Standard Number: 1.11.1.1.3
Category: Acceptable Use
Owner: Information Security Services
Effective: July 18, 2023
Revision History: Originally effective December 18, 2012; updated January 1, 2020
Review Date: July 17, 2026
-
Purpose, Scope, and Responsibilities
- Personally owned computing devices are increasingly being used to access University Technology Resources and University Data. A security breach when using a personal device could result in loss or compromise of University Data, damage and/or unauthorized access to University Technology Resources, and/or financial harm to the University.
- The purpose of the Standard is to establish minimum security requirements for personally owned devices that connect to University Technology Resources and/or access University Data. This Standard does not apply to University-owned devices. For more information regarding University-owned devices, refer to the University-Owned Device Standard.
- Individuals who elect to utilize a personal device, including but not limited
to smartphones, tablets, laptops, notebooks, and netbooks, to access University
Technology Resources are responsible for the following:
- Abiding by the requirements identified within this document;
- Configuring personal device(s) to be able to connect to University Technology Resources;
- Any damages and criminal and/or civil charges resulting from the activities conducted on their personal device while connected to a University Technology Resource; and,
- All transactions made under their Authentication to a University Technology Resource.
- The University is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices including loss, theft, or damage.
- The Chief Information Officer, supported by the Chief Information Security Officer (“CISO”), is responsible for implementation and enforcement of this Standard. Information Technology Services (“ITS”) is responsible for University Authentication systems, verifying Authentication credentials provided, troubleshooting Authentication issues, and performing vulnerability scans of the Campus Network. ITS is not responsible for configuring use of personal devices to connect to University Technology Resources.
- Pursuant to the Campus Network Standard, ITS is responsible for deploying all Campus Network infrastructure including wireless access points and routers.
-
Personal Device Use
- Individuals who elect to utilize a personal device to access University Technology
Resources, whether for personal use, University business, on University time,
or during business travel must:
- Abide by the Acceptable Use of Technology Resources and Data Policy;
- Maintain and back up the personal data stored on the device;
- Ensure the physical security of the device to prevent loss, theft, and/or damage;
- Report lost or stolen devices that contained University Data; and,
- Ensure the device meets the security requirements identified within Section 3 of this document.
- A personally owned device must never disrupt use or function of the Campus Network and/or the University Information System to which it is connected. The University will ban or prevent any device from accessing the Campus Network that continually causes disruptions to University Technology Resources.
- The device owner must change their WVU Login password immediately when a personal device that has access to University Data is lost or stolen.
- Pursuant to Identity and Access Management Policy, Authentication is required before a device will be permitted to access the Campus Network.
- Personally owned devices must never be used as a University server or networking device, including use as a router or hotspot to connect other University Technology Resources to the Campus Network.
- Personally owned devices must never be used in order to circumvent security controls put in place by ITS.
-
Device Security
- To prevent others from obtaining unauthorized access, the device must remain under the owner’s Effective Control at all times.
- All devices that connect to University Technology Resources and/or access University
Data must meet the following security requirements:
- Employ an active form of access protection such as a passcode, passphrase, facial recognition, or fingerprint;
- Passwords/passphrases must meet the minimum requirements identified within the Password Standard;
- Have anti-virus software installed and running Real-Time Scanning and/or scan the device regularly to prevent, detect, and remove malware. The University provides free anti-virus at https://freeav.wvu.edu;
- Be configured to lock or log out and require a user to re-authenticate if left unattended for more than 15 minutes. Devices that do not support this capability must be secured by alternative means, such as restricting access in a locked room;
- Run a Supported Operating System that is patched and updated regularly; and,
- Be configured to allow the owner to Remote Wipe in the event the device is lost or stolen. Devices that do not support Remote Wipe functionality must be encrypted.
- Devices that are Jailbroken, Rooted, or have been subject to any other method of changing built-in protections must not be used to access University Technology Resources.
- The device must support WPA2 and AES to connect to WVU.Encrypted.
-
Conducting University Business
- Pursuant to the Acceptable Use of Technology Resources and Data Policy, the
University provides the use of University Technology Resources, including
Devices, which must be used by Authorized Individuals as the primary means
to create, store, send, or receive University Data.
- De minimis use of personally owned devices is permitted to access University Data and/or conduct University business provided the device meets the security requirements identified within Section 3 of this Standard.
- Use of a personal device as the primary means to create, store, send, or receive University Data is prohibited.
- Employees who access Sensitive Data for their job must primarily use a University Device. If a University Device is not available, a personally owned device may be used only if it has been pre-approved by the CISO and is utilizing an approved University remote access solution to access Sensitive Data. See Remote Access Standard.
- Software licensed to the University must never be downloaded to a personally owned device unless specifically permitted by the license (e.g., Microsoft Office).
- University Data subject to document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders) stored on a personally owned device must be produced upon the request of the University.
- Any University Data downloaded to a personally owned device must be destroyed,
removed, or returned to the University once the individual:
- Is no longer employed by the University;
- No longer requires access to the University Data due to changing job responsibilities; or,
- Is no longer the owner or primary user of the device.
-
Exceptions
- Anti-virus software is not required to be installed on mobile devices such as cell phones and tablet computers.
-
Definitions
- “Authentication” means verifying the identity of a user, process, or device to allow access to a University Technology Resource.
- “Effective Control” means when a traveler either retains physical possession of the device or secures the device in an environment such as a hotel safe, a bonded warehouse, or a locked and guarded exhibition facility.
- “Jailbroken” means the process of modifying an iOS device such as an iPhone, iPad, or iPod Touch to bypass restrictions imposed by Apple, allowing the owner to modify the operating system and install non-approved applications, and granting the user elevated administration-level privileges.
- “Real-Time Scanning” means the anti-virus software is always on and checks files in real time when they are created, opened, or copied.
- “Remote Wipe” means a security feature that allows data on a device to be deleted without physically possessing the device.
- “Rooted” means the process of allowing Android users to attain privileged control over subsystems to alter or replace system applications and settings, run specialized applications that require administrator-level permissions, or perform other operations that are otherwise inaccessible to a normal Android user.
- “Supported Operating System” means the entity providing the OS, be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS.
- “University Data” means anything that contains information regarding the University made or received in connection with its operations, regardless of whether it is a hard copy or electronic, and includes, but is not limited to, written and printed matter, books, drawings, maps, plans, photographs, microforms, motion picture films, sound and video recordings, e-mails, computerized or other electronic data on hard drives or network drives, or copies of these items. See Record Retention Policy and Schedule.
- “University Technology Resources” means University-owned hardware, software,
and network/communications equipment, technology facilities, and other relevant
hardware and software items, as well as personnel tasked with the planning,
implementation, and support of technology. University Technology Resources
can be broken into the following categories:
- Campus Network means the wired and wireless components and University Technology Resources connected to the network managed by the University. Excludes residence halls, University public/private partnerships, and other relationships the University may establish with institutions, including the City of Morgantown and WVU Medicine, through which the University provides IP addresses but does not manage the network.
- Device means a server, computer, laptop, tablet, or mobile device used to enter or access University Data from a University Information System.
- University Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.
-
Related Documents