Thanksgiving Break
Nov. 26, All day
Thanksgiving Break
Nov. 27, All day
Thanksgiving Break
Nov. 28, All day
Thanksgiving Break
Nov. 29, All day
Thanksgiving Break
Nov. 30, All day

WBB vs. Georgetown
Nov. 23, 02:00 pm
MBB vs. Rider
Nov. 24, 07:00 pm
Volleyball vs. West Virginia
Nov. 26, 06:00 pm
WBB vs. Iona
Nov. 26, 08:00 pm
Volleyball vs. Oklahoma
Nov. 29, 12:00 pm

  • Home
  • KUMC Mobile Device Security

KUMC Mobile Device Security

Policy
Purpose: 

Principle

As mobile devices further incorporate features traditionally found in a personal computer, their smaller size and affordability make these devices a valuable tool in a wide variety of applications. However, these devices are also subject to increased risk of loss, breakage, theft and unauthorized use.

Purpose
The purpose of this policy is to provide guidelines for the appropriate use and configuration of mobile devices as necessary to protect the KUMC network and\or information from unauthorized access or disclosure.

Applies to: 

Resources Covered By This Policy
All electronic mobile devices that are used to access the University of Kansas Medical Center's network or to store KUMC information.

Individuals and Groups Covered By This Policy
All KUMC faculty, staff, and students; employees of Kansas University Physicians, Inc. (KUPI); .as well as vendors, contractors or any others who utilize a mobile device to access the KUMC network or store KUMC information.

Campus: 
Medical Center, Kansas City
Wichita
Salina
Policy Statement: 

I.  Requirements for the Use of Mobile Devices

  • Personal mobile devices that are used to access the KUMC network must conform to the security requirements outlined in KUMC's Desktop Computer Standards.
  • Use of encryption.  All laptops and tablet PCs must consistently encrypt all files using the University's standard encryption technology (currently McAfee Endpoint Encryption with server-based key management).  Any unencrypted laptop or tablet acquired by an individual or department must be delivered to Information Resources for encryption prior to being used for any purpose. 
  • Recovery software.  All portable computers (laptops and tablets) owned by the University or the KUMC Research Institute must have tracking software installed to enable their identification and retrieval in the event of loss or theft.  Exceptions will be made only for older computers used to access or store sensitive information and where the tracking software conflicts with the software used for encryption.
  • Physical protection.  Mobile devices owned or issued by the University must not be left unattended and, where possible, must be physically locked away or secured. 
  • Device identification.  All laptops, tablets, PDAs, Blackberries, smart phones and portable hard drives owned or issued by the University must be permanently marked as "Property of the University of Kansas Medical Center" and indicate a method of return if the device is lost. 
  • Virus protection.  Any mobile device that is capable of using antivirus software must have the software installed and configured to maintain updated virus signatures.  Contact Information Security (8-3333) for information on approved antivirus software.
  • Security Updates.  A procedure must be established and implemented to ensure that all security patches and updates relevant to the device or installed applications are promptly applied in compliance with KUMC's Vulnerability Management policy.  
  • Disable unused services.  Wireless, infrared, Bluetooth or other connection features should be turned off when not in use. 
  • Storage of passwords.  The storage of user IDs and passwords which allow access to the KUMC network or its systems is prohibited on mobile devices.
  • Termination of University relationship.  All University-owned mobile devices must be returned to KUMC immediately upon termination of the assigned user's relationship with the University.  In addition, any software applications purchased by the University and installed on personal mobile devices must be removed immediately by the user.
  • Report any suspected misuse or theft of a mobile device immediately to Information Security and the campus police. 

II. Additional Requirements for Mobile Devices Used to Store Sensitive Information

The following represent "best practices" for anyone utilizing a mobile device; however, mobile devices used to store sensitive information must meet the following requirements.

