Mobile devices are not always designed with security in mind and, as a result, are not as secure as most computers.
There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing", and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential information.
Private Information and Mobile Device Use
We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.
To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest.
Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.
General Guidelines for Mobile Device Use at RIT
Understand your device
- Configure mobile devices securely. Depending on the specific device, you may be able to:
- Enable auto-lock. (This may correspond to your screen timeout setting.)
- Enable password protection.
- Use a reasonably complex password where possible.
- Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
- Ensure that browser security settings are configured appropriately.
- Enable remote wipe options. Third-party applications may also provide the ability to remotely wipe the device. If you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu.
- Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
- Ensure that sensitive websites show https in the browser URL on both your computer and mobile device.
- Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
Use added features
- Keep your mobile device and applications on the device up to date. Use automatic update options if available.
- Update the Google Play Store app as well: http://www.cnet.com/how-to/force-the-play-store-app-to-update-on-android/
- Install an anti-virus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
- Use an encryption solution to keep portable data secure in transit and at rest. WPA2 wireless connections are encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.
- Never leave your mobile device unattended.
- Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
- Include contact information with the device:
- On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853."
- Engraved on the device.
- Inserted into the case.
- For improved performance and security, register your device and connect to the RIT WPA2 network where available.
Mobile Device Disposal
Use appropriate sanitization and disposal procedures for mobile devices. Suggestions are available from:
- The SANS Institute: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf
- The FTC: http://www.consumer.ftc.gov/articles/0200-disposing-your-mobile-device