About this policy
Policy contact:
Date of last update:
May 27, 2020
Policy statement
All mobile devices used by Luddy faculty, staff, students, and affiliates are required to follow IT-12 Security of Information Technology Resources and IT-12.1 Mobile Device Security if these devices are used to access, store, or manipulate institutional data, regardless of ownership of the device. Such devices include laptops, tablets, and smartphones. Securing these devices includes having lock screens with passwords or passphrases of a required minimum length to access the device; a specified timeout period of inactivity after which the device will go to a lock screen; intrusion prevention, where the device will auto-lock or auto-wipe after a predefined number of failed attempts to log in; encryption of the devices' storage where possible; and the ability to remotely wipe or lock the device in the case of loss or theft.
Mobile devices will be configured to meet these requirements by the Luddy ITG staff at the time of purchase and initial setup. When a mobile device is reconfigured, redeployed, or brought in for service, ITG staff will make any required changes to ensure the device remains in compliance. Users will be informed of the importance of these controls and urged not to reconfigure the device in any way that would put it out of compliance.
Any mobile device used to access, store, or manipulate critical data must also meet these additional requirements:
- Written approval from the senior executive of the unit involved or the Institutional Review Board confirming a critical business need
- Encryption of the information on the device and in transit
Any mobile device that is no longer capable of running a vendor-supported OS and any mobile device no longer needed by the school will be securely disposed of per IT Policy: System and Media Disposal.
Exceptions to policy
There are no exceptions to this policy.
Procedures
The Mobile Device Security Standards page describes the requirements for common mobile devices in use within the school and the procedures to ensure they are in compliance. Devices not explicitly listed on that page must still be configured to be in compliance with IT-12.1 Mobile Device Security.