SU’s new Mobile Device Security Standard

Security threats to mobile devices, including smartphones and tablets, are clearly on the rise. The frequency of mobile threats doubled between 2010 and 2011, says Symantec in its recently released annual Cybercrime Report. 35 percent of online adults worldwide have either lost or had their mobile device stolen, exposing them to identity and data theft.

The Cloud Security Alliance (CSA) Mobile Working Group recently released peer-reviewed results of a survey that ranks data loss from lost or stolen smartphones and tablets as the top mobile security threat. As an overview of the threat, the report states that “By their nature, mobile devices are with us everywhere we go. The information accessed through the device means that theft or loss of a mobile device has immediate consequences. Additionally, weak password access, no passwords and little or no encryption can lead to data leakage on the devices.”

Syracuse University and its faculty and staff are potential victims. In the past 30 days, more than 3,000 SU faculty and staff have connected more than 4,100 mobile devices to SU’s Exchange email system.

To help counter these increasing threats to mobile devices, Information Technology and Services (ITS), in collaboration with SU's Technology Leadership Council (TLC), developed and began implementing a new Mobile Device Security Standard in September.

The Mobile Device Security Standard will improve security of Syracuse University data that resides on mobile devices and help prevent loss or compromise of that data. This standard will help protect faculty and staff from identity and data theft, and the University from adverse consequences and costly breach notification requirements in the event of a device loss or theft.

This standard applies to all mobile computing devices, including but not limited to smartphones, tablets and other handheld or mobile devices that are used by SU faculty and staff (regardless of whether the device is owned by SU or the employee), and that have access to and are able to store SU data classified as "confidential" or "enterprise" as defined by the Syracuse University Information Security Standard.

Any device used to access SU's Exchange email system through any protocol other than Outlook Web Access (OWA; exchange.syr.edu) on a browser is subject to the standard. Whenever a mobile device connects to Exchange it can receive and store some confidential data, without the device owner’s immediate knowledge. Devices that are "rooted" or "jailbroken" are not allowed to access SU data since these devices are highly insecure.

Implementation of the standard began with a pilot group consisting of all ITS employees who have mobile devices that connect to SU's Exchange email system. The experiences of this pilot group were used to debug and fine tune the related procedures and processes across a wide array of personnel, devices, operating systems and client applications.

The standard will be deployed on individual Exchange mail boxes by the IT support units within each home department. In early January, ITS will deploy the standard to any remaining Exchange mailboxes.

Upon deployment of the standard, each mobile device will be configured with these security settings:

  • A numeric device passcode with a minimum of 4 characters
  • The device will automatically lock after 15 minutes of inactivity
  • Device encryption will be enabled, if supported (iOS devices do this automatically when the passcode lock is set)
  • The device will be automatically wiped after 10 failed passcode entry attempts
  • Users will be prohibited from disabling security settings
  • IMAP access to users' Exchange mailboxes will be disabled. (If the device owner uses an email application on their desktop that requires IMAP, that application will no longer work. Thunderbird on Linux and Macs is one example.)

The security standard will also standardize the existing ability for a device’s owner or authorized IT personnel to remotely wipe the device if it is discovered to be missing.

These settings are deployed through the Exchange ActiveSync Server (AES) and the BlackBerry Enterprise Server (BES).
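As an added illustration (not part of the SU announcement or ITS's own scripts), the settings listed above, plus the per-mailbox IMAP lockout and the remote wipe used when a device goes missing, map onto an Exchange ActiveSync mailbox policy that an administrator would create in the Exchange Management Shell. The cmdlet names are the Exchange Server 2010 ones; the policy name, mailbox and device identity are placeholders.

```powershell
# Added example, not from the SU page: an Exchange 2010 ActiveSync mailbox
# policy that mirrors the Mobile Device Security Standard's required settings.
# Run from the Exchange Management Shell. Names below are placeholders.

$policyName = "Mobile-Device-Security-Standard"   # placeholder policy name

$policy = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true       # a passcode is mandatory
    AlphanumericDevicePasswordRequired = $false      # a numeric passcode is sufficient
    MinDevicePasswordLength            = 4           # at least 4 characters
    MaxInactivityTimeDeviceLock        = "00:15:00"  # auto-lock after 15 minutes idle
    MaxDevicePasswordFailedAttempts    = 10          # device wipes after 10 failed attempts
    RequireDeviceEncryption            = $true       # encrypt where the hardware supports it
    AllowNonProvisionableDevices       = $false      # devices that cannot apply the policy are refused
}
New-ActiveSyncMailboxPolicy @policy

# Verify what was actually stored before assigning it to anyone.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts,
                RequireDeviceEncryption, AllowNonProvisionableDevices

# Apply the policy to one mailbox and, as the standard requires, turn off IMAP
# for that user so only ActiveSync (policy-enforced) or OWA can reach the mail.
$mailbox = "user@example.edu"   # placeholder mailbox
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName -ImapEnabled $false

# Loss or theft report: list the devices synced to the mailbox so the right one
# can be wiped, then issue the remote wipe against that device's identity.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceModel, DeviceID, LastSuccessSync, Identity -AutoSize

$lostDevice = "<device Identity from the listing above>"   # placeholder
Clear-ActiveSyncDevice -Identity $lostDevice -Confirm:$false
```

The wipe is queued and executes the next time the device contacts Exchange, so changing the user's network password at the same time matters: a device that never syncs again never receives the wipe but may still hold cached credentials and mail.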

Any device that is incapable of enabling the required settings above will not be allowed to connect directly to Exchange. Users of these devices can use a browser on their device to reach OWA.

The first time an employee uses their device after deployment to connect to Exchange or BES, they will be prompted to create a passcode (if one has not been previously set), which will be needed to unlock the device and gain access to email and other data.

Employees are required to immediately report the loss or theft of their mobile device to their local IT support staff so that a remote wipe of the device may be initiated. Users must also immediately change their SU network password to protect against unauthorized access to SU resources.

Questions? Want more information?

For an FAQ, see https://answers.syr.edu/display/infosec011/Mobile+device+security+FAQs.

Faculty and staff should contact their local IT support personnel with any additional questions. For a list of IT support teams, see its.syr.edu/supportsvc/dsp/dsplist.pdf.