Bring Your Own Device (BYOD) Standard

Standard Number: IT.1.1.3S
Category: Acceptable Use of Technology
Owner: Information Security Services
Effective: December 31, 2019
Revision History: Originally effective December 18, 2012
Review Date: December 30, 2022

1. Purpose, Scope, and Responsibilities

   1. Personally owned computing devices are increasingly being used to access University Technology Resources and University Data. A security breach when using a personal device could result in loss or compromise of University Data, damage and/or unauthorized access to University Technology Resources, and/or financial harm to the University.
   2. The purpose of this Standard is to establish minimum security requirements for personally owned devices that connect to University Technology Resources and/or access University Data, including but not limited to smartphones, tablets, laptops, and notebooks.
   3. Individuals who elect to utilize a personal device to access University Technology Resources are responsible for the following:
      1. Abiding by the requirements identified within this document;
      2. Any damages and criminal and/or civil charges resulting from the activities conducted on their personal device while connected to a University Technology Resource; and,
      3. All transactions made under their Authentication to a University Technology Resource.
   4. The University is not responsible or liable for the maintenance, backup, or loss of data on a personal device and does not accept responsibility for the security of personal devices including loss, theft, or damage.
   5. The Chief Information Security Officer is responsible for implementation and enforcement of this Standard. Information Technology Services (“ITS”) is responsible for University authentication systems, verifying authentication credentials provided, troubleshooting connectivity or authentication issues, and performing vulnerability scans of the Campus Network.
   6. Deploying infrastructure and maintaining the availability of the Campus Network is a shared responsibility of ITS Network Services and other college/department IT groups on campus.

2. Personal Device Use

   1. Individuals who elect to utilize a personal device to access University Technology Resources, whether for personal use, University business, on University time, or during business travel must:
      1. Abide by the Acceptable Use of Data and Technology Resources Policy;
      2. Maintain and backup the personal data stored on the device;
      3. Ensure the physical security of the device to prevent loss, theft, and/or damage;
      4. Report lost or stolen devices that contained University Data;
      5. Ensure the device meets the security requirements identified within Section 3 of this document.
   2. A personally owned device must never disrupt use or function of the Campus Network and/or the University Information System to which it is connected. The University will ban or prevent any device from accessing the Campus Network that continually causes disruptions to University Technology Resources.
   3. The device owner must change their WVU Login password immediately when a personal device that has access University Data is lost or stolen.
   4. Pursuant to Identity and Access Management Policy, Authentication is required before a device will be permitted to access the Campus Network.
   5. Personally owned devices must never be used as a University server or networking device.

3. Device Security

   1. To prevent others from obtaining unauthorized access, device owners must never leave their device unattended.
   2. All devices that connect to University Technology Resources and/or access University Data must meet the following security requirements:
      1. Employ an active form of access protection such as a passcode, passphrase, facial recognition, or fingerprint;
      2. Passwords/passphrases must meet the minimum requirements identified within the Password Standard;
      3. Be configured to lock or logout and require a user to re-authenticate if left unattended for more than 15 minutes. Devices that do not support this capability must be secured alternatively such as restricting access in a locked room;
      4. Run a Supported Operating System that is patched and updated regularly;
      5. Devices must be configured to allow Remote Wipe in the event the device is lost or stolen. Devices that do not support Remote Wipe functionality must be encrypted.
   3. Devices that are Jailbroken, Rooted, or have been subject to any other method of changing built-in protections must not be used to access University Technology Resources.
   4. Device must support WPA2 and AES to connect to WVU.Encrypted.

4. Conducting University Business

   1. Pursuant to the Acceptable Use of Data and Technology Resources Policy, the University provides the use of University Technology Resources, including Devices, which must be used by Authorized Individuals as the primary means to create, store, send, or receive University Data.
      1. De minimis use of personally owned devices is permitted to access University Data and/or conduct University business provided the device meets the security requirements identified within Section 3 of this Standard and the device is made available for inspection by the University to ensure appropriate security controls are in place.
      2. Use of a personal device as the primary means to create, store, send, or receive University Data and/or conduct University business is prohibited.
   2. Data classified as Sensitive in the Sensitive Data Policy must never be accessed via or downloaded to a personally owned device.
   3. Software licensed to the University must never be downloaded to a personally owned device unless specifically permitted by the license (e.g., Microsoft Office).
   4. University Data subject to document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders) stored on a personally owned device must be produced upon the request of the University.
   5. Any University Data downloaded to a personally owned device must be destroyed, removed, or returned to the University once the individual:
      1. Is no longer employed by the University;
      2. No longer requires access to the University Data due to changing job responsibilities; or,
      3. Is no longer the owner or primary user of the device.

5. Exceptions

   1. This Standard does not apply to University-owned devices. For more information regarding University-owned devices, refer to the University-Owned Device Standard.

6. Definitions

   1. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Technology Resource.
   2. “Jailbroken” means the process of modifying an iOS device such as an iPhone, iPad, or iPod Touch to bypass restrictions imposed by Apple to allow owner to modify the operating system, install non-approved applications, and grants the user elevated administration-level privileges.
   3. “Real-Time Scanning” means the anti-virus software is always on and checks files in real time when they are created, opened, or copied.
   4. “Remote Wipe” means a security feature that allows data on a device be deleted without physically possessing the device.
   5. “Rooted” means the process of allowing Android users to attain privileged control over subsystems to alter or replace system applications and settings, run specialized applications that require administrator-level permissions, or perform other operations that are otherwise inaccessible to a normal Android user.
   6. “Supported Operating System” means the entity providing the OS, be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS.
   7. “University Data” means anything that contains information regarding the University made or received in connection with its operations, regardless of whether it is a hard copy or electronic, and includes, but is not limited to, written and printed matter, books, drawings, maps, plans, photographs, microforms, motion picture films, sound and video recordings, e-mails, computerized or other electronic data on hard drives or network drives, or copies of these items. See Record Retention Policy and Schedule.
   8. “University Technology Resources” means University-owned hardware, software, and network/communications equipment, technology facilities, and other relevant hardware and software items, as well as personnel tasked with the planning, implementation, and support of technology. University Technology Resources can be broken into the following categories:
      1. Campus Network means the wired and wireless components and University Technology Resources connected to the network managed by the University. Excludes residence halls, University public/private partnerships, and other relationships the University may establish with institutions, including the City of Morgantown and WVU Medicine, through which the University provides IP addresses but does not manage the network.
      2. Device means a server, computer, laptop, tablet, or mobile device used to enter or access University Data from a University Information System.
      3. University Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.

Related Documents

• Password Standard
• Sensitive Data Policy
• University-Owned Device Standard
• Identity and Access Management Policy
• Identity and Authentication Management Standard