IS-1004 Mobile Devices

Administration

Release Date: 08/26/97
Revision 3: 01/21/04
Revision 4: 08/03/04
Revision 5: 06/04/09
Revision 6: 01/31/11
Revision 7: 09/11/13
Revision 8: 02/20/20

Supporting Policy

Administrative Directive

1.0  Purpose

The purpose of this policy is to define standards, procedures, and restrictions for end users who have legitimate business uses for connecting mobile devices to CNM’s secure network and data. This mobile device policy applies, but is not limited to, all devices and accompanying media that fit the following classifications:

  • Smartphones
  • Other mobile/cellular phones
  • Tablets
  • E-readers
  • Portable media devices
  • PDAs
  • Portable gaming devices
  • Laptop/notebook/ultrabook computers
  • Any other mobile device capable of storing institutional data and connecting to a network

The policy applies to any mobile hardware that is used to access institutional resources, whether the device is owned by the user or by the organization.

The overriding goal of this policy is to protect the integrity of the restricted student and institutional data that resides within CNM’s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it could potentially be accessed by unsanctioned resources. A breach of this type could result in loss of information, damage to critical applications, loss of revenue, and damage to the institution’s public image. Therefore, all users employing a mobile device connected to CNM’s secure network, and/or capable of backing up, storing, or otherwise accessing institutional data of any type, must adhere to institution-defined processes for doing so.

2.0  Applicability

This policy applies to all CNM employees, including full and part-time employees, contractors, freelancers, and other agents who use a mobile device to access, store, back up, or relocate any institution or student-specific data. Such access to this restricted data is a privilege, not a right, and forms the basis of the trust CNM has built with its students, vendors, and other constituents. Consequently, association with CNM does not automatically guarantee the initial or ongoing ability to use these devices to gain access to secure networks and information.

The policy addresses a range of threats to enterprise data, or related to its use, such as:

Threat | Description
Device Loss | Devices used to transfer or transport work files could be lost or stolen.
Data Theft | Sensitive or restricted institutional data is deliberately stolen and sold by an employee or unsanctioned third party.
Malware | Viruses, Trojans, worms, spyware, malware, and other threats could be introduced to or via a mobile device.
Compliance | Loss or theft of financial and/or personal and restricted data could expose the enterprise to the risk of non-compliance with various identity theft and privacy laws.

Addition of new hardware, software, and/or related components to provide additional mobile device connectivity will be managed at the sole discretion of ITS. Non-sanctioned use of mobile devices to back up, store, and otherwise access any enterprise-related data is strictly forbidden.

This policy is complementary to any previously implemented policies dealing specifically with data access, data storage, data movement, and connectivity of devices to any element of the enterprise network.

3.0  Mobile Devices - General Guidelines

Responsibilities

The Executive Director of the Office of Data Strategy (ODS) of CNM is responsible for the overall classification of institutional data.

The Executive Director of Information Technology Services (ITS) is responsible for the execution and maintenance of information technology and information systems, as well as the availability and integrity of electronic information.

Other staff under the direction of the Executive Director, ITS, are responsible for following the procedures and policies within information technology and information systems.

All CNM employees are responsible for acting in accordance with institutional policies and procedures, including this Administrative Directive.

Affected Technology

Connectivity of all mobile devices to CNM’s secure wireless network will be centrally managed by CNM’s IT department and will use authentication and strong encryption measures. Although IT will not directly manage personal devices purchased by employees, end users are expected to adhere to the same security protocols when connected to non-institutional equipment. Failure to do so may result in immediate suspension of all network access privileges so as to protect the institution’s infrastructure.

Policy and Appropriate Use

It is the responsibility of any employee of CNM who uses a mobile device to access institutional resources to ensure that all security protocols normally used in the management of data (See IS - 1014 Data Classification and Handling) on the conventional storage infrastructure are also applied here. It is imperative that any mobile device that is used to conduct CNM business be used appropriately, responsibly, and ethically. Failure to do so will result in immediate suspension of that user’s account. Based on this requirement, the following rules must be observed:

Access Control

  1. ITS reserves the right to refuse, by physical and non-physical means, the ability to connect mobile devices to institutional and institutional-connected infrastructure. ITS will engage in such action if such equipment is being used in a way that puts the institution’s systems, data, users, and students at risk.
  2. End users who wish to connect such devices to non-institutional network infrastructure to gain access to enterprise data must employ, for their devices and related infrastructure, security measures deemed necessary by the ITS department. Enterprise data is not to be accessed on any hardware that fails to meet CNM’s established enterprise ITS security standards, as defined below.
  3. All personal mobile devices attempting to connect to the institutional secure network through the Internet may be inspected using technology centrally managed by CNM’s ITS department. Devices that are not approved by ITS, are not in compliance with ITS' security policies, or represent any threat to the institutional network or data may not be allowed to connect.

