Tarleton OITS Portable Computing Standard

Tarleton Office of Innovative Technology Solutions (OITS)
Portable Computing Standard

Effective: February 11, 2020

Revised: April 9, 2026

Procedure Summary

Portable computing devices are becoming increasingly powerful and affordable. Their functionality and small size are making these devices more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure for individuals using the devices.

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. This standard applies to Tarleton information resources that store, process, or transmit mission critical and/or confidential information.

The purpose of the Tarleton physical access standard is to provide guidance on the responsibilities of information resource owners to protect data residing on portable devices. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. This standard applies to the use of all portable information resources devices that process, contain or have direct access to confidential information. This standard will apply equally to all individuals who utilize portable computing devices and access Tarleton information resources.

Please see the Tarleton Security Controls Catalog, specifically the Media Protection (MP) family, for additional information and requirements.

Procedures and Responsibilities

Whenever possible, portable computing devices must be password protected.
Whenever possible, sensitive or confidential Tarleton data should not be stored on portable computing devices or portable storage devices. However, in the event that there is no alternative to local storage, such data must be encrypted using university-approved encryption techniques.
Sensitive or confidential information must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols and encryption techniques are utilized. See the Tarleton Security Controls Catalog AC-19, Access Control for Mobile Devices and SC-13, Cryptographic Protection for additional information.
All remote access (e.g. Internet, Remote Desktop Protocol (RDP), etc.) to confidential information from a portable computing device shall utilize encryption techniques, such as Virtual Private Network (VPN), Secure Socket Layers (SSL) or secure File Transfer Protocol (SFTP).
Unattended portable computing devices shall be kept physically secure using means appropriate to the potential risk associated with the device.
Keep portable computing devices patched and updated.
Install anti-virus software and a personal firewall where applicable.
Information resource owners will ensure that any portable computing device(s) within their area of responsibility is being managed and used in accordance with the Tarleton Acceptable Use procedure and applicable Tarleton Security Controls Catalog requirements.

Definitions

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).

Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the a department or the university

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.

Portable computing devices: Any easily portable device that is capable of receiving, transmitting and/or storing data, and that can connect by cable, telephone wire, wireless transmission or via any Internet connection to the Tarleton infrastructure and/or data systems. These include, but are not limited to: notebook computers, handheld computers, tablets, PDAs, pagers, smartphones, etc.

Portable Storage Device: An easily portable device that stores electronic data which includes but is not limited to: flash drives, external hard drives, memory cards, DVDs, CDs, USB connected storage devices, etc..

Remote Access: The act of using a computing device to access another computer/network from outside its established security realm (e.g. authentication mechanism, firewall, or encryption).