Skip navigation

Guidelines for Securing Mobile Computing Devices

Information Security Office » Secure Computing » Guidelines for Securing Mobile Computing Devices

Introduction

Smart phones, tablets, laptop computers, USB memory (aka thumb drives) are convenient and easy to use. They also introduce risk to personal privacy and University data. This document outlines guidelines regarding the use of these mobile devices in the Stanford computing environment.

Risks of Mobile Computing

Mobile computing devices can store large amounts of data, are highly portable and are frequently unprotected: They are easy to steal or lose, and unless precautions are taken, an unauthorized person can gain access to the information stored on them or accessed through them. Even if not stolen or lost, intruders can sometimes gain all the access they need if the device is left alone and unprotected, if data is "sniffed out of the air" during wireless communications, or if malware is installed. The results can include crippled devices, personal data loss, disclosure of non-public University data, and disciplinary actions for the device owner.

Mobile computing devices are of concern both because of the data that might be stored on them, and because they may provide access to other services that store or display non-public data. This access may be enabled because the mobile device contains passwords or security certificates that identify the device or its user to the email system, Virtual Private Networks (VPNs), or other applications.

Data Security Restrictions

The best way to protect University data is to remove unnecessary data from your computer. In particular, Prohibited data should not be stored on your system or device unless you have explicit permission from the Data Governance Board to do so. Prohibited data includes items such as Social Security Numbers, credit card numbers, or checking account numbers. Information about Stanford non-public data and the requirements associated with it can be found in the Stanford Data Classification Guidelines.

Mobile Computing Guidelines

The following guidelines are intended to help mobile computing device users protect the data the devices contain. These guidelines are easy to implement and use and can protect your privacy and Stanford's data in the event that the device becomes compromised, lost or stolen.

Mobile Phones and Tablets

  • Label your device with your name and a phone number where you can be reached to make it easy to return to you if it is lost.
  • Configure a passcode to gain access to and use the device. This helps prevent unauthorized individuals from gaining access to your data.
  • Set an idle timeout that will automatically lock the phone when not in use. This also helps prevent unauthorized individuals from gaining access to your data.
  • Keep all software up to date, including the operating system and installed "Apps". This helps protect the device from attack and compromise..
  • Do not "jailbreak" or "root" your device. "Jailbreaking" and "rooting" removes the manufacturer's protection against malware.
  • Enroll your device in a managed environment. This helps you configure and maintain your security and privacy settings.
  • Enroll your device in Find My iPhone or an equivalent service. This will help you locate your device should it be lost or stolen.
  • If your device supports it, ensure that it encrypts its storage with hardware encryption. In conjunction with a management service or "Find My iPhone," this can allow data to be removed quickly in the event that the device is lost or stolen.

Portable Storage Devices

Portable Storage Devices are usually large capacity drives that are easily moved from place to place (e.g., USB memory sticks, removable hard drives, etc).

  • Configure a username/password combination to access the data/device.
  • Devices which are used to store and/or transport Prohibited or Restricted data must be encrypted.
    Stanford ITS offers encryption services at https://itservices.stanford.edu/service/encryption/wholedisk
  • Devices encrypted by one of the services offered by ITS will add additional authentication and management to the device.

Portable Computers

  • Configure the system to require a password whenever a user logs in.
  • Set a screensaver timeout and enable the password lock-out feature so a password is required when returning from screensaver mode.
  • Laptops used to access Prohibited and Restricted data are required to be encrypted with Stanford's Whole Disk Encryption (SWDE).
  • Physical locks should be used whenever the system is in a stationary location for extended periods of times.

Supported Mobile Devices in a Managed Environment

The ISO evaluates mobile devices based on the availability and effectiveness of their security controls, includng the ability of the platform to encrypt data stored on it, its ability to encrypt data communications, its relative vulnerability to malware, its ability to be managed, and its ability to be audited.

Approved for Non-Public data:

  • No mobile devices that are "rooted", "jailbroken", or have their security mechanisms disabled or circumvented may access or store Restricted data, even if they are managed.
  • Apple iOS devices running iOS version 4 or newer software that have hardware encryption capability have been approved for accessing Restricted data if they are managed in the Information Technology Services (ITS) Mobile Device Management (MDM) service using a profile approved for Restricted data.
  • Blackberry smart phones have been approved for accessing Restricted data if they are managed in the ITS Blackberry Enterprise Server (BES) environment.
  • Android mobile devices are not yet approved for accessing Restricted data, pending availability of a management environment.