Members of the university community who are permitted by their department or unit to work with sensitive institutional data on their personally owned devices must meet their shared obligation and responsibility to secure such data by properly securing and managing their devices as outlined in SPG 601.33.
Each U-M department/unit has the discretion to decide whether to:
- Permit those in their department or unit to work with sensitive university data on their own devices in accordance with the policy
- Implement additional restrictions
- Prohibit use of personally owned devices with sensitive institutional data
This toolkit is available to help departments/units re-evaluate their decision on a regular, ongoing basis and to support ongoing communication about their decision.
Departmental leaders can use this toolkit to assess risks and implement the policy in the best way for their specific unit. Submit toolkit improvement suggestions to Information Assurance at email@example.com.
Step 1: Review What the Policy Covers
SPG 601.33 covers the use of personally owned devices to work with sensitive university data. If members of the university community are permitted this use by their department/unit, they are expected to take responsibility for securing and managing their devices to protect the data.
What Are Personally Owned Devices?
Personally owned devices include personal computers, laptops, smartphones, tablets, media players, and removable media such as USB flash drives, external disk drives, DVDs, or any optical storage media that can be readily transferred from one electronic device to another. They also include devices for which U-M provides a partial subsidy or stipend.
Which Sensitive Data Types Are Covered?
The policy covers all sensitive institutional data. The Sensitive Data Guide lists which data types can and cannot be used on personal devices (see the table at the bottom of the page).
Members of the university community using their own devices to work with sensitive institutional data are expected to:
- Properly secure and manage their devices
- Return or delete the data upon university request or when they are no longer authorized for access
- Report within 24 hours any kind of compromise of their devices (loss, theft, unauthorized access, and so on)
- Allow the inspection of their devices by the university in the course of an incident investigation
- Respond to requests for information if the data is subject to them (for example, FOIA requests)
Step 2: Review Your Department's Risks
- What sensitive university data is used in your department?
- Who works with sensitive university data in your department?
- What potential harm could come from unauthorized disclosure?
What Sensitive University Data is Used in Your Department?
Identity the types of sensitive institutional data that people in your department work with, access, or maintain. Are there specific regulatory compliance obligations? How severe is the harm or the penalties if there is an unauthorized disclosure?
Review Data Types. To help you identify the data types used by people in your department, refer to the list of data types in the Sensitive Data Guide, as well as the Safe Computing Sensitive University Data web page. The Sensitive Data Guide to IT Services reflects the decisions of the university's data stewards as to whether specific types of sensitive institutional data may be accessed or maintained using an appropriately secured personally owned device.
Some types of sensitive institutional data (for example, credit card or Payment Card Industry (PCI) information processed on behalf of the university) should never be accessed or maintained using a personally owned device. This restriction does not apply to personal transactions, such as personal credit card purchases.
Review Regulatory Compliance Requirements. Refer to the Sensitive Data Guide or the Safe Computing Comply With Laws, Policies & Regulations web page to learn about the regulations associated with the data types used in your department.
Who Works with Sensitive University Data in Your Department?
Identify the roles of people in your department who work with sensitive university data. Do most people work with sensitive data? Only people in limited, specialized roles? Only people in specialized circumstances or locations? Is their use similar to that of other members of the university community who work with that same type of data? For example, do some staff members work with admissions data or donor data?
General users (people in general roles who make general use of sensitive data). If sensitive data users in your department are similar to those across the university, you may be able to implement SPG 601.33 as is, requiring that people in your department follow the university's minimum user management and security expectations when using their personally owned devices to access or maintain sensitive institutional data.
Specialized users (people in specialized roles who work with department-specific sensitive data). Perhaps your unit includes researchers who work with sensitive identifiable human subject research data or Protected Health Information (PHI) regulated by HIPAA. Perhaps they receive grants from NASA that have export control regulation restrictions. If certain groups of people in your department access highly regulated or high-risk sensitive data, you may want to consider additional restrictions beyond those outlined in SPG 601.33 just for those groups of people. You might otherwise implement the policy as is for the majority of people in your department.
What Potential Harm Could Come from Unauthorized Disclosure?
Consider the reputational harm that could come to the university if there was an unauthorized disclosure of sensitive institutional data that people in your department work with. How severe would the harm or the penalties be if there were an unauthorized disclosure?
- Are there penalties or fines associated with an unauthorized disclosure of that sensitive institutional data?
- Are there other potential negative outcomes, such as loss of access to grants or funding, associated with an unauthorized disclosure of sensitive institutional data that your unit works with?
If you have questions that impact which option you will choose, see the contact options at the Compliance Resource Center.
Step 3: Decide and Document Your Department's Policy Approach
Decide on Your Department's Approach
Based on your analysis, decide whether additional restrictions are needed for your department/unit and, if so, what those restrictions should be. There are three basic options:
Option A: No Additional Restrictions (default option). This is appropriate for departments that have a large number of general users of lower-risk sensitive institutional data (for example, data regulated by FERPA). As long as users appropriately secure their personally owned devices following the university's minimum user management and security expectations, they may use them to access or maintain sensitive university data in accordance with SPG 601.33.
Option B: Additional Restrictions. Departments in which some or all people access high-risk sensitive institutional data may want to require that those people take additional or specific precautions beyond the minimum expectations for a secure device listed in Secure Your Devices, such as these:
- Disable GPS
- Disable Bluetooth
- Use two-factor authentication (component of mobile device management; not MToken)
- Require a passcode that is more than four digits (if technically feasible)
- Restrict use when traveling or otherwise away from secure networks
- Specify department-specific software or applications that cannot be accessed or used on a personally owned device
- Restrict certain data types from access (for example, Protected Health Information, Export Control)
- Require training, registration of devices with departmental IT, or use of a departmental mobile device management service
Option C: No Access Permitted. Departments that access or maintain high-risk sensitive institutional data may decide that the consequences of data loss or theft through the use of personally owned devices may be so adverse that they cannot be risked. Accordingly, such departments may choose to not allow any individuals to access or maintain that data using their personally owned devices.
Document Your Decision
You can use Unit Implementation of SPG 601.33 to document your department's implementation decision. SPG 601.33 requires departments/units to maintain documentation on their decisions on whether to allow users to access or maintain sensitive institutional data on appropriately secured personally owned devices, including whether departments will establish additional restrictions.
Step 4: Communicate Expectations Within Your Department
Once you've decided whether or not your department will be more restrictive in how it implements SPG 601.33, you will need to inform people in your department what is expected of them.
To help you get out the word, we have developed a set of communication tools for your emailing and website use. Feel free to make use of them or develop your own.
Step 5: Plan Regular Reviews
As smartphones, tablets, and other devices change—and as patterns of data use change—departments will need to review their approach and modify it as needed.
We recommend that departments periodically review implementation of SPG 601.33. It is especially important to conduct a review when:
- new types of sensitive institutional data are used
- your data use changes
- new devices, applications, or services are rolled out