Mobile Communication Devices
710.500 MOBILE COMMUNICATION DEVICES POLICY
Mobile computing devices are standard equipment in today’s computing environments. However, the portability offered by these devices increases the risk that information stored or transmitted from them will be exposed. Wenatchee Valley College (WVC) allows personal mobile devices to be used for business purposes as long as those devices adhere to the guidelines as stated below.
The purpose of this policy is to establish best practices, procedures and protocols for the safe, secure and responsible use of mobile devices on Wenatchee Valley College networks. This policy is necessary to preserve the integrity, availability and confidentiality of Wenatchee Valley College data and its associated communications networks. This policy addresses privacy, records retention, and stewardship of confidential state information by enhancing security and establishing employee responsibility and accountability in the use of mobile devices to access, transmit college data.
All communications records, documents, data, photos, etc. used to conduct college business and made via personally owned devices, are subject to records retention requirements and public disclosure requests. The owner of a personal device may be required to surrender their device, including personal and business-related information, if it falls within scope of a Freedom of Information Act request (FOIA) or other types of litigation holds.
This policy applies to all mobile devices that connect to any Wenatchee Valley College data networks and related services to conduct legitimate business activities.
- College Owned: This policy applies to all staff, faculty and students who operate a Wenatchee Valley College owned mobile device that communicates with Wenatchee Valley College data networks, downloads, stores data from Wenatchee Valley College data storage systems and services.
- Personally Owned: This policy applies to Wenatchee Valley College staff, faculty, students and 3rd parties who utilize personal devices that hold/transmit Wenatchee Valley College data.
There are no exemptions to this policy unless for valid business reasons.
- Exemption approval requirements:
- Exemption approvals require authorization by the WVC President, Vice President, Deans or department designee.
- Exemptions are documented and reviewed at least annually for validity and relevancy.
Staff members found in policy violation may be subject to blacklisting of their personal devices, loss of computing privileges, disciplinary action up to and including termination.
This policy is to be distributed and readily accessible to all Wenatchee Valley College employees, students, contractors, volunteers, etc.
Renamed/revised and approved by the president’s cabinet: 9/16/08, 1/6/09, 2/5/13,
Adopted by the board of trustees: 10/10/01, 11/19/08, 2/18/09, 2/20/13, 11/16/22
Last reviewed: 11/16/22
Policy contact: Technology
Related policies, procedures and related references
1710.500 Mobile Communication Devices Procedure
Public Records Act RCW 42.56
Washington State Office – Chief Information Officer
1710.500 MOBILE COMMUNICATION DEVICES PROCEDURE
Wenatchee Valley College (WVC) mobile communications devices, and associated telecommunications contracts, and services, are managed by the technology department.
Mobile devices owned by Wenatchee Valley College or personally owned that access WVC data networks, systems, applications, services or data repositories, hosted by college systems or hosted in college managed cloud services, or third-party cloud service providers, are governed by this procedure. Applications, including cloud storage software/services, used by staff on their own personal devices are also subject to this procedure. Mobile devices purchased by Wenatchee Valley College will be automatically registered with technology department college mobile device enrollment services. Personal mobile devices that require access to college data and networks must abide by these procedures.
The following general procedures and protocols apply to the use of all mobile devices:
- All mobile devices must be protected with a password, PIN code, biometric method (facial recognition, fingerprint) at the time the device is enrolled into WVC mobile device enrollment services and continue as long as the device has access to WVC data.
- Mobile device passwords/PIN codes must meet the requirements outlined in the Wenatchee Valley College Access Control and Password Policy.
- All college data stored on mobile devices shall be encrypted.
- All mobile devices will utilize the most secure wireless encrypting standards; security and access protocols shall be used with all wireless network connections.
- All mobile device users shall refrain from using public or unsecured network connections to transmit/receive college data. All mobile devices used to connect to college networks shall be registered with the appropriate mobile device management (MDM) role approved by the WVC Technology Department.
- All mobile computing devices that access WVC networks shall have active and up-to-date anti-malware/virus protection and firewall protection software installed.
- All mobile devices shall have location services enabled.
- All lost, stolen, destroyed or compromised mobile devices or mobile devices that have been identified as threats to WVC networks or data will lose access to college data and networks.
- Temporary loss – device must be remediated and meet device health baselines.
- Permanent loss – employee separation, risk management assessment or other circumstances.
