SAP 24.99.99.T1.18 (Effective September 5, 2007)

(Supplements Rule 24.99.99.T1)

 

Information Resources – Portable Computing

 

1. GENERAL

 

Portable computing devices are becoming increasingly powerful and affordable.  Their functionality and small size are making these devices more desirable to replace traditional desktop devices in a wide number of applications.  However, the portability offered by these devices may increase the security exposure for individuals using the devices.

 

The purpose of the Tarleton State University portable computing security procedure is to establish the rules for the use of mobile computing devices and their connections to the network.  These rules are necessary to preserve the integrity, availability and confidentiality of Tarleton State University information.

 

2. APPLICABILITY

 

This Standard Administrative Procedure (SAP) applies to the use of all portable information resources devices that process, contain or have direct access to confidential information.

 

This SAP will apply equally to all individuals that utilize portable computing devices and access Tarleton State University information resources.

 

3. DEFINITIONS

 

Confidential Information:  Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act or Family Educational Right to Privacy Act.

 

Information resources:  The procedures, equipment and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display and transmit information or data.

 

Portable computing devices:  Any easily portable device that is capable of receiving, transmitting and/or storing data, and that can connect by cable, telephone wire, wireless transmission or via any Internet connection to the Tarleton State University infrastructure and/or data systems.  These include, but are not limited to, notebook computers, handheld computers, PDAs, pagers, cellphones and portable storage devices (such as flash drives, memory cards, USB-connected storage devices, etc.).

 

4. PROCEDURES

 

4.1 Whenever possible, portable computing devices must be password protected.

4.2 Whenever possible, sensitive or confidential Tarleton State University data should not be stored on portable computing devices.  However, in the event that there is no alternative to local storage, such data must be encrypted using University-approved encryption techniques.

 

4.3 Sensitive or confidential information must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols and encryption techniques are utilized.

 

4.4 Remote access to Tarleton State University systems must utilize approved encryption techniques when transmitting or receiving sensitive or confidential information.

 

4.5 Unattended portable computing devices shall be kept physically secure using means appropriate to the potential risk associated with the device.  This may include storing the device in a locked office, desk drawer or filing cabinet, or attaching the device to a desk or chair via a cable lock system.

 

4.6 All portable devices, such as laptops, must utilize current anti-virus software, especially when connected to a network outside the Tarleton infrastructure.

 

4.7 Device and information resource owners will ensure that any portable computing device within their area of responsibility is being managed and used in accordance with all applicable University acceptable use policy.

 

OFFICE OF RESPONSIBILITY:  Department of Information Technology Services

 

CONTACT:  Executive Director – Information Technology Services