices that do not support encryption must not be used to access, store, or manipulate critical information.

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.