DTS POLICY 5000-0003
Policy Type: Enterprise
Section/Group: Security
Authority: UCA 63A-16-103; Utah Administrative Code R895-7 Acceptable Use of Information Technology Resources; Utah Administrative Code, R477-11 Discipline
Document History
Original Submission
Submitted on: NA
Submitted by: Tim Hastings, Chief Information Security Officer
Approved by: Michael Hussey, CIO
Issue Date: NA
Effective Date: December 9, 2013
Revisions
Last Revised Date: October 2, 2018
Last Revised by: NA
Last Approved by: NA
Reviews
Reviewed Date: February 2023
Next Review: February 2024
Reviewed By: Ken Wheeler
1.0 Purpose
1.1 Background
The following policy and guidelines inform State employees and contractors of the allowable uses and features of mobile computing devices available for business and limited personal use while connected to State networks and information technology assets.
This policy is necessary to protect the confidentiality, availability, and integrity of State of Utah secured information while it is stored, transmitted, or processed on mobile computing devices. Mobile devices are more susceptible to theft and loss than traditional desktop computing devices, so additional security measures are needed. This policy is not applicable to State data and information that is available on State public Internet sites.
1.2 Definitions
- Mobile device – Any mobile computing device, mobile phone, tablet computer, or laptop computer that accesses and stores information.
- State data – Non-public information owned by the State of Utah that requires authentication (a user identification and password) for access.
- Secure network – The State’s wired and wireless network used to access State data and resources including the UWDN network. Access to the Capnet network is not limited by this policy.
- Mobile Device Management (MDM) – A technology system that is used to ascertain if mobile devices attempting to connect to the network have required security controls configured.
- Bring Your Own Device (BYOD) – a concept that allows employees and contractors to utilize their personally-owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal laptop computers, tablets, smartphones, and other devices.
- Security protocols – Configurations, settings, and communication techniques on a device that control the confidentiality, integrity, and availability of the device's data.
- Operating System – A collection of software that manages device hardware resources and provides common services for applications and computer programs.
- Security Incident – An event that compromises the confidentiality, integrity or availability of State data.
- Encryption – The process of encoding data in such a way that third parties cannot read it and only authorized parties can (currently iOS devices are encrypted by default and Android devices are not).
- Firewall – A software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data and determining whether it should be allowed through.
- Supported Version – A release of software and/or hardware that has been approved for State use and can be used to access and process State data.
2.0 Scope
2.1
This policy applies to any mobile device that is used by the executive branch agencies to access and store State information or is used to access the secure network.
2.2
This policy applies to State employees and contractors accessing State data. Agencies should determine the best means of sharing data with outside parties, including commissioners, board members, and consultants. Communication methods and mediums should be considered before sharing information with them, and security controls such as authentication and encryption should be considered for private and restricted data.
2.3
The policy establishes a baseline standard for all mobile devices, whether purchased by the State or personally purchased, and used by State employees for access to State data and networks. Agencies are required to adhere to these standards on all mobile devices and determine if additional security measures should be established for the needs of their individual data sets.
2.4
The Division of Technology Services (DTS) supports the Mobile Device Management (MDM) service to enforce the technology standards outlined in this policy. Agencies can administer these MDM services independently or can elect to have DTS perform this as a service for them. If Agencies choose to administer MDM services individually, DTS will annually assess the configurations for compliance with this policy.
3.0 Policy and Rules of Behavior
3.1 Compliance
Any user with a mobile computing device accessing State data is subject to all DTS enterprise and agency policies, as well as federal, state and local statute governing acceptable use of State networks and information technology assets.
3.2 Smart Phone and Tablet Devices
Smart phone and tablet devices (such as Android and iOS) will be configured to and users will agree to:
- Protect the State-owned and personal computing device from theft, damage, abuse, and unauthorized use.
- Notify the DTS Help Desk or Enterprise Information Security Office within one hour if the device is lost or stolen, or as soon as practical after they notice the device is missing.
- Follow the Enterprise Information Security Policy 5000-0002, Section 2.4.11 Media Protection when connecting external devices to mobile devices for data storage (using encrypted disks to store any sensitive information).
- Connect to State networks using the security protocols required by your Agency. This may include use of secured network connections and use of State approved Virtual Private Network (VPN) services.
- Receive and install security and other operating system updates from the operating system vendor.
- Install Mobile Device Management software and applications on their device prior to connecting them to State systems.
- Use a 4-digit device password or thumb print reader on smart phones and tablets.
- Agree that DTS may restrict the access of any mobile computing device to State networks if the mobile computing device presents a probable and demonstrable threat to the integrity of State data or other computing resources.
- Encrypt the data on their device where State data is stored.
