Bring Your Own Device (BYOD) Policy

Background

Personally-owned mobile computing devices (“mobile devices”), such as smartphones, tablets, and laptops, are important tools for the MassArt community to conveniently access Technology services and information assets.  However, mobile devices also represent a risk to the confidentiality and integrity of MassArt information due to their portability. Without appropriate safeguards, mobile devices present an unacceptable risk in that they can easily result in compromise of the confidentiality, integrity, and availability of institutional information, Technology assets, and services.

Policy Statement

MassArt permits employees to access institutional technology resources with mobile devices only if they meet the security configuration requirements, rules, and responsibilities outlined in this policy and are used in a manner consistent with the Acceptable Use Policy. Employees who wilfully disregard this policy may have their mobile devices blocked from accessing institutional technology resources. Chronic or acute violations of this policy by employees may be referred to Human Resources.

Applicability

This policy applies to any student or employee who uses a personally-owned Mobile Device to create, view, process, or store institutional information or access institutional technology resources. (Refer to the Definitions section for a complete definition of Mobile Devices).

Definitions

  1. MOBILE DEVICE – Electronic computing devices capable of accessing, storing, or manipulating institutional information, or connecting to institutional systems or applications, in an untethered manner (usually, but not always, through a Wi-Fi connection). This includes laptop/notebook computers, smart phones, tablets, and any other mobile computing or communications device with wireless connectivity.
  2. JAILBREAK* (a Mobile Device) -  Remove or alter the security controls set for a Mobile Device by the manufacturer and which are not intended to be changed by the end user or customer.  The act of jailbreaking gives direct access to the mobile device operating system, thereby unlocking all its features and enabling the device to be run in an unsupported manner or run unauthorized software.
  3. CONFIDENTIAL DATA – Data, particularly personally identifiable information, whose loss, misuse, or unauthorized access can adversely affect the privacy, reputation, or welfare of an individual or the institution.
  4. MOBILE DEVICE MANAGEMENT (MDM) - software which secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.

Rules

  1. Technology Services is responsible for developing and maintaining security control standards for all mobile devices, including personally-owned devices that create, access, process or store institutional information.
  2. Employees must agree to any Terms of Use or other user agreement presented when attempting to connect to the institutional network with their Mobile Device and before accessing any institutional technology resource.
  3. Employees do not have the right, nor should have the expectation, of privacy while using or accessing institutional technology or services with their Mobile Device.
  4. The Acceptable Use Policy, and any other applicable institutional policy, remains in effect when accessing the institutional network and resources from a Mobile Device.
  5. The user must have the following minimum security settings configured and enabled on their Mobile Device before accessing any institutional technology resource:
    • Minimum of a 4-character pass code or PIN.
    • Lock-screen after a minimum of 15 minutes of inactivity.
    • Wipe the device after a maximum of 15 failed login attempts.
    • Commercial anti-virus software installed.
    • The latest manufacturer operating system updates installed.
  6. MassArt reserves the right to request access to any Mobile Device believed to store institutional records in order to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings or Freedom of Information Act (FOIA) requests.
  7. Employees will not download or transfer confidential information to their personal devices.
  8. Employees may not access institutional technology resources with a Jailbroken mobile device.
  9. Employee mobile devices used to access institutional technology resources may not be shared with other individuals or family members, due to the business use of the device (potential access to institutional emails, introduction of malware, etc.).
  10. Employees must delete any confidential data that may be inadvertently downloaded and stored on the Mobile Device through the viewing of email attachments.
  11. Employees must report suspected unauthorized access of institutional data via their mobile device to Technology Services immediately.
  12. Employees must adhere to all applicable state and federal laws, such as the Commonwealth of Massachusetts Public Records Law, when using a mobile device to access institutional resources or store institutional non-public data.

 

Related Information

Enforcement

Failure to follow the policy may result in an employee’s loss of the right to access technology resources from their Mobile Device. The illegal use of a Mobile Device, such as the intentional deletion or damage of institutional files or data, copyright violations, or theft of services for institutional purposes, may be reported by the institution to the appropriate legal authorities for possible prosecution(s) and may result in disciplinary action up to and including termination of employment.

Review and Maintenance

The MassArt Technology Department will review this policy on an annual basis to ensure that it remains effective, complies with internal operational parameters, and meets identified institutional business goals and industry best practices.  

Review and Revision History

Date | Name and Title | Annual Review or Revision Summary
02-08-2021 | Bryce Cunningham, Information Security Officer | Second draft
08-01-2023 | Patrick O'Connor, Chief Information Officer / Assistant Vice President, Technology | Final Draft Approved
02-13-2025 | Patrick O'Connor, Chief Information Officer / Assistant Vice President, Technology | Updated Branding, Reviewed

Applicability: All employees
Policy Owner: Information Security Officer
Approved by: Patrick O’Connor, Chief Information Officer / Assistant Vice President, Technology
Approved on: 08-01-2023
 

 *For MassArt’s purposes, Jailbreak or its variants is defined as the use of a privilege escalation exploit to remove software restrictions imposed by the manufacturer.