- WVC Technology Department reserves the right to terminate access to any device without prior notification to the device owner.
- All mobile devices and applications shall be kept up to date.
- Operating system and application patches shall be installed within 30 days of release.
B. USER DEVICE RESPONSIBILITIES
The following procedures and requirements shall be followed by all users of mobile devices:
- WVC employees shall immediately report any device that is lost, stolen, destroyed or compromised in any way or form to the Wenatchee Valley College Information Technology (IT) Helpdesk.
- Email the IT helpdesk at firstname.lastname@example.org or call 509-682-6550 for assistance
- Unauthorized access to a college owned or personal mobile device or unauthorized access to college data must be immediately reported to WVC IT Helpdesk.
- Personal mobile devices shall not be “rooted” or “jailbroken” or have software/firmware installed that could pose a risk to college data stored on the device.
- Users shall not load illegal content or pirated software onto any mobile device accessing college networks or data.
- Only WVC IT approved applications are allowed on college owned mobile devices.
- College provided/approved applications will be updated on a regular basis per WVC IT policies and standards.
- Device security health baselines will be enforced on all devices.
- Users shall use WVC approved data sharing systems or services when sending or receiving WVC data.
- Users are responsible for ensuring all important files stored on the mobile devices are backed up on a regular basis.
- Users shall not modify or attempt configurations without express written authorization from WVC Technology staff.
C. ADMINISTRATIVE RESPONSIBILITIES
The Wenatchee Valley College Technology Department staff and/or Mobile Device Management Services or their designee are responsible for the following:
- Ensure employee/student personal data remains secure at all times.
- Reserves the right to block personal devices that are determined to pose a threat to college networks, services and data, pending remediation by the device owner, or that violate mobile device requirements.
- Reserves the right to permanently block a personal device if remediation efforts by the owner are not satisfactory, timely or technology staff determine the device continues to pose a security threat to college networks and data.
- Mobile device management (MDM) enterprise mobility software will be used to enforce common security standards and configurations on devices such as:
- Auto-lock with PIN or passcode enforcement.
- PIN and passcode complexity enforcement.
- Remote wipe enabled to lock or wipe a lost or stolen device.
- Full wipe of college owned devices upon employee separation.
- Partial wipe on personal devices (college data, i.e., email, Teams chats, etc.).
- Enforce use of secure communications protocols.
- Ensure college-owned apps are maintained and up to date.
- Application isolation.
- Device health and security baselines.
- Specific configuration settings shall be defined for malware protection software to ensure that this software is not alterable by users of mobile and/or employee-owned devices.
- Annual security training is provided to users of mobile devices. The content and form of that training shall be decided by Wenatchee Valley College or designee. Periodic security reminders will be used to reinforce mobile device security procedures and other best practices.
- Mobile device management software is used to manage risk, limit security issues, and reduce costs and business risks related to mobile devices. The software shall include the ability to inventory, monitor (e.g., application installations), issue alerts (e.g., disabled passwords, categorize system software operating systems, rooted devices), and issue various reports (e.g., installed applications, carriers).
- Mobile device management software shall include the ability to distribute applications, data, and global configuration settings against groups and categories of devices.
- Perform reviews and updates, yearly at a minimum, of security standards and procedures used with mobile computing devices.
- Establish procedures, workflows, memorandum of understanding(s), to manage and document requests for exemptions and deviations from these procedures.
- Mobile device management software shall terminate device access when an employee separates and perform a data wipe of the device(s).
- Implement technical processes and measures to strictly limit and control access to sensitive data moving to and from mobile computing devices.
D. AUDIT CONTROLS AND MANAGEMENT
- Documented procedures and evidence of practices shall be available upon request for this procedure and accessible as part of the WVC policies and procedures website. Satisfactory examples of evidence and compliance include:
- Documented quarterly spot user checks for compliance with mobile device computing policies.
- Readily available processes and procedures for staff use of mobile devices.
- Configuration and support guidelines and procedures for mobile devices.
- Communication and device logs of attached units showing appropriate management, compliance and monitoring protocols are in place.
- Anecdotal and archival communications showing regular implementation of the procedure.
Approved by the president’s cabinet: 9/16/08, 1/6/09, 2/5/13, 4/25/23
Last reviewed: 4/25/23
Procedure contact: Technology
Related policies and procedures
710.500 Mobile Communication Device Policy
College Access and Password Policy