Guidelines for Securing Mobile Computing
Many USG employees and students rely on mobile computing devices for work and personal use: laptop
computers, Personal Digital Assistants (PDAs), USB memory (aka thumb drives), and smart phones (mobile
phones with advanced communication, storage and processing capabilities). These devices bring a lot of
convenience and ease of use. They also carry risks. This document outlines guidelines regarding the use of
these mobile devices in the University System of Georgia network and computing environment.
Risks of Mobile Computing
Mobile computing devices have a large amount of storage, are highly portable and are frequently
unprotected: They are relatively easy to steal or lose, and unless precautionary measures are taken, an
unauthorized person can gain access to all the information stored on them. Even if a device is not stolen or
lost, intruders can sometimes gain all the access they need if it is left alone and unprotected, or if data is
"sniffed out of the air" during wireless communications. The result can include: crippled devices, infection
with a virus/spyware/malware that surreptitiously captures the owner's keystrokes, and/or a device
whose data has been invisibly downloaded by an intruder, leading to the loss of personal and other
non-public information (e.g., credit card numbers, passwords).
Data Security Restrictions
The best way to protect USG data is to remove unnecessary data from your computer or device. Prohibited
data should not be stored on your system or device unless you have explicit permission. This includes things
like Social Security Numbers, credit card numbers, or checking account numbers.
Mobile Computing Guidelines
The following guidelines are intended to help mobile computing device users protect the data the devices
contain. These guidelines are easy to implement and use and can protect your data and USG's data in the
event that the device becomes compromised, lost or stolen.
Configure a password to gain access to and/or use the phone.
Set an idle timeout that will automatically lock the phone when not in use.
Keep all system/application patches up to date, including Mobile OS and installed applications.
For phones that support encrypted communication (SSL, HTTPS, VPN, etc.), always configure defaults
to use encryption.
Portable Storage Devices
Portable Storage Devices are usually large capacity drives that are easily moved from place to place (e.g., USB
memory sticks, removable hard drives, etc.).
Configure a username/password combination to access the data/device.
Devices which are used to store and/or transport Prohibited or Restricted data must be encrypted.
Encrypting a device with one of the services offered by USG InfoSec & ITS will add additional
authentication to the device.
Configure the system to require a password whenever a user logs in.
Set a screensaver timeout and enable the password lock-out feature so a password is required when
returning from screensaver mode.
Laptops used to access Prohibited and Restricted data are required to be encrypted with USG's
Whole Disk Encryption (WDE).
Physical locks should be used whenever the system is in a stationary location for extended periods of
Supported Smart Phones in a Managed Environment
The USG ISO evaluates mobile phones and their ability to secure communications between the mobile device
and the remote networks that they communicate on. Phones are also evaluated on their ability to encrypt
data that is stored on the mobile device.