Mobile Device Security Requirements and Recommendations

Resource: See Securing the Human’s Mobile Device video

There are both required and recommended (optional) elements of a secure mobile device. The required elements of security (denoted throughout as “Requirement”) apply to any device—whether it’s personally-owned or university-owned or issued—that accesses university data, including email.

Securing Your Device

  1. Password protection / lock
    Requirement – see specific implementation guidelines for further details

    • Use password protection on all mobile devices.
    • Follow the guidelines for establishing passwords as allowed by your device.
    • Configure devices to require a password for access after power on prior to initial use, and again after a short period of inactivity.
    • Configure devices to lock out further access after a number of failed password attempts.
    • Change your mobile device password at least once a year.
    • Use two-factor authentication on the device if available.
    • When an application requests permission to use features or data on your device, consider whether or not that application should have those permissions before granting them. This will help protect your device from malware.
  2. Loss or theft protection
    1. Prevention
      • Requirement
        1. Document the serial number of your device.
      • Recommendation
        1. Take appropriate physical security measures to prevent theft of mobile devices.
        2. Never leave your mobile device unattended in a non-secure location.
    2. If the device is lost/stolen
      • Requirement
        1. Report loss or theft of any mobile device (regardless of ownership) to your department and wireless carrier (if applicable).
        2. For university-owned devices, follow the procedure for reporting lost/stolen assets: (link)
        3. Immediately change any passwords saved on the device unless stored only in a secure password keeper application.
      • Recommendation
        1. Initiate a remote wipe of the device if it has not been recovered in a reasonable time period to reduce the risk of exposure to university data as well as personal data.
    3. Recovery/Tracking Recommendation Include appropriate contact information on the device. For example, put “If found, please call [include number]” on the lock screen or engrave the information on the device. Set up your device specific lost/stolen location services (e.g. GPS tracking) to assist in the recovery of the device.
  3. Antivirus protection
    • Requirement
      1. Install antivirus software on the device, if available.
      2. Configure antivirus software to auto-update definitions in a timely manner and verify that the update mechanism is functioning correctly.
  4. Device updates
    • Requirement
      1. Use vendor-supported versions of your operating system and any installed applications.
      2. Apply updates and patches in a timely manner.
    • Recommendation
      1. Configure the device and the applications on it to automatically apply updates.
      2. Remove applications that are no longer being used.

Securing Your Data

  1. Access and storage
    • Requirement
      1. Comply with the data security restrictions applicable to the data you are accessing from or storing on your mobile device.
  2. Encryption
    • Requirement
      1. Use encryption software or built-in encryption options on the device to protect sensitive University data.
  3. Backup
    • Recommendation
      1. Regularly backup all data on your mobile device. Consider using multiple backup mechanisms. If you travel, have a portable backup device that you can take with you (carried separately and similarly secured).
      2. Make regular backups of your important data from your mobile device to a server, preferably university-managed.
  4. Password storage
    • Recommendation
      1. Disable remembering of passwords on your device unless required for syncing or connecting to wireless networks.
      2. Use a secure password keeper application if storing passwords on your mobile device.
  5. Data retention
    • Recommendation
      1. Consider whether it is necessary to store data on your mobile device for the long-term.
      2. Remove any university data no longer being used from the device.

Securing Your Communications

  1. Wireless network access
    • Requirement
      1. Disable auto-join of newly discovered wireless networks.
    • Recommendation
      1. Disable any wireless networking features not currently in use (Wi-Fi, Bluetooth).
      2. Use VPN (https://vpn.ncsu.edu) when accessing university data over any non-university or non-secure network. This includes cable modem, DSL, 3G/4G/WiMax, off-campus Wi-Fi, and the current non-secure NOMAD wireless network.
  2. Bluetooth devices
    • Requirement
      1. Set a new value for the PIN or password when establishing a connection with a Bluetooth device instead of using the default/zero/null value if possible.
    • Recommendation
      1. Secure all other wireless communications used by your device, such as infrared.
  3. Sharing/ tethering Internet connections over WiFi/Bluetooth
    • Requirement
      1. Disable Internet sharing/tethering when not in use.
      2. Set a strong password (not your Unity password) for access when tethering other devices to your mobile device over WiFi/Bluetooth.

Emerging Technologies

There are always new features being developed for mobile devices that have security concerns, such as Apple’s Airplay that allows a user to share content with multimedia presentation devices over the wireless network. Requirements and guidelines will need to evolve along with the technology to ensure safety and security. As a result, additional requirements may be in effect if needed.