Use of mobile devices

Purpose

The purpose of this policy is to outline the requirements and user expectations for reading and manipulating institutional data on mobile devices. In addition, this policy outlines expectations with respect to the general use of privately-owned mobile devices on the university campus or at university activities.

Policy

The use of a mobile device to access institutional data by an authorized user must be accomplished via secure and encrypted means if the mobile device is not directly connected to the university network. Unauthorized access to institutional data utilizing a mobile device is prohibited. In addition, individuals utilizing the university’s network(s) are prohibited from using mobile devices to violate copyrights including, but not limited to, copyrighted music, movies, software and publications.

Mobile devices shall not be used in a manner that causes disruption in the classroom, library, or within any Lynn University owned or operated facility. Abuse of mobile devices with photographic and videotaping capabilities for purposes of photographing test questions or other notes and materials is prohibited and considered a violation of the university’s academic honesty policy. Photographing or videoing individuals in secured areas such as bathrooms, locker rooms, residential halls or other areas where there is a reasonable expectation of privacy, and/or taking photographs of an individual against their will is strictly prohibited. Electronic transmission of photographs of any person without express permission is strictly prohibited. Please refer to the university’s photography and videography policy for additional information. Moreover, photographing or videoing confidential or sensitive university information (e.g., business plans, strategies, customer information, non-directory student records, or other proprietary information belonging to Lynn University or its customers not otherwise available to persons or firms outside the university to individuals) is strictly prohibited.

Definitions

Authorized user(s) - are all users of technology resources including, but not limited to, employees, temporary employees, faculty, students, alumni, campus visitors, contractors, vendors, consultants and their related personnel, and other users authorized by the university to access its systems and networks.

Mobile device—any handheld or portable computing device including running an operating system optimized or designed for mobile computing.

Information technology resources - are assigned computer accounts, email services, and the shared university network(s), which includes resources, staff and facilities operated by the university, whether owned, leased, used under license or by agreement, including, but not limited to: telephones (including mobile devices) and telephone equipment, voice mail, SMS, desktop and laptop computers, electronic devices, hardware, software, networks, computing laboratories, databases, files, information, software licenses, computing-related contracts, network bandwidth, usernames, passwords, documentation, disks, CD-ROMs, DVDs, magnetic tapes, and other electronic media or storage devices. Email, chat, facsimiles, mail, any connection to the university's network(s) or use of any part of the university’s network(s) to access other networks, connections to the internet that are intended to fulfill information processing and communications functions, communication services, hardware, including printers, scanners, facsimile machines, any off-campus computers and associated equipment provided for the purpose of university work or associated activities.

Institutional data - is any information, including directory information, PII, and student and employee financial information, and public information that can be linked to any individual, including but not limited to, students, faculty, staff, patients, or contractors. Institutional data and all applications storing and transmitting such data, regardless of the media on which they reside, are valuable assets, which the university has an obligation to manage, secure, and protect.

Employee financial information—that information the university has obtained from an employee in the process of offering a benefit or service. Offering a benefit or service includes all university sponsored benefit plans and university financial services such as flexible spending accounts, and personal payroll services. Examples of employee financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Student financial information—that information the university has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Remote wipe—the ability to erase all data on a device when the user and the device are physically separated. This is most often done through a service that the manufacturer provides via a website.

Procedures/Guidelines

I. Mobile device precautions
The following security requirements govern the use of any mobile devices that are used on the university’s network(s), regardless of whether the mobile device was purchased or leased with university funds:

Remote access to the university’s nonpublic-facing systems will be protected via secure or encrypted protocols. Only those employees and contractors whose job duties require this level of access will be granted remote access.

All mobile devices accessing the university’s network(s) must be updated to the latest device operating system with the latest security patches and anti-virus software.

All applications must be updated with the latest security patches.

Mobile device users may not allow someone who is not authorized access to the university network to use their devices if the device has been used to store, access and/or process institutional data.

All devices that have been used to store, access and/or process institutional data must delete the data stored on their devices immediately after the work with it is completed.

All mobile devices must be configured with a PIN, passcode, or password-enabled lock screen configured to activate at no more than 5 minutes of inactivity.

All mobile devices with built-in encryption capability must have the device’s encryption enabled.

All mobile devices must have “remote wipe” enabled through a third party application or the manufacturer’s website.

All mobile devices that have been used to store, access and/or process institutional data must be wiped to remove such data before they are transferred to someone else through sale or gifting.

In the event that a mobile device which has been used to store, access and/or process institutional data becomes lost, stolen or compromised, the owner must contact Information Technology.

Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the university’s network(s).

II. Consent
Users of personally-owned mobile devices may access information through the university’s portal. In accessing the portal with a personal mobile device, the user understands and agrees that the university will not reimburse or otherwise compensate the user for any costs associated with accessing the university network with a personal electronic device. Such costs may include, but are not limited to, monthly call and data plans, long distance calling charges, additional data or roaming fees, charges for excess minutes or usage, equipment, surcharges and any applicable fees or taxes. The user also understands that he/she may be held liable for any criminal and/or civil penalties that may result from loss, theft or misuse of the institutional data accessed and/or stored on the mobile device.

Upon termination of affiliation with the university, users agree: (a) to immediately delete all institutional data stored on the mobile device; and (b) to remove the university email account and wi-fi settings from the mobile device. Failure to complete the above may result in the mobile device being remote wiped by the Department of Information Technology (IT).

III. Initial configuration
To ensure proper initial configuration of electronic devices, users should consult with IT before purchasing a new device to verify its suitability for the university’s network environment. For allowed university-owned/leased devices, IT will configure the device to access the campus email and calendar resources. A brief orientation session on proper use of the mobile device can be scheduled with IT. For allowed personal devices, IT will provide written procedures for configuring devices to access campus resources. It is the responsibility of the owner to configure the mobile device properly and, should they need assistance, to contact their service provider.

IV. Support
For university-owned/leased mobile devices, users should contact the IT Department for assistance. Information technology will handle all technical issues on behalf of the university. For allowed personal mobile devices, users should contact their service provider for troubleshooting assistance.

V. Student use of mobile devices in the classroom
Mobile devices may not be used in a manner that causes disruption in the classroom or library. Moreover, the university does not allow the use of such mobile devices to photograph or video any classes without instructor permission. Abuse of mobile devices with photographic or video capabilities for purposes of photographing test questions or materials is a violation of the university’s academic honesty policy.

VI. Use of mobile devices in vehicles
The university is committed to promoting highway safety by encouraging the safe use of mobile devices by its students, faculty, administrators, and staff while operating a vehicle on campus or in the performance of university business or a university sanctioned activity. If a university student or employee needs to use a mobile device under these circumstances, the individual is strongly encouraged to find a proper parking space and park the car before using the device. Parking on the side of the road is not recommended, except in the case of a genuine emergency. Students, faculty, administrators, and staff are expected to comply with applicable state laws including those laws requiring the use of hands-free functions. Violations of this policy may result in disciplinary action.

VII. Risks/liabilities/disclaimers
While the university will take every precaution to prevent an authorized user’s personal data from being lost in the event it must remote wipe a mobile device, it is the mobile device user’s responsibility to take additional precautions, such as backing up notes, documents, application data, etc. The university reserves the right to disconnect mobile devices or disable services from its network without notification.

Users are personally liable for all costs associated with a non-university issued mobile device and assume full liability for risks including, but not limited to, the partial or complete loss of institutional data and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the mobile device unusable.

VIII. Sanctions
Student and employee violators of this policy are subject to appropriate corrective action, including, when appropriate, suspension, dismissal, or expulsion. Visitors and other third-party users who violate the provisions of the policy are subject to loss of access to the university’s technology resources.

For more information about this policy, contact Information Technology.

Policy updated on: Nov. 1, 2021