  •  Access and use sensitive information appropriately.  Sensitive information must not be stored on mobile devices without prior approval from your department Director or Chair.  For more information on identifying and handling sensitive information, refer to the policy titled "Sensitive Information in Electronic and Paper-Based Systems".
  • Use of personal devices is prohibited.  Sensitive information may only be stored on mobile devices that are owned or issued by KUMC. 
  • Use of USB drives (also known as "thumb drives") for the storage of sensitive information is prohibited.
  • Device registration and certification.  Any mobile device used to store sensitive information must be registered with and certified by Information Security prior to its use.  Contact the Department of Information Security (8-3333) for information about mobile device registration and certification.
  • Physical protection:  Mobile devices used to store sensitive information must not be left unattended and, where possible, must be physically locked away or secured.  In addition, any portable media (for example, portable hard drives, CD-R or DVD-R disks) used for backup of systems containing sensitive information must be encrypted and stored securely in locked drawers, cabinets or other secure enclosures.
  • Exclusivity of use. Any mobile device that has been registered and approved to store sensitive information must not be shared with any other person without prior written approval from Information Security.
  • Password protection.  Access to the mobile device must be protected by the use of a password that meets the requirements outlined in the Password Security Policy.
  • Use of encryption.  Any mobile device other than a portable laptop or tablet PC that contains sensitive information must consistently encrypt all files using an encryption method that has been approved by Information Security.  Contact the Department of Information Security (8-3333) for information on approved encryption solutions.
  • Secure connectivity.  Any sensitive information transmitted to or from the mobile device (e.g., wireless or the Internet) must be encrypted. 
  • Synchronization.  Mobile devices containing sensitive information must only synchronize data with sync stations, workstations or other devices that also have been approved for the storage of the sensitive information.
  • Protection of information.  Reasonable care must be taken when using mobile computing facilities in public places, meeting rooms or other unprotected areas outside of KUMC's premises to avoid the unauthorized access to or disclosure of the information stored on or accessed by the device.
  • Termination of University relationship.  Sensitive information must be removed from the device immediately upon termination of the assigned user's relationship with the University.
  • Dispose of the device properly.  All KUMC devices, including mobile devices and other electronic equipment that are used to store sensitive information in the past, must be disposed of as outlined in KUMC's Computer Equipment Disposal and Media Sanitization Policy.
Exclusions or Special Circumstances: 

Requests for exceptions to this Policy may be granted only under special circumstances. Any requests must be submitted in writing to the Director of Information Security for approval. The KUMC Information Security Exception Form is available for this purpose.

Exceptions will be permitted only on receipt of written approval from Information Security. Information Security will retain documentation of currently permitted exceptions and will review them on an annual basis.

Consequences: 

Suspected or known violations of this policy will be reported to the appropriate University officials, and may result in:

  • Loss of individual computing privileges.
  • Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
  • Disconnection of non-compliant systems from the KUMC network

Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies. 

 

 

 

Contact: 

For information on this policy, please contact:

Eric Walters
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Michael Harmelink
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-4900

Rick Johnson
Director of Public Safety
University of Kansas Police Department
University of Kansas Medical Center
115 Support Services Bldg, 2100 West 36th Avenue
Kansas City, Kansas 66160
(913) 588-0830

Approved by: 
Executive Vice Chancellor, KUMC
Approved on: 
Monday, July 17, 2006
Effective on: 
Monday, July 17, 2006
Review Cycle: 
Annual (As Needed)
Definitions: 

Mobile device: includes any device that is both portable and capable of collecting, storing, transmitting or processing electronic data or images.  Examples include, but are not limited to, laptops or tablets (e.g., iPads), personal digital assistants (PDAs), and "smart" phones such as Blackberries.  This definition also includes storage media, such as USB hard drives or memory sticks, SD or CompactFlash cards, and any peripherals connected to a mobile device.

Personal mobile device: includes any mobile device that is not owned or issued by the University of Kansas Medical Center.

Sensitive information: includes personal identity information, protected health information, student educational record information that are protected by law or regulation; as well as other proprietary information.   Guidelines for identifying and protecting sensitive information at the University of Kansas Medical Center are discussed in the operational protocol titled "Sensitive Information in Electronic and Paper-Based Systems".

Keywords: 
mobile, devices, cellphone, tablet, usb
Review, Approval & Change History: 

2014-07-15:  Updated contact information.

2014-03-03: Reviewed and moved into KU Policy Library.

2013-04-18: Reviewed with no changes.

2012-04-27: Reviewed with no changes.

2011-05-18: Revised to include language regarding termination of University relationship.

Information Access & Technology Categories: 
Privacy & Security

Policy Library Search
Can't Find What You're Looking For?
One of 34 U.S. public institutions in the prestigious Association of American Universities
26 prestigious Rhodes Scholars — more than all other Kansas colleges combined
Nearly $290 million in financial aid annually
46 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times