Mobile Device Security

This guideline covers security for mobile devices on the Danforth Campus.

Summary

The following are recommendations for securing particular types of mobile devices, such as smart phones and tablets. Laptops are specifically excluded from the scope of this guideline because the security controls available for laptops today are quite different from those available for smart phones, tablets, and other mobile device types. Mobile devices with minimal computing capability, such as basic cell phones, are also out of scope because of the limited security options available and the limited threats they face.

A mobile device security policy should define which types of mobile devices are permitted to access the organization’s resources, the degree of access that those devices may have, and how provisioning should be handled. The mobile device security policy should be documented in the system security plan. To the extent feasible and appropriate, the mobile device security policy should be consistent with and complement security policy for non-mobile systems.

Defining Mobile Device Characteristics

Mobile device features are constantly changing, so it is difficult to define the term “mobile device”. However, as features change, so do threats and security controls, so it is important to establish a baseline of what constitutes a mobile device. The following hardware and software characteristics collectively define the baseline for the purposes of this guideline:

  • A small form factor
  • At least one wireless network interface for Internet access (data communications). This interface uses Wi-Fi, cellular networking, or other technologies that connect the mobile device to network infrastructures with Internet connectivity.
  • Local built-in (non-removable) data storage
  • An operating system that is not a full-fledged desktop or laptop operating system
  • Applications available through multiple methods (provided with the operating system, accessed through a web browser, acquired and installed from third parties)
  • Built-in features for synchronizing local data with a remote location (desktop or laptop computer, organization servers, telecommunications provider servers, other third party servers, etc.)

The list below details other common, but optional, characteristics of mobile devices. These features do not define the scope of devices included in this guideline, but rather indicate features that are particularly important in terms of security risk. This list is not intended to be exhaustive, and is merely illustrative of common features of interest as of this update.

  • Network services:
    • One or more wireless personal area network interfaces, such as Bluetooth or near-field communications
    • One or more wireless network interfaces for voice communications, such as cellular
    • Global Positioning System (GPS), which enables location services
  • One or more digital cameras
  • Microphone
  • Storage:
    • Support for removable media
    • Support for using the device itself as removable storage for another computing device

High-Level Threats and Vulnerabilities

There are a number of ways that mobile devices may be attacked, or ways in which they might expose Washington University’s networks or data to risk. These include:

  • Lack of Physical Security Controls
  • Use of Untrusted Mobile Devices
  • Use of Applications Created by Unknown Parties
  • Interaction with Other Systems
  • Use of Untrusted Content
  • Use of Location Services

Mobile Policy

Washington University mobile devices, whether provided by the university or its schools or brought by a user, should be secured in the following manner:

  • Any connection by the device to university- or school-provided email should prompt the user to accept security protocols related to wiping the data from the device in the event of loss or theft. Email connectivity should not be provided on devices without user-granted permission to remotely wipe the device in case of loss or theft.
  • All email systems on campus should have the capability to push such a security regime to the user’s device.
  • All users should be encouraged to use a “pin number” or other security mechanism to lock the screen of their devices. Schools will have the option of requiring this.

Updated April 1, 2013.
