Acceptable Use-Personal Device

Policy: 

Purpose, Scope, and Responsibilities 

In general, it is strongly recommended that employees use equipment owned and managed by Clarkson College to perform college-related work. The exception would be for adjunct faculty and casual employees who are not provided a college-issued device.  

Personally owned computing devices are increasingly being used to access College technology resources and/or store College data. A security breach when using a personal device could result in loss or compromise of College data, damage and/or unauthorized access to College technology resources, and/or financial harm to the College. 

The purpose of this standard is to establish minimum security requirements and expectations for personally owned devices that connect to College technology resources and/or access College data. This standard does not apply to College-owned devices.  

Individuals who elect to utilize a personal device, including but not limited to smartphones, tablets, laptops, notebooks, and netbooks, to access College technology resources are responsible for the following: 

  • Abiding by the requirements identified within this document; 
  • Configuring personal device(s) to be able to connect to College technology resources; 
  • Any damages and criminal and/or civil charges resulting from the activities conducted on their personal device while connected to a College technology resource; and, 
  • All transactions made under their authentication to a College technology resource. 

The College is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices, including loss, theft, or damage.

The Chief Information Security Officer (“CISO”) is responsible for the implementation and enforcement of this standard. Information Technology (“IT”) is responsible for Clarkson College authentication systems, verifying authentication credentials provided, troubleshooting authentication issues, and performing vulnerability scans of the campus network. IT is not responsible for configuring the use of personal devices to connect to Clarkson College technology resources.

Procedure: 

Personal Device Use 

Individuals who elect to utilize a personal device to access Clarkson College technology resources, whether for personal use, Clarkson College business, on Clarkson College time, or during business travel, must: 

  • Abide by the College Computing Policy (IT-2); 
  • Maintain and back up the personal data stored on the device; 
  • Ensure the physical security of the device to prevent loss, theft, and/or damage; 
  • Report lost or stolen devices that contained College Data to their supervisor and IT; and, 
  • Ensure the device meets the security requirements identified within Section 3 of this document. 

A personally owned device must never disrupt the use or function of the campus network and/or the College information system to which it is connected. The College will ban or prevent any device from accessing the campus network that continually causes disruptions to College technology resources. 

Personally owned devices must never be used as a College server or networking device, including use as a router or hotspot to connect other College technology resources physically connected to the campus network. 

Personally owned devices must never be used to circumvent security controls put in place by IT. 

Device Security 

To prevent others from obtaining unauthorized access, the device must remain under the owner’s Effective Control at all times. 

All devices that connect to College technology resources and/or access College data must meet the following security requirements: 

  • Employ an active form of access protection such as a passcode, passphrase, facial recognition, or fingerprint;
  • Passwords/passphrases must meet the minimum requirements: 
    • Devices that accept multiple-character passwords: 
      • Must contain at least 16 characters. 
      • Characters must be a mixed case of letters, numbers, and symbols (consider using 4-7 random words). 
      • Must be unique and used for only one account. 
    • Devices that only accept a PIN code: 
      • Must have at least a 6-digit PIN.
  • Have anti-virus software installed and running real-time scanning, and/or scan the device regularly to prevent, detect, and remove malware;
  • Be configured to lock or log out and require a user to re-authenticate if left unattended for more than 5 minutes. Devices that do not support this capability must be secured alternatively, such as restricting access in a locked room; 
  • Run a supported operating system that is patched and updated regularly; 
  • Be configured to allow the owner to remote wipe in the event the device is lost or stolen; and, 
  • Support encryption and have it enabled. 

Devices that are jailbroken, rooted, or have been subject to any other method of changing built-in protections must not be used to access College technology resources.

The device must support WPA3 and AES. 

Conducting College Business 

Pursuant to the Computing Policy (IT-2) and Risk Classification Guide, the College provides the use of College technology resources, including devices, which must be used by authorized Individuals as the primary means to create, store, send, or receive College data.

  • De minimis use of personally owned devices is permitted to access College data and/or conduct College business provided the device meets the security requirements identified within Section 3 of this Standard. 
  • Use of a personal device as the primary means to create, store, send, or receive College data is prohibited. 

Employees who access sensitive data for their job must primarily use a College Device. If a College Device is not available, a personally owned device may be used only if it has been pre-approved by the CISO and is utilizing an approved College remote access solution to access sensitive data.  

Software licensed to the College must never be downloaded to a personally owned device unless specifically permitted by the license (e.g., Microsoft Office). 

College data stored on a personally owned device is subject to document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders), and must be produced upon the request of the College. 

The College may at any time request the return and/or deletion of any College data stored on a personally owned device.

Any College data downloaded to a personally owned device must be destroyed, removed, or returned to the College once the individual: 

  • Is no longer employed by the College; 
  • No longer requires access to the College data due to changing job responsibilities; or, 
  • Is no longer the owner or primary user of the device. 

Exceptions 

Antivirus software is not required on mobile devices such as cell phones and tablet computers. 

Definitions 

  • “Authentication” means verifying the identity of a user, process, or device to allow access to a College Technology Resource. 
  • “Effective Control” means when a traveler either retains physical possession of the device or secures the device in an environment such as a hotel safe, a bonded warehouse, or a locked and guarded exhibition facility. 
  • “Jailbroken” means the process of modifying an iOS device, such as an iPhone or iPad, to bypass restrictions imposed by Apple to allow the owner to modify the operating system, install non-approved applications, and grant the user elevated administration-level privileges. 
  • “Real-Time Scanning” means the anti-virus software is always on and checks files in real time when they are created, opened, or copied. 
  • “Remote Wipe” means a security feature that allows data on a device to be deleted without physically possessing the device. 
  • “Rooted” means the process of allowing Android users to attain privileged control over subsystems to alter or replace system applications and settings, run specialized applications that require administrator-level permissions, or perform other operations that are otherwise inaccessible to a normal Android user. 
  • “Supported Operating System” means the entity providing the Operating System (OS), be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS. 
  • “College Data” means anything that contains information regarding the College made or received in connection with its operations, regardless of whether it is a hard copy or electronic, and includes, but is not limited to, written and printed matter, books, drawings, maps, plans, photographs, microforms, motion picture films, sound and video recordings, e-mails, computerized or other electronic data on hard drives or network drives, or copies of these items. See EC-2 Record Retention Policy and Schedule. 
  • “College Technology Resources” means College-owned hardware, software, and network/communications equipment, technology facilities, and other relevant hardware and software items, as well as personnel tasked with the planning, implementation, and support of technology. College Technology Resources can be broken into the following categories: 
    • Campus Network means the wired and wireless components and College Technology Resources connected to the network managed by the College. 
    • Device means a server, computer, laptop, tablet, or mobile device used to enter or access College Data from a College Information System. 
    • College Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the College, whether operated and managed by the College or a third-party vendor.