Information Technology, Documents, & Records
College Data on Mobile Devices
This policy governs the use of mobile devices to conduct college business or to access college data. Accessing college email and calendaring is considered to be conducting college business, and is therefore included in this policy. Carleton College has adopted this policy to safeguard the college’s investments and data and to comply with various regulations. This policy applies to both college-owned and personally-owned mobile devices which connect to the Carleton network.
Mobile devices include any portable device that allows access to college information and data. These include but are not limited to laptops, mp3 players, smart phones, and iPads. The college data covered by this policy includes:
- Protected Data (any data protected by state or federal guidelines)
- Sensitive Data (any data that the college has determined to be confidential)
The college data not covered by this policy includes:
- General College Data (any data pertaining to the operation of the college and use is not considered protected or sensitive)
For further details regarding the types of college data, see the Data Management and Access Guidelines (http://apps.carleton.edu/campus/its/policies/dataguidelines/).
Employees must configure college and personally-owned mobile devices to safeguard college protected and sensitive data. Such data should only be stored on or accessed from mobile devices for the duration required for work purposes. If you are directly accessing college systems, such as Colleague, Slate, and Advance, you must use the identified secure connection method for that system, e.g. Citrix. If you are unsure of the appropriate connection type, consult with the ITS staff responsible for the system. Employees must also keep mobile devices physically secure, especially when left unattended.
College and personally-owned mobile devices must be configured with the following security measures:
- Protected by a PIN of at least 4 digits
- Screen must auto-lock after not more than 15 minutes of inactivity
- Device must accept remote wipe commands
- Device must be encrypted if protected data is stored on the device
If you are accessing Carleton email on your mobile device, it must be accessed directly and not forwarded to a personal email account.
To protect college data, the college reserves the right to remote wipe any college-owned mobile devices, or any personally-owned devices that have accessed college systems or data, including email servers. See the Information Security Plan (http://apps.carleton.edu/campus/its/policies) for further instructions regarding the protection of college data.
Securing your device
ITS maintains a document (https://wiki.carleton.edu/dashboard.action) outlining the methods to secure your mobile device. If you will potentially be accessing data covered by this policy, you must adhere to these guidelines.
A lost or stolen device must be reported to Campus Security as well as local law enforcement in the area where the device was lost.
At the end of its life, a college-owned mobile device must be returned to and disposed by IT. Personally-owned mobile devices should be wiped of any protected data. See the Device Disposal Guidelines (https://wiki.carleton.edu/dashboard.action) for information on proper disposal.
Notifications for Breach of Security
Minnesota’s Security Breach law (Statute: § 325E.61) requires that “Any person or business that conducts business in [Minnesota] and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay . . . ."
If you believe that college data containing personally identifiable information, or any other college protected or confidential data, may have been breached, the following steps should be taken immediately:
- The individual who discovers the breach should immediately notify Campus Security.
- Campus Security will contact the VP for Finance and Treasurer and the Director of Information and Technologies.
- Campus Security, the VP for Finance and Treasurer, and the Director of IT will determine if a breach of security of data has occurred, and the appropriate action to take.
Campus Security, the VP for Finance and Treasurer, and the Director of IT may utilize guidance for dealing with a data breach and sample notification letter formats that can be found on the Federal Trade Commission website: http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
Technology Priorities and Planning Committee (TPPC)