Requirements and best practices for personally owned devices, including BYOD (bring your own device)

Background

Most members of the university community will use personally owned devices (cell phone, tablet, laptop, workstation, etc.) to perform university-related work.  This usage may be classified on a continuum from convenience (e.g., checking email on a personal phone when out of the office) to necessity (e.g., use of a personal cell phone as a second factor for authentication).  It is important to understand that, whether used out of convenience or necessity, personally owned devices introduce some level of risk into the work environment.  This risk is especially notable when accessing or storing sensitive information, and it may affect the confidentiality, integrity, and/or availability of that information.

Many factors influence the risk of using a personal device.  In general, the risk is higher if:

  1. Data is stored on the device rather than accessed through the device.  For example, risk is higher if OneDrive files are synchronized between the cloud and a personal device (a copy of each file then persists on the device), and lower if the personal device is only used to view or edit the document online without keeping a local copy.
  2. A large amount of data is stored on the device.  For example, risk is higher if Outlook is configured to store three months of email on the personal device, and lower if only storing one week of email.
  3. The storage capacity of the device is higher.  For example, a laptop or desktop can store far more data than a typical cell phone, so more data is exposed if it is lost or compromised.
  4. The device is shared by multiple users rather than used by only one person.
  5. The device is connected to an unmonitored network (e.g. home network, airport network), rather than a monitored network (e.g., University of Iowa campus network). 

The following requirements and best practices outline important considerations to bear in mind when using personally owned devices.  Beyond the information outlined below, additional restrictions may be enforced by law, regulation, contract, and university policy.  Because new compliance requirements are created over time, what is allowed today may not be allowed in the future.  For this reason and many others, the use of university owned and managed equipment is generally preferred, and in many cases required.

These guidelines will be updated periodically to reflect changes in the compliance requirements which apply to the university.

Requirements

  1. The university may at any time request the return and/or deletion of any university data stored on a personally owned device.  The owner of the device is responsible for securely deleting any university data before transferring ownership or disposing of the device.
  2. If a personally owned device containing university data is lost or stolen, the owner of the device is responsible for reporting the incident to their supervisor and the Information Security and Policy Office (ISPO) in accordance with the Network vulnerability assessment and incident response policy.
  3. During an incident investigation, ISPO may require that a personally owned device be made available for inspection.  Devices may need to be made available for other reasons, such as requests from law enforcement, legal discovery, subpoenas, public records requests, etc.  If a forensic investigation is required, the owner must not remove personal data from the device prior to the investigation, since doing so may destroy evidence.
  4. The owner of non-university equipment is responsible for following software licensing rules.  In some cases, software vendors may make software available for use on a personally owned device as part of the campus license agreement; the owner of the device is responsible for understanding and following the rules as they apply to each software title.

Best practices

  1. In general, it is strongly recommended that employees use equipment owned and managed by the university to perform university-related work.  This is especially important when the work involves interaction with Critical or Restricted data as defined in the Institutional data policy.
  2. Individual units may establish rules limiting the use of personally owned devices for individuals working under their supervision (e.g., faculty, staff, students, contractors, consultants, volunteers, etc.).  ISPO can assist units as they develop these rules.
  3. Data Trustees and Data Stewards may establish rules limiting the use of personally owned devices to access and/or store data which they oversee.
  4. The university may establish rules limiting the use of personally owned devices based on job function or classification.
  5. All individuals who use personally owned devices are expected to follow standard safeguards such as screen locks, storage encryption, update and patch management, anti-virus, replacement of obsolete or unsupported technology, etc. See the Device security standard for additional information. 
  6. Whenever possible, personally owned devices should not be shared with others, including family members.  When sharing is necessary, separate accounts should be configured to ensure that others sharing the device cannot access university data.
  7. In general, the university can provide a higher level of support for university owned and managed devices.  Units which provide device support will maintain their own guidelines for support of personally owned devices.  Units may also have separate support guidelines depending on whether the device is owned by a student, faculty or staff member.
  8. Some software sends the content you type or open to a third-party service for processing (e.g., Grammarly) and therefore does not protect the confidentiality of that data.  If an individual chooses to use such software on their device, that device must not be used to access confidential data.

Related policies, references and attachments

Network vulnerability assessment and incident response policy

Network citizenship policy

Security policy

Institutional data policy

Acceptable use of information technology resources

Device security standard

Mobile device security best practices

Technology allowance policy