Guidelines for Securing Mobile Computing Devices
Smart phones, tablets, laptop computers, and USB memory (aka thumb drives) are convenient and easy to use. They also introduce risk to personal privacy and University data. This document outlines guidelines regarding the use of these mobile devices in the Stanford computing environment.
Risks of Mobile Computing
Mobile computing devices can store large amounts of data, are highly portable and are frequently unprotected: They are easy to steal or lose, and unless precautions are taken, an unauthorized person can gain access to the information stored on them or accessed through them. Even if a device is not stolen or lost, intruders can sometimes gain all the access they need if the device is left alone and unprotected, if data is "sniffed out of the air" during wireless communications, or if malware is installed. The results can include crippled devices, personal data loss, disclosure of non-public University data, and disciplinary actions for the device owner.
Mobile computing devices are of concern both because of the data that might be stored on them, and because they may provide access to other services that store or display non-public data. This access may be enabled because the mobile device contains passwords or security certificates that identify the device or its user to the email system, Virtual Private Networks (VPNs), or other applications.
Data Security Requirements
The best way to protect University data is to remove unnecessary data from your computer. In particular, Prohibited data must not be stored on your system or device unless you have explicit permission from the Data Governance Board to do so. Prohibited data includes items such as Social Security Numbers, credit card numbers, or checking account numbers. Restricted data is also subject to mandatory University-wide controls. The controls necessary for Confidential data are specified by its owner or custodian and may include those specified for Prohibited or Restricted data. Additional information about Stanford non-public data and the requirements associated with it can be found in the Stanford Data Classification Guidelines.
Approved for Non-Public data:
- Laptops which are used to store and/or transport Prohibited or Restricted data must be enrolled in the Information Technology Services (ITS) Stanford Whole Disk Encryption (SWDE) service.
- No mobile devices that are "rooted", "jailbroken", or have their security mechanisms disabled or circumvented may access or store Restricted data, even if they are managed.
- Many Android and Apple iOS devices that have encryption capability have been approved for accessing Restricted data if they are managed in the ITS Mobile Device Management (MDM) service using a profile approved for Restricted data. Not all mobile devices are approved; see the MDM program documentation for more information.
Mobile Computing Guidelines
The following guidelines are intended to help mobile computing device users protect the data the devices contain. They are not a substitute for the mandatory controls for non-public data described above. These guidelines are easy to implement and use and can protect your privacy and Stanford's data in the event that your device is compromised, lost or stolen.
Mobile Phones and Tablets
- Label your device with your name and a phone number where you can be reached to make it easy to return to you if it is lost, even if the battery is dead.
- Configure a passcode to gain access to and use the device. This helps prevent unauthorized individuals from gaining access to your data.
- Set an idle timeout that will automatically lock the phone when not in use. This also helps prevent unauthorized individuals from gaining access to your data.
- Keep all software up to date, including the operating system and installed "Apps". This helps protect the device from attack and compromise.
- Do not "jailbreak" or "root" your device. "Jailbreaking" and "rooting" remove the manufacturer's protection against malware.
- Obtain your apps only from trusted sources such as the Apple iTunes Store, Google Play, or the Amazon App Store for Android. This helps you avoid malware which is often distributed via illicit channels.
- Enroll your device in a managed environment. This helps you configure and maintain your security and privacy settings.
- Enroll your device in Find My iPhone or an equivalent service. This will help you locate your device should it be lost or stolen.
- If your device supports it, ensure that it encrypts its storage with hardware encryption. In conjunction with a management service or "Find My iPhone," this can allow data to be removed quickly in the event that the device is lost or stolen.
Portable Storage Devices
Portable Storage Devices are usually large-capacity devices that are easily moved from place to place (e.g., USB memory sticks, removable hard drives, etc.).
- Devices which are used to store or transport Prohibited or Restricted data must be encrypted. The Information Security Office recommends that you use the self-encrypting, FIPS 140-2 Level 3 qualified Aegis Secure Key flash drive. This device has an "Administrator PIN" feature and self-wipes if it is attacked. It is available from Stanford's SmartMart — search for "Apricorn Aegis Flash Drive" — and other popular vendors. Confirm that a non-trivial password has been set on your Aegis Secure Key prior to using it.