UMGC Policy X-1.25 Mobile Device

Purpose

The purpose of this policy is to establish information security standards for the use of Mobile Devices to access University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Mobile Device

The University will identify and implement appropriate Mobile Device technologies and processes for the security of University Information Technology Resources and Data.

1. Mobile Device Configuration
   1. All UMGC-owned Mobile Devices will be configured and managed by the University.
   2. UMGC Users who wish to use a Personal Mobile Device to access University Information Resources must comply with the following security standard:
      1. Submit a request to the UMGC Service Desk for approval to use Personal Mobile Device to access, store, or process University Data. Approvals must be obtained from the applicable University supervisor.
2. Personal Mobile Devices must have software installed (Mobile Device Management (MDM) that allows the University to remotely manage the device to adhere to University policies and USM IT Standards. If a User suspects that their Personal Mobile Device has been compromised (e.g., hacked), the User must cease all University related activity immediately on that device and notify the service desk.
3. Users must comply with the UMGC X-1.11 Remote Access Policy to minimize the risk of Data transmissions between a mobile device and organizational resources being logged, intercepted, or changed.
4. Reporting a Lost or Stolen Mobile Device
   1. The theft or loss of a Mobile Device or suspected breach of University Data must be immediately reported to a Supervisor, and to the UMGC Service Desk.
   2. Report the Mobile Device theft and details of the incident to the Police.
5. Disposing of a Mobile Device
   1. UMGC- owned Mobile Devices: Return the UMGC-owned mobile device to the University for disposal.
   2. Personal Mobile Devices: Prior to disposing of a Personal Mobile Device, University Data should only be backed up onto another University system (e.g., University assigned laptop, University cloud service provider). University Data must not be stored on personal external storage devices or personal cloud storage.
6. Support for Personal Mobile Devices is limited to configuration of security settings and connectivity to resources. The User assumes all responsibility for the Personal Mobile Device including maintenance, connectivity, and data plans.

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020.
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021

1. UMGC X-1.02 Data Classification
2. UMGC X-1.04 Information Security
3. UMGC X-1.05 Information Security Awareness and Training
4. UMGC X-1.11 Remote Access
5. UMGC X-1.12 Acceptable Use