Research Instruction & Information Technology Group

Mobile Device Policy: SCB–MD–01

1.0 Purpose

The purpose of this policy is to establish security requirements for mobile devices to prevent sensitive or confidential data from being lost or compromised. A wide variety of mobile devices contain electronically stored data including, but not limited to: computer systems (laptop, tablet pc, netbook etc.), personal desktop assistants, smart phones, removable storage devices such as USB storage devices, diskettes and magnetic tape.

2.0 Scope

This policy applies to all the Smeal College of Business employees, contractors, consultants, temporary personnel, and other workers responsible for or utilizing portable devices or media to store Penn State data.

3.0 Policy

All mobile devices used to store or transport Non-Public Penn State or Smeal College of Business data must be appropriately secured to prevent sensitive or confidential data from being lost or compromised.

Whenever possible, all mobile devices must be password or biometrically protected. In accordance with College and University password policies, choose and implement a strong password – preferably eight (8) characters or more in length.

If a mobile device is lost or stolen, promptly report the incident to your department contact or the RIIT Group and proper authorities. Also, be sure to document the serial number of your device now, for reporting purposes, in the event that it is lost or stolen. If available, use the remote wipe feature to remove any data from a lost or stolen device. Most mobile devices synchronizing email with the Smeal College of Business Exchange email server have this feature available.

Sensitive or confidential documents should be encrypted if possible. Mobile device options and applications that are not in use should be disabled. Sensitive and confidential information must be removed from the mobile device before it is returned, exchanged or disposed. Whenever possible all mobile devices should enable screen locking and screen timeout functions.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action by their Administrative unit, the College, or the University.

6.0 Revision History

06/04/2007 - Initial modification from COE policies, used with permission in conjunction with the Penn State IPAS project.

Printable PDF available.