- Agencies may determine that personally owned mobile computing devices can connect to the State network and be used for business purposes. Personal devices that are used to access and store State data must meet the following requirements:
  - Allow the State access, for discovery purposes, to the content stored on the device when it is believed to be connected to a security incident;
  - Give the State the right to remotely disable or wipe the State data stored on the mobile device in the event the device is lost or stolen;
  - Install a Mobile Device Management agent requiring device encryption, a 4-digit passcode (or thumb print reader) and anti-virus (antivirus on Android devices only).
3.3 Laptop Computers
Laptop computers will be configured to and users will agree to:
- Protect the State-owned and personal computing device from theft, damage, abuse, and unauthorized use.
- Notify the DTS Help Desk or Enterprise Information Security Office within one hour if the device is lost or stolen, or as soon as practical after they notice the device is missing.
- Not use personally owned data storage devices and media (USB Flash Drives, CD/DVD, Portable Hard Drives, etc.) to capture and store State-owned information assets.
- Connect to State networks using the security protocols required by your Agency. This may include use of secured network connections and use of State approved Virtual Private Network (VPN) services.
- Receive and install security and other operating system updates from the operating system vendor.
- Use a password compliant with the 4000-0002 Enterprise Password Standards Policy.
- Agree that DTS may restrict the access of any laptop to State networks if the device presents a probable and demonstrable threat to the integrity of State data or other computing resources.
- Encrypt the data on their laptop if connected to the State network.
- Agencies may determine that personally owned laptops can connect to the State network and be used for business purposes. Personal laptops that are used to access and store State data must meet the following requirements:
  - Allow the State access, for discovery purposes, to the content stored on the device when it is believed to be connected to a security incident;
  - Give the State the right to remotely disable or wipe the content of the device in the event the device is lost or stolen;
  - Install anti-virus software that actively scans for security threats and receives regular updates of new virus definitions;
  - Install and activate encryption of all State data stored on the laptop, or activate whole-disk encryption (FileVault for Apple computers and BitLocker for Windows computers);
  - Activate the laptop's firewall to block incoming traffic to the device.
3.4 State Network Use
Access to and continued use of network services is granted on the condition that each employee or contractor reads, signs, respects, and follows Enterprise and Agency policies concerning the use of computing devices while connected to State-owned networks and/or information assets.
Access to State resources which house federally regulated data such as FTI, HIPAA, CJIS, etc., is not allowed over wireless networks, except through a state-provided VPN or an industry recognized encryption protocol (e.g., HTTPS).
3.5 Personally Owned Devices
Users of personally owned devices used for State business purposes agree to the following:
- DTS does not provide technical support for personally owned devices,
- Users acknowledge that when State data is stored on personally owned devices, the contents of these devices could be subject to GRAMA requests, and
- Users agree to hold the State harmless for any damage to the device or its operating system and related software as a consequence of using the State network or other computing resources.
3.6 Current Mobile Devices Approved for State use
DTS does not provide support for the following devices with an Operating System (OS) older than two versions back from the current.
Smartphones and Tablets
- Android OS
- Motorola
- Samsung
- iOS
- iPhones
- iPads
Windows Based Laptop Computers
- DTS supported models (see current ServiceNow catalog)
Mac OSX Based Laptops
- DTS supported models (see current ServiceNow catalog)
3.7 Personally Owned Data Storage Devices
Personally owned data storage devices (USB Flash Drives, CD/DVD, Portable Hard Drives, etc.) are not approved for use. State information should not be stored on personally owned mobile devices outside of native email, calendar, and State approved applications. Use of State owned storage devices is governed by agency policy and procedures.
3.8 Expectation of Privacy
State of Utah employees and contractors do not have a right, nor should they have an expectation, of privacy while using State-owned personal computing and data storage devices connected to or using State-owned networks and information technology assets, including accessing the Internet and using e-mail and voice communications. The Division of Technology Services will respect the privacy of employee and contractor personal devices and will only request access to the device by technicians to implement security controls, as outlined by enterprise policy directives, or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings. This differs from policy for State-owned or provided equipment/services, where State employees and contractors do not have the right, nor should they have the expectation, of privacy while using State-owned equipment or services. If questions arise related to compliance with these security requirements, State employees and contractors may opt to drop out of the BYOD program versus providing the device to technicians for compliance verification. Should a user opt out of the BYOD program, it is expected the personal device is not used to access State resources.
4.0 Policy Compliance
State of Utah employees and contractors are expected to comply with this policy. Additional policies and standards developed and implemented by State Agencies may include additional objectives or detail, but must be compatible with the security objectives described in this policy document.
5.0 Enforcement
Violation of this policy by personnel employed by the State of Utah may be the basis for discipline including but not limited to termination. Individuals and contractors working with any State of Utah Agency found to have violated this policy may also be subject to legal penalties as may be prescribed by state and/or federal statute, rule, and/or regulation.