This guideline covers security for mobile devices on the Danforth Campus.
The following are recommendations for securing particular types of mobile devices, such as smart phones and tablets. Laptops are specifically excluded from the scope of this guideline because the security controls available for laptops today are quite different than those available for smart phones, tablets, and other mobile device types. Mobile devices with minimal computing capability, such as basic cell phones, are also out of scope because of the limited security options available and the limited threats they face.
A mobile device security policy should define which types of mobile devices are permitted to access the organization’s resources, the degree of access that those devices may have, and how provisioning should be handled. The mobile device security policy should be documented in the system security plan. To the extent feasible and appropriate, the mobile device security policy should be consistent with and complement security policy for non-mobile systems.
Mobile device features are constantly changing, so it is difficult to define the term “mobile device”. However, as features change, so do threats and security controls, so it is important to establish a baseline of what constitutes a mobile device. The following hardware and software characteristics collectively define the baseline for the purposes of this guideline:
The list below details other common, but optional, characteristics of mobile devices. These features do not define the scope of devices included in this guideline, but rather indicate features that are particularly important in terms of security risk. This list is not intended to be exhaustive, and is merely illustrative of common features of interest as of this update.
There are a number of ways that mobile devices may be attacked, or ways in which they might expose Washington University’s networks or data to risk. These include:
For Washington University mobile devices, whether provided by the university, its schools, or brought by a user, should be secured in the following manner:
Updated April 1, 2013.