If you work with sensitive university data from your own devices, you are expected to protect that data by meeting these responsibilities:
Check with your department to verify that it allows you to use personal devices with sensitive data.
You may not access or maintain sensitive university data using your own devices until or unless your department specifies that this is allowed.
Comply with any additional department/unit restrictions.
If your department/unit does allow you to access or maintain sensitive university data using your own devices, it may impose restrictions in addition to those outlined in Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33). If your department imposes additional restrictions, you must comply with them.
Secure and manage your devices.
The minimum expectations for security settings and management practices needed to protect your devices are described in:
- Secure Your Devices
- For IT staff: Server & Database Hardening
Comply with policies and regulations.
Follow U-M responsible use, data security and data management policies, standards, and guidelines. Also, all legal and regulatory compliance requirements continue to apply.
In particular, Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33) requires you to appropriately manage and secure your own devices, such as smartphones and tablets, if you use them to access or maintain sensitive university data.
Access U-M data only when needed.
Access or maintain sensitive university data using your personal devices only when necessary for the performance of university-related duties and activities.
Separate personal and institutional data if possible.
You are strongly encouraged to create separate environments for U-M data and personal data on your personally owned devices.
Delete or return data securely when no longer needed.
You must securely return or delete sensitive university data maintained on your own device when you are no longer an authorized user of that data. (See Securely Dispose of U-M Data and Devices.)
Security Incidents & Investigations
Report security incidents involving your devices.
Immediately report suspected or actual compromises of sensitive university data. This includes incidents that involve loss or theft of your devices used to store or maintain sensitive institutional data.
Allow appropriate inspection of your devices.
You may be required, upon request, to make your personal device available for inspection by U-M as part of an incident investigation conducted in accordance with Privacy and the Need to Monitor and Access Records (SPG 601.11).
You may also be required to provide access to documents on your devices that U-M is obligated to provide in response to a legal or regulatory authority (for example, FOIA, eDiscovery).