Security

  1. Employees using mobile devices and related software for network and data access will, without exception, use secure data management procedures. All mobile devices must be protected by a password or PIN. All data stored on the device should be encrypted using strong encryption. Employees agree never to disclose their CNM passwords to anyone for any reason.
  2. All users of mobile devices must employ reasonable physical security measures. End users are expected to secure all such devices against being lost or stolen, whether or not they are actually in use and/or being carried.
  3. Any non-institutional computers used to synchronize or back up data on mobile devices will have up-to-date anti-virus and anti-malware software installed.
  4. Passwords and other restricted or sensitive data, as defined by CNM’s policies, are not to be stored unencrypted on mobile devices.
  5. Any mobile device that is being used to store CNM data must adhere to the authentication requirements (See IS-1005 System Access) of CNM’s ITS department.
  6. ITS will manage security policies, network, application, and data access centrally using whatever technology solutions it deems suitable. Any attempt to contravene or bypass that security implementation will be deemed an intrusion attempt and will be dealt with in accordance with CNM’s policies and directives.
  7. Employees, contractors, and temporary staff will follow all enterprise-sanctioned data removal procedures to permanently erase company-specific data from such devices once its use is no longer required.
  8. As part of completing the Employment Separation Process, the employee's supervisor is required to recover all CNM equipment, including Mobile Devices, software, and/or accessories, from the separating or transferring employee.
  9. In the event of a lost or stolen mobile device which might contain CNM institutional data, it is incumbent on the user to report the incident to CNM Security (224-3002) and ITS (224-4357) immediately.

Hardware & Support

  1. ITS reserves the right, through policy enforcement and any other means it deems necessary, to limit the ability of end users to transfer data to and from specific resources on the enterprise network.
  2. Users will make no modifications to the hardware or software that change the nature of the device in a significant way (e.g. replacing or overriding the operating system, jailbreaking, rooting) without the express approval of CNM’s ITS department.
  3. ITS will allow the connection of mobile devices to institutional resources. On personally owned devices, ITS will not support hardware issues or non-institutional applications.

Organizational Protocol

  1. ITS can and will establish audit trails, which will be accessed, published, and used without notice. Such trails will be able to track the attachment of an external device to the institutional network, and the resulting reports may be used for investigation of possible breaches and/or misuse. The end user agrees to and accepts that access and/or connection to CNM’s networks may be monitored to record dates, times, duration of access, etc. in order to identify unusual usage patterns or other suspicious activity. The status of the device, including the tracking of application presence or usage, jailbreak detection, data usage, and/or operating system version may also be monitored. This monitoring is necessary in order to identify accounts/computers that may have been compromised by external parties or users who are not complying with CNM’s policies.
  2. The end user agrees to immediately report any incident or suspected incidents of unauthorized data access, data loss, and/or disclosure of company resources, databases, networks, etc. to the supervising manager and CNM’s ITS department.
  3. Any questions relating to this policy should be directed to the Information Security and Compliance Officer in ITS, at 224-4696 or infosec@cnm.edu. A copy of this policy, and related policies and procedures, can be found on The Source (login required).

4.0 Wireless Phones Provided by CNM

CNM-provided wireless phones are the property of Central New Mexico Community College (CNM) and are assigned to designated employees for business use. The Purchasing Department makes the final determination on the selection of the vendor and available service plans. The Business Office reviews the cellular phone billings and makes payments for cellular phones.

4.1 Approval of Purchase

4.1.1 The purchase of a cellular phone must be approved in advance by the appropriate vice president. Approval is contingent upon the requestor submitting documentation justifying the need to conduct CNM business.

4.2 Responsible Employee

4.2.1 The appropriate vice president appoints one employee as the individual responsible for the phone. This employee is responsible for approving detailed billings, and reporting lost or malfunctioning cellular phones.

4.3 Procurement of Phone and Carrier Service

4.3.1 The department making the cellular phone purchase is responsible for making the purchasing arrangements through the Purchasing Department.  Cellular telephone purchases are made with commodity code CCCPP to enable the purchase to be tracked as a fixed asset.  Commodity code CCC03 is used for the purchase of cellular telephone service.

