For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Information Security Requirements for Devices That Access Drexel Email Systems

Published: June 12, 2014
Revised: September 3, 2019

Original Effective: June 12, 2014
Revision Effective: September 3, 2019

This Information Security Requirement for Mobile Devices That Access Drexel Email Systems has been published per the procedures defined in the Information Security for Institutional Information Policy (IT-8).

Requirements

Email systems operated by or on behalf of Drexel University and its affiliates must apply one of the below device security policies to each mailbox such that all devices accessing the mailbox implement the Requirements.

Device Security Policy

  1. Devices must enforce use of a 10-character password comprised of characters from at least three of these four sets: lower case letters, upper case letters, numbers, and other characters. Mobile Devices may use the above standard or enforce use of a 6-digit numeric PIN, excluding repeating and/or sequential digits.
  2. Device must turn off its screen and lock itself after 15 minutes without user interaction.
  3. Device must use FIPS 140-2 certified encryption of the built-in or add-in storage where email messages and attachments are stored.