Security of Personally-owned Devices Policy

1. Overview

When conducting College activities, it may at times be necessary for College employees to access or maintain sensitive institutional data on personally-owned devices. There is often risk of data loss or unauthorized access when sensitive data is accessed or maintained via self-managed personally-owned devices.

This standard directs members of the College community who access or maintain sensitive institutional data to meet their shared obligation and responsibility to secure such data by properly self-managing the privacy and security settings on their personally-owned device.

2. Scope

In accordance with the Acceptable Use Policy, the College characterizes certain activities related to misuse of sensitive data as unethical and unacceptable.

This standard is applicable to any member of the College community whether located on campus or elsewhere.

3. Policy

Sensitive institutional data shall be accessed or maintained on personally-owned devices only when necessary for the performance of College-related duties and activities. College employees shall take all required, reasonable, and prudent actions necessary to ensure the security and retention of sensitive institutional data.

A. Permission to Use Personally-owned Devices

Departments shall coordinate with the Information Security Office in deciding whether to allow their employees to use personally-owned devices to access or maintain sensitive institutional data.

B. Device Security

College employees shall maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided by the College, as well as comply with appropriate safeguards required by state and federal regulations. In addition, the College or individual departments may require that specific security settings and/or software to protect sensitive institutional data be put in place and maintained on the device.

C. Data Return/Deletion

Users shall return or delete sensitive institutional data maintained on personally-owned devices upon request from the College or when their role or employment status changes such that they are no longer an authorized user of that data.

D. Incident Reporting

Personally-owned devices that access or maintain sensitive institutional data and that are lost, stolen, have been subject to unauthorized access, or otherwise compromised must be reported within 24 hours to both the appropriate College executive and to the Information Security Office.

E. Device Inspection

In the course of an incident investigation, the College reserves the right to inspect a personally-owned device that accesses or maintains sensitive institutional data. Any access to a personally-owned device will be carried out in accordance with the Network Privacy Policy, as well as follow other relevant College protocols and legal or law enforcement requirements.

F. Response to Document Requests and Production

Records or data maintained by the College or College employees may be the subject of document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders, etc.). College employees must produce these records or data (or the devices on which they are stored) upon request of the College.

4. Violations

Violations of this standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, dismissal, and/or legal action. The connectivity of machines and servers to the Whitman network that do not comply with this standard may be limited or disconnected.

Disciplinary action for faculty and staff, if any, for violation of this standard shall be consistent with the Whitman College Human Resource policies and procedures. Disciplinary action for students, if any, for violation of this standard shall be consistent with the Whitman College Dean of Students' policies and procedures.

5. Definitions

Device: For purposes of this document, a device is defined as an object with the ability to engage in computational operations, including the accessing or storing of electronic data.
Sensitive Institutional Data: the Data Classification Standards document defines the sensitive institutional data categories. These categories include both Sensitive and Restricted.
Personally-owned: For purposes of this document, personally owned includes devices for which a user receives a College subsidy or stipend as well as those wholly owned by the employee.

Updated: January 2019