End-User Device and Information Policy
Policy Number: IT-8
Effective Date: July 1, 2014
Applicability: This policy applies to all persons using End-User Devices to access information provided by Information Systems operated by or on behalf of Drexel University and its affiliates.
Responsible Officer: Vice President of Information Technology
Drexel University (the “University”) intends to protect the confidentiality of educational, financial, health and other personal information provided to it and to protect information created in the course of University business, education, research, and other activities. In order to maintain sufficient protection of this data on End-User Devices, Information Security Requirements will be established by the University and adjusted as needed.
It is the policy of the University that the Vice President of Information Technology will maintain Information Security Requirements (the “Requirements”) as relates to End-User Devices. All End-User Devices which access information provided by Information Systems must comply with the Requirements. Individuals who and organizations that operate Information Systems that communicate with End-User Devices must implement the Requirements and take measures to block access to End-User Devices that do not comply with the Requirements.
In this Policy, the following definitions shall be used:
The term “End-User Device” means any Mobile Device, computer, or storage system accessing, collecting, and/or storing data, regardless of the ownership of the End-User Device.
The term “Mobile Device” includes small, portable devices accessing, collecting, and/or storing data. Included in this are tablet, smart phones, smart watches, and other “wearable” devices, typically running the Android, iOS, or Windows RT operating systems.
The term “Information Systems” includes all forms of network-connected devices, operated by or on behalf of Drexel University and its affiliates, that provide services and/or data to End-User Devices; it includes, but is not limited to, database, email, file, and web servers.
The Chief Information Security Officer of the University, the Chief Information Security Officer of the College of Medicine, and the Chief Privacy Officer of the University, or their designees, will develop and publish Requirements to protect the confidentiality of information contained in End-User Devices based on best practices and emerging standards in higher education. Multiple sets of Requirements may be established to protect different kinds of information, End-User Devices, and communications mechanisms.
The Requirement are to be reviewed at least annually. When changed, a summary of the changes is to be communicated to all Members of the University Community in writing, which may be done electronically.
Within three months of a change in the Requirements, all individuals who and organizations that operate Information Systems that permit communications with End-User Devices must implement the Requirements.
When differences in End-User Device security capabilities make it necessary to create multiple sets of Requirements to achieve a specific information security goal, the highest security level is to be the default. The Chief Information Security Officer of the University, the Chief Information Security Officer of the College of Medicine, and the Chief Privacy Officer of the University, or their designees, will develop and publish processes by which individuals may seek authorization to use a Requirement set with a lower security level.