RSCC Policies & Guidelines
Roane State Community College
Policy Number: GA-18-07
Subject: Mobile Device
- Purpose and Scope
- The purpose of this policy is to define the appropriate use and procedures for using mobile devices, owned by the college or the individual, on the college network and to protect the security and integrity of private and sensitive institutional data residing in the college technical infrastructure.
- This policy applies to all Roane State employees, including full and part-time staff, students, contractors, freelancers and other agents or guests who make a connection from a mobile device to any college provided network or any college owned software, service, resource, or data system.
- Mobile Device - A mobile device is any device that is both portable and capable of collecting, storing, transmitting or processing electronic data or images in an untethered manner (usually, but not always, through a wireless connection). Examples include, but are not limited to, laptops, tablets (such as a Microsoft Surface), wearable (like an Apple Watch), personal digital assistants (PDA) and “smart phones” (such as an Apple iPhone or Android). This definition also includes storage media such as USB hard drives, memory sticks or any other peripherals connected to a mobile device. These easily carried devices combine telecommunications and computing functions through a variety of applications.
- Personal device -any device that is not college owned.
- Encryption- using electronic or physical means to render clear text information unreadable to unauthorized persons.
- Sensitive Information- information that provides Personally Identifiable Information (PII) on a Roane State Community College (RSCC) student, faculty, or staff member. PII is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. This includes, but is not limited to, information such as Social Security Number, date and place of birth, and mother’s maiden name. Sensitive information also includes Protected Health Information as defined by state and TBR polices and guidelines, and student record information (academic, personal, and financial information). Directory information is not considered PII. Access the complete detailed RSCC policy GA-18-08 at www.roanestate.edu/policies/ Data and Personally Identifiable Information (PII) Security.
- Required Protocols
All mobile devices used to access or store sensitive college information must adhere to the following requirements. These apply to both personal and college owned devices if sensitive information is accessed or stored.
- Physical Protection
- Individuals must keep mobile devices with them at all times or store them in a secure location (lockable office or drawer) when not in use and whenever possible. Users must not store sensitive information or confidential institution data on a personal device or a portable storage device. Sensitive documents and correspondence stored or cached on personal devices should be removed as quickly as possible. As an example, if you have connected to RSCC email on your device and you open a sensitive document from an email to read, this document is likely cached and stored on the device. Roane State recommends clearing the cache (and/or deleting temporary browser files) on a regular basis to prevent sensitive information from being unintentionally stored.
- Roane State utilizes virtual desktop solutions for college employees to access a secure virtual desktop for accessing and storing sensitive information. The college also utilizes shared drives (e.g. “U” drive) for storing sensitive documents and to foster collaboration between staff members in a secured environment. Any Roane State personally owned mobile devices should not be shared with any unauthorized user.
- Password Protection and Encryption
Individuals should use reasonable physical security measures procedures such as enabling a PIN, password, biometrics or additional security features such as encryption, to prevent unauthorized access to devices and data. RSCC owned devices will have appropriate encryption and password protection.
- Proper Disposal
Destroying, removing, and/or returning all Roane State data upon termination of a relationship with the college must be done immediately. User must return/uninstall all software application licenses issued and belonging to the college when the personal device is no longer being used for institution business (i.e. Microsoft 365 Office). All college owned mobile devices must be returned to the Office of Information Technology upon termination of the assigned user’s relationship with the college.
- Lost or Stolen Data
- If a mobile device containing Roane State sensitive or confidential information is lost or stolen, the loss should immediately be reported to the institution information security personnel or to the CIO. These individuals will determine whether there is any requirement to report the security incident using the Cyber Incident Response Plan. Additionally, the incident must be reported to the technology Help Desk at the institution to determine if the device can be wiped remotely.
- Roane State encourages owners and users of personal mobile devices to incorporate tracking software on their devices (such as Find my iPhone for Apple devices).
- Devices and Support
- Staying current with security and operating system updates for all personal mobile devices is expected.
- Information Technology will centrally deploy policies on all college owned mobile devices to ensure a secure operating environment. Prior to initial use, all RSCC mobile devices will be provisioned by IT and registered on the Roane State network. IT will also inventory all college mobile devices.
- The college’s Help Desk will provide technical support for all RSCC owned mobile devices. RSCC will provide limited support for personally owned mobile devices, such as wireless connectivity and access to the Roane State email system.
- Privacy and Security
- The college will always respect the privacy of a personally owned mobile device and will only request access to the device by campus technical resources to implement security controls or to respond to legitimate discovery requests arising out of administrative, civil or criminal proceedings.
- The Office of Information Technology NTTS department reserves the right to perform security scans against any owned device that accesses college networks, services, resources, data or applications. The college staff may, without notification, prevent or ban any mobile device which disrupts any college computing resources or is used in a manner which violates any college policy.
- Suspected violations of this policy may result in suspension of a user’s access to the college network and/or any data, service, resource or software prior to the initiation or completion of appropriate disciplinary procedures, when it reasonably appears necessary to preserve the integrity, security, or functionality of college data and services or to protect RSCC from liability. The college may also refer suspected violations of applicable laws to appropriate law enforcement agencies.
- The CIO shall be the primary contact for the interpretation, enforcement and monitoring of this policy and the resolution of problems concerning it. Any legal issues concerning the policy shall be referred to the appropriate officials for advice.
- Risks, Liabilities and Disclaimers
Employees, students, and guests who elect to utilize personally owned mobile devices making a connection to any Roane State network or system-provided software, service, data or resource accept the following risks, liabilities and disclaimers:
- At no time does Roane State Community College accept liability for the maintenance, backup or loss of data on a personal device. It is the responsibility of the equipment owner to backup all software and data appropriately.
- Roane State does not accept liability for the security or loss of data for any visitor, client or guest of the institution using a guest account or wireless guest account.
- Roane State Community College shall not be liable for the loss, theft or damage of any personal devices. This includes but is not limited to, use of the device for academic work or business activities, on institution time, or during business travel.
Revision History: 06/05/2014, 02/01/2016
TBR Policy Reference: 1.08.00.00
Revision Date Effective: 11/30/2020
Revision Approval By: Christopher L. Whaley, President
Original Date Effective: 08/01/2012
Original Approval By: Gary Goff, President
Office Responsible: Vice President for Business & Finance
© Roane State Community College
Roane State Community College does not discriminate on the basis of race, color, religion, creed, ethnicity or national origin, sex, disability, age, status as protected veteran or any other class protected by Federal or State laws and regulation and by Tennessee board of Regents policies with respect to employment, programs, and activities. View full non-discrimination policy.
Report Fraud, Waste and Abuse
Digital Millennium Copyright Act of 1998