UNIVERSITY STANDARD STATEMENT
This standard establishes the expectations for personal computing devices, otherwise known as Bring Your Own Device (BYOD).
REASON FOR STANDARD
Personally owned computing devices are increasingly being used to access VU information technology (IT) assets and university data. A security breach when using a personal device could result in loss or compromise of university data, damage and/or unauthorized access, and/or financial harm to the university.
The purpose of this standard is to establish minimum security requirements and VU Community Member responsibilities, along with appropriate and inappropriate use of personally owned devices that connect to VU IT assets and/or access university data.
The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.
SCOPE AND AUDIENCE
This standard applies to any device being used to collect, transmit, process, store or host university data that is not VU-owned, including but not limited to cell phones, tablets, laptops, and notebooks.
STANDARD
1. ROLES AND RESPONSIBILITIES
- Individuals who utilize a personal device to access VU IT assets are responsible for the following:
  - Abiding by the requirements identified within the Appropriate Use of Technology Assets Policy and this Bring Your Own Device (BYOD) Standard;
  - Any damages and criminal and/or civil charges resulting from the activities conducted on their personal device while connected to a VU IT asset;
  - Complying with VU cybersecurity professionals for the access of personally owned devices when deemed necessary to support incident investigations (e.g., personal devices may be accessed during an investigation); and
  - All transactions made from their VUNet ID while using a personally owned device.
- The university is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices including loss, theft, or damage. Personal devices must maintain an adequate baseline level of security in accordance with university policies and standards.
- The Chief Information Security Officer is responsible for implementation and enforcement of this Standard. All members are required to comply with the standards of this policy. VU Information Technology (VUIT) is responsible for university authentication systems, verifying authentication credentials provided, and troubleshooting connectivity or authentication issues.
- Deploying infrastructure and maintaining the availability of the university network is a shared responsibility of VUIT, the Office of Cybersecurity and all school/department IT groups on campus.
2. DEVICE SECURITY AND USAGE
- Individuals who utilize a personal device to access university technology resources must:
  - Ensure the physical security of the device to prevent unauthorized use, loss, theft, and/or damage; and
  - Report suspected security and privacy incidents or stolen devices that contained university data.
- A personally owned device must never disrupt use or function of the university network and/or a VU IT asset to which it is connected. The university will ban or prevent from accessing the network any device that continually causes disruptions to system resources.
- The device owner must change their VUNet login password immediately when a personal device that has access to university data is lost or stolen; and
- Personally owned devices must never be used as a university server or networking device.
- All devices that connect to university IT assets and/or access university data must meet the following security requirements, as feasible:
  - Employ an active form of access protection such as a passcode, passphrase, facial recognition, or fingerprint;
  - Meet applicable information security policies and standards (e.g., passwords and/or passphrases) as defined by the Office of Cybersecurity or VUIT;
  - Be configured to lock or log out and require a user to re-authenticate if left unattended for more than 15 minutes. Devices that do not support this capability must be secured alternatively, such as by restricting access in a locked room;
  - Run a supported Operating System that is patched and updated regularly;
  - Devices must be configured to allow the removal of all data in the event the device is lost or stolen. Devices that do not support the removal of all data functionality must be encrypted; and
  - Devices that have unauthorized modifications to change built-in protections (e.g., “Jailbroken” or “Rooted”) must not be used to access university resources.
3. CONDUCTING UNIVERSITY BUSINESS
- The university provides the use of university IT assets, including devices, which must be used by authorized individuals as the preferred means to create, store, send, or receive university data.
- To prevent data loss and inadequate security on a device that is outside of VU control, data classified as confidential, sensitive, or critical (Level 2 - 4 in the ) must not be stored to a personally owned device.
- Software licensed to the university must never be downloaded to a personally owned device unless specifically permitted by the license (e.g., Microsoft Office).
- University data subject to document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders) stored on a personally owned device must be produced upon the request of the university.
- Any university data downloaded to a personally owned device must be destroyed, removed, or returned to the university once the individual:
  - Is no longer employed by the university;
  - No longer requires access to the university data due to changing job responsibilities; or,
  - Is no longer the owner or primary user of the device.
EXCEPTIONS
On a rare occasion, a security policy exception may be considered depending on the impact to the university mission and security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.
ENFORCEMENT
Any VU community member that violates this policy may be subject to disciplinary action up to and including termination. The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law and individuals shall be accountable as applicable.
FORMS AND TOOLS
N/A
FREQUENTLY ASKED QUESTIONS
HISTORY
| Review Date | Summary of Changes |
| --- | --- |
| April 2023 | Updated boilerplate language and terms |
| February 2025 | Added review cadence and hyperlinked associated Standard. Conducting ongoing discussions regarding program oversight and governance amidst organizational changes |