You are expected to be familiar with Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33).
U-M Policy Affects Your Personal Devices If You Use Them for U-M Work
Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) applies to individuals who may be permitted, for business reasons, to use their own devices to work with sensitive institutional data. This includes devices wholly owned by the individual or for which they receive a U-M stipend.
Responsibilities outlined in the policy fall into four areas:
- Check with your Unit
- Secure and Manage your Devices' Settings and Connections
- Manage Sensitive Data Securely
- How to Report an Incident
You are expected to know whether your department or unit permits use of personally owned devices with sensitive university data and if it imposes restrictions beyond those outlined in SPG 601.33. You are expected to comply with additional department/unit restrictions.
Meet Department/Unit Requirements
Departments/units may impose restrictions in addition to the user responsibilities and expectations outlined in SPG 601.33 and its supporting documentation.
- Check with your department before you use your own devices with sensitive university data.
- Comply with department/unit restrictions. If your department imposes additional restrictions in its implementation of SPG 601.33, you must comply with them.
You are expected to secure your devices if you use them to work with sensitive university data. Many university-managed devices, such as MiWorkspace computers, are already secured for you.
Enable Security Settings
- Require a password, PIN, or passcode for access.
- Set screensaver to auto lock after 15 or fewer minutes.
- Turn on data encryption.
- Install and use a device tracking/remote wipe app.
- Install and set up the U-M VPN (or Michigan Medicine VPN).
- Turn on built-in firewalls if available.
- Install and set up anti-virus software.
Without a password, PIN, or passcode, anyone who picks up your device can get to all your apps and data. If your password is saved on your device, they can open your mail and messages and post to social media as you.
These settings make it more difficult for anyone other than you to use your device if it is lost or stolen. By encrypting your data, you make it much harder for a criminal to read it, even if your device is hacked into.
Use Secure Connections
- Use your cell phone network or MWireless instead of unsecured or public Wi-Fi.
- Turn on the U-M Virtual Private Network (VPN) (or Michigan Medicine VPN) if using untrusted networks.
- Turn off Wi-Fi and Bluetooth when not in use.
Using an insecure network can expose the emails you send and the data you access to prying eyes. It can also leave your device open to unauthorized access.
When you use only secure network connections and limit unneeded network access, you protect the data you send and receive from those who eavesdrop on the traffic that crosses insecure networks.
A bonus is that turning off network access when you aren't using it saves your battery power.
Manage Your Device Securely
- Keep your operating system updated.
- Keep apps updated.
- Only install trusted apps, such as those from the Apple App Store, Google Play, and other reputable sources.
- Do not make unauthorized modifications to your operating system to unlock or otherwise bypass the device's security features.
- Be aware of sensitive data legal restrictions if you travel abroad. Some data types must stay in the U.S.
- Before selling or giving away your phone, back it up, then erase all content and settings.
Using outdated software leaves you exposed to known security vulnerabilities. Apps from untrusted sources are likely to include spyware or other malicious software.
By updating your software, you take advantage of the latest security patches. Reporting possible unauthorized data access helps ITS take steps to secure any exposed data.
Additional Best Practices
- Turn off GPS for apps when you do not need it.
- Set your web browser for private browsing.
- Turn on airplane mode when you don't need any network connections.
- Avoid public Wi-Fi hotspots.
- Choose strong passwords and be suspicious of attempts to get you to reveal personal information.
- Put a sticker on your device with your name and email address to help someone return your phone to you if it is lost.
- Back up your data to a secure location.
You are expected to protect the sensitive university data that you are authorized to access. You are expected to access and use it responsibly and in compliance with university policy.
- Access U-M data only when needed. Access or maintain sensitive university data using your personal devices only when necessary for the performance of university-related duties and activities.
- Separate personal and institutional data if possible. You are strongly encouraged to create separate environments for U-M data and personal data on your personally owned devices.
- Delete or return data securely when no longer needed. You must securely return or delete sensitive university data maintained on your own device when you are no longer an authorized user of that data.
You are expected to report loss or theft of your own devices that are used to work with sensitive university data to the ITS Service Center. You are also expected to report any suspected or actual compromises or unauthorized access of sensitive university data or systems.
Report Security Incidents and Respond to Investigations
- Report security incidents involving your devices. Immediately report suspected or actual compromises or unauthorized access of sensitive university data. This includes incidents that involve loss or theft of your devices used to store or maintain sensitive institutional data.
- Please allow appropriate inspection of your device. You may be asked to make your personal device available for inspection by U-M as part of an incident investigation conducted in accordance with Privacy and the Need to Monitor and Access Records (SPG 601.11).
- Please provide access to documents when required. You may also be required to provide access to documents on your devices that U-M is obligated to provide in response to a legal or regulatory authority (for example, FOIA, eDiscovery).