A. Name: Mobile Device Encryption Policy
B. Number: 2017-02-15-mobiledeviceencryption
C. Author: M. Muth (ISC Information Security)
D. Status: [ ] proposed [X] under review [ ] approved [ ] rejected [ ] obsolete
E. Date proposed: 2017-02-15
F. Date revised: N/A
G. Date approved: N/A
H. Effective date: N/A
II. Authority and Responsibility
Information Systems and Computing's Office of Information Security has the authority and responsibility to establish information security policies, guidelines, and standards.
III. Executive Summary
This policy describes the requirements for encrypting Penn-owned mobile devices. It includes generic requirements, as well as their current technical interpretation.
The purpose of the policy is to protect the confidentiality, integrity, and availability of University data stored on Penn-owned mobile devices.
V. Risk of Non-compliance
If a Penn-owned mobile device containing confidential University data is lost or stolen, Penn schools and centers are exposed to risk of regulatory fines, lawsuits, reputational damage, and the loss of trust by critical members of our community. For individuals, a loss of privacy may result, together with possible identity theft, embarrassment, harassment, and other problems.
This policy applies to all Penn-owned mobile devices that run a workstation-class operating system supported by Penn and that are capable of native full-disk encryption, except for Temporary Use Mobile Devices.
VIII. Statement of policy
IX. Recommendations and Best Practices
A. Verification: ISC reserves the right to review a school or center's records verifying mobile device encryption.
B. Notification: Notification shall be made to the Security Liaison for the area.
C. Remedy: Remedy will be the establishment of required encryption and record keeping. ISC will offer consulting assistance to the school or center IT personnel where possible to bring the encryption program into compliance as quickly as possible.
D. Financial Implications: Costs associated with the implementation of mobile device encryption are the responsibility of the department, school, or center which provided funds to purchase the mobile device.
E. Responsibility: Responsibility for remedy lies with the department, school, or center which provided funds to purchase the mobile device.
F. Time Frame: This policy shall be effective three months after final approval for new mobile devices and 12 months after final approval for existing mobile devices. If a school or center security liaison believes that the school or center cannot comply with this timeframe, he or she may petition for an extension under Appeals, below.
G. Enforcement: The Office of Audit, Compliance and Privacy may include compliance in its periodic audits of schools and centers.
H. Appeals: Requests for a waiver from the requirements of this policy are decided by the University Information Security Officer. A waiver granted for the inability to meet one compliance requirement does not exempt the system owner from meeting all other requirements. All waiver requests may be submitted to ISC Information Security. Cases of ambiguity in the policy will be handled by the Network Policy Committee (NPC).