4.3.2 The Purchasing Department makes the final determination on the vendor and service plan selection.

4.4 Conditions of Use

4.4.1 Cellular phones should be used to conduct CNM business. Personal use is discouraged, but if personal calls are made, it is the employee's responsibility to pay the cost for personal calls. This responsibility is typically fulfilled by the employee reimbursing CNM for individual personal calls itemized on the cell phone bill. However, in certain circumstances when approved by a Vice President or higher, this responsibility can be fulfilled by the employee paying one-half of the total monthly bill.

4.4.2 Smartphones have the ability to connect to CNM’s Wi-Fi network.  Therefore, Smartphones are subject to all current and future CNM Policy and Directives, including IS-1002 Information Technology Use Policy (ITUP).

4.5 Inventory Requirements

4.5.1 Cellular phones purchased by CNM are tagged and included in the equipment inventory and subject to all inventory reporting structures.

4.6 Definitions

4.6.1 Personal Calls - Any calls not pertaining directly to CNM business.

4.6.2 Wi-Fi – wireless access to CNM’s ITS network.

5.0  Laptop Computers provided by CNM

In order to support a variety of work schedules, job assignments, and special projects, and to increase accessibility to current technology, Central New Mexico Community College (CNM) provides a number of laptop computers for check-out by CNM employees. This policy establishes guidelines for administering this equipment, provides procedures for checking out or otherwise obtaining a laptop computer, and suggests guidelines for handling the equipment while it is out of the department. This policy applies to all CNM-owned laptops, software, books, and/or accessories.

5.1 Security Provisions

5.1.1 Because of the high dollar value and portable nature of laptop computers, all departments and employees are encouraged to make adequate provisions to ensure that laptops are protected at all times.

5.1.2 Where possible, employees are encouraged to make use of alternative resources to avoid potential loss to the College. For instance, CNM's Instructional Media Resources department or the computer equipment available for use at business conferences provide alternatives to checking out a laptop.

5.1.3 To protect the financial interests of employees and the College, privileges can be revoked if negligent behavior leads to recurring loss.

5.2 Check-out Eligibility
Regular, temporary, and casual full-time and part-time CNM employees are eligible to check out laptop computers. Selected Contractors are also eligible as required for the execution of contracted services.  For the purposes of this policy, "employees" does include selected Contractors but does not include student employees.

5.3 Check-out Guidelines for CNM-owned Laptops
Laptops are available for check-out from several departments. Check with the person identified for managing the laptops in that area regarding laptop availability. Although departments may establish their own laptop check-out procedures, the following requirements and recommendations are in place to ensure consistency throughout the College.

Requirements:

5.3.1 Each department loaning and/or assigning laptops must have a responsible person identified for managing the laptops in that area and for providing a specific check-out procedure and check-out agreement form.

5.3.2 Laptops may be checked out for instruction, demonstration, research, and general CNM support directly associated with authorized College activity. Laptops may not be checked out for personal use.

5.3.3 Each employee must read, sign, and agree to comply with the department's check-out agreement, this policy, and CNM's Technology Use Policy prior to checking out a laptop from any CNM department. These policies are in place to protect the employee and CNM.

Recommendations:

5.3.4 Laptops should be reserved 24 hours in advance.

5.3.5 Laptops should be checked out for the shortest time possible to allow for maximum availability.

5.4 Financial Responsibility

5.4.1 On rare occasions, when a laptop is damaged, lost, or stolen as the result of employee or department negligence, the appropriate Vice President reviews the circumstances under which the damage, loss or theft occurred and makes a determination of financial responsibility. All employees who have short- or long-term use of laptops are responsible for following the Guidelines for Use.

5.5 Long-term Assignments
A laptop may be assigned to an employee on a permanent or long-term basis with the approval of the appropriate Vice President. The need for a permanent or long-term assignment is evaluated on a case-by-case basis. Employees and departments should take their initial request to their immediate supervisor.

5.6 Purchasing Department-owned Laptops
The immediate supervisor, department head, and appropriate Vice President must approve the purchase of a new department-owned laptop for department use at CNM. Employees and departments should take their initial request to their immediate supervisor.

5.7 Laptop Software

5.7.1 Each ITS laptop is configured with the appropriate software for that model.

5.7.2 If the software that is available on the laptop is not adequate for the project or assignment, ITS will work with the employee to determine whether another software package can be installed. If so, the employee should bring the original software and license to the ITS Helpdesk / Software department for installation.

5.7.3 A non-ITS employee may not install additional software on an ITS-owned laptop.

5.7.4 To better support the customer, ITS requests one working day to install and test the software.

5.7.5 To ensure that the laptop remains in compliance with ITS software standards and to avoid problems for other employees using ITS laptops, a non-ITS employee may not change any of the standard software settings on the laptop.

5.7.6 To comply with College technology standards, department laptops are required to have the College's anti-virus software. ITS provides and installs this software at no charge to the department upon request. Contact ITS to request this software.

5.7.7 If additional software is needed on a CNM-owned laptop, the software can be installed by ITS with the originating department's approval. The department should provide ITS with the original software and proof of license.

5.7.8 Personal use software may not be installed on any CNM-owned laptop.

5.8 ITS Technical Support

5.8.1 All CNM-owned laptops are supported by ITS. CNM-owned software for laptops is provided and installed by ITS at no charge to the department. Contact ITS to request this software.

5.9 Maintenance and Warranties
ITS provides ongoing maintenance and holds the warranties for all ITS-owned laptops. Maintenance and warranties for department-owned laptops are the responsibility of each department.

5.10 Internal Audit
To ensure appropriate use and compliance with CNM policies and procedures, including the Technology Use Policy, all CNM laptops and their use are subject to audit by CNM's internal auditor.

5.11 Guidelines for Use
Employees are encouraged to follow these guidelines while a laptop is in their possession:

    • Keep the laptop in a locked and secured environment when not being used
    • Do not leave the laptop for prolonged periods of time in a vehicle, especially in extreme temperatures; if it must be left in the vehicle for a short time, secure it in a locked trunk
    • Keep foods and drinks out of the laptop work area
    • Do not leave the laptop unattended at any time in any location (an unlocked empty classroom, an unlocked office, etc.)
    • Keep the laptop in sight at all times (on public transportation, at airport security check points, in public places such as restaurants, etc.)
    • When leaving a hotel room, place the laptop out of sight or check it at the hotel's front desk

5.12 Definitions

    • Configured - Set up for operation in a specific way.
    • Negligence or Negligent Behavior - Failure to exercise the care that a prudent person usually exercises.
    • Networked - Set up according to CNM ITS supportable standards with a network interface card and connected to the CNM Network Infrastructure.
    • Software - The entire set of programs, procedures, and related documentation associated with a computer system.

6.0  Related Information


Administration

Release Date: 08/26/97
Revision 3: 01/21/04
Revision 4: 08/03/04
Revision 5: 06/04/09

Procedure

1. Cellular Telephone Request, Purchase and Assignment

Cellular Telephone Requester

1.1 Submit a request for a cellular telephone to the appropriate vice president in a memorandum with a justification explaining the need for the cellular telephone.

Appropriate Vice President

1.2 Determine if the cellular telephone is justified. Return the approval or decline memorandum to the requester.

Cellular Telephone Requester

1.3 Submit the approval to the ITS Helpdesk.

ITS Helpdesk

1.4 Provide a recommendation of vendors that can be used to purchase the cellular telephone and service.

Requestor's Department

1.5 Complete a purchase arrangement through the Purchasing Department for the cellular telephone and service. Use commodity code CCCPP for the cellular telephone purchase and commodity code CCC03 for the service.  Purchasing makes the final determination on the vendor selection.

1.6 File a copy of the approved request naming the responsible employee (cellular telephone holder) in the memorandum.

Purchasing Department

1.7 Select vendor and complete the cellular telephone purchase.

CNM Property Management Personnel

1.8 Tag the cellular telephone and include it in the inventory reporting structure.

Vendor

1.9 Deliver the cellular telephone to the responsible employee and provide instructions in use, care, and responsibilities.

1.10 Notify the ITS Helpdesk of the cellular telephone number for tracking purposes.

2. Billing Review

Cellular Telephone Holder

2.1 Send detailed monthly cellular billings (not summaries) to Accounts Payable in the Business Office. Indicate any personal calls and include a personal check covering the cost of those calls. However, if permission has been obtained from a Vice President or above and if personal calls have been made in the billing cycle, a personal check in the amount of one half of the bill must accompany the cellular bill along with a copy of the original approval from Vice President or above. It is the department control agent's responsibility to notify the Business Office if this approval is discontinued.

Accounts Payable Representative

2.2 Review the cellular telephone billing for reasonableness and accuracy.



Forms

Not Applicable

Support Materials

Not Applicable

Reference Materials