Mobile Device & Removable Media Service Requirements

Effective date: 07/01/2018

Last updated: 03/04/2024

Service Requirement PDF

Purpose

This Service Requirement defines the appropriate use of mobile devices and removable media as a means of accessing Restricted or Internal University Data. This service requirement’s purpose is to provide the ways in which the University permits the use of mobile devices and removeable media to access University data.

These service requirements apply to any mobile device and removable media device that accesses Duquesne University Data. It also applies to any campus affiliates including faculty, staff, students, retirees, or guests accessing University Data.

University Data that is considered Restricted or Internal is defined in the CTS Data Governance Service Requirements.

Service Requirements

These Mobile Device & Removable Media Service Requirements specify the fundamental details for the appropriate use of mobile devices & Removable Media at Duquesne University. 

University Owned Mobile Devices

Certain University employees are required to use mobile devices for Duquesne University business functions. University supervisors must identify those employees that require a mobile device as part of their job responsibilities. Computing and Technology Services (CTS) is responsible for the procurement and institutional management all University owned mobile devices. CTS will work directly with IT support staff, departments and individuals on the purchase of a mobile device and any subscription to data/voice plans. Departments are responsible for providing the appropriate funding for the purchase of the devices and subscriptions to voice/data plans. 

All University-owned mobile devices are required to be managed by Computing and Technology Services (CTS), which requires the installation of managed service software. This software allows the University to maintain proper security controls, software updates, approved applications, and configurations of mobile devices owned by the University. 

Employees are allowed incidental personal use of University-owned mobile devices as long as no applicable fees, state or federal laws and/or university policies are being violated by such use. University-owned mobile devices including the data stored on a device, and the data/voice plans and records are sole property of the University. When an employee leaves the University, all University-owned mobile devices must be returned to the University. 

Personally Owned Mobile Devices

The University recognizes that in today’s world of mobile devices, many individuals leverage the use of their personal mobile devices to connect to University information technology resources. Computing and Technology Services (CTS) permits the use of personal devices to access certain resources on campus, but may require security controls be configured on personal devices based on the sensitivity of that data that individuals are accessing. All use of personally owned devices to access University Data must comply with state and federal laws, as well as with Duquesne University’s own policies and service requirements governing the appropriate use of technology. 

All Mobile Devices accessing University Internal or Restricted Data

If a campus affiliate, either for work-related or academic requirements or through their own personal choice, elects to access University Data via a mobile device, they must accept the security policies defined by the University. These security policies will be required to be added to the mobile device upon connecting to University Data. 

The mobile security requirements to access University Data are:

• Require at least a 5 digit pin/passcode to unlock the device;
• Access to remotely wipe the Duquesne University data in the event the device is lost or stolen;
• Potentially limit the amount of email that can be stored on the device based on manufacturer/software availability.

Data Loss Prevention (DLP) continues to be a concern at Duquesne and other institutions across the world try to gain control over the proliferation of sensitive data and how to put policy and controls around it.  Data breaches continue to affect institutions, resulting in tarnished reputations and costly identity protection services. It is important that members of our community be aware of the restricted data including personally identifiable information (PII) that might be stored on devices, and remove any traces of PII immediately. 

Report a Lost or Stolen Mobile Device Processes

• If a University-owned or personal mobile device containing University Data classified as Restricted or Internal is lost or stolen, please contact the CTS IT Service Desk at 412-396-4357 to report the device is missing. CTS may then issue a remote wipe command to erase the University data from the mobile device. 

Removable Media Devices

Removable media such as USB memory sticks, memory cards, external hard drives, or any hardware that is used to store files, pictures, or other electronic media should be properly secured and protected if storing Duquesne University data. The following security requirements must be followed to use removable media on Duquesne University systems or in hosting Duquesne University data. 

• Users must ensure that any removable media device is free from malicious software before connecting them to University computers or network devices. 
• Users should never store Restricted Data on removable media unless it is properly encrypted and secured by Computing and Technology Services (CTS). 
• All removable media is required to be properly encrypted and password protected in case of loss or theft. 
• Users should ensure that removable media is stored in areas that are physically secured. 
• If a removable media containing University information is lost or stolen, the incident must be reported to Computing and Technology Services (CTS) immediately by emailing helpFREEDUQUESNE. 

Other best practices for mobile device management

While not requirements, these best practices for mobile device management will help provide our campus affiliates guidance on how to protect and secure mobile devices. 

• Use anti-malware applications.
• Leverage encryption if possible. 
• Verify encryption mechanisms and ensure that data is being transmitted securely. 
• Disable options and applications that you don't use. 
• Regularly back up your data. 
• Dispose of your device safely by removing all sensitive data.
• Avoid jailbreaking.
• Verify applications before downloading.

Enforcement

The unauthorized or improper use of Duquesne University’s technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to TAP 26 - Computing and Ethics Guidelines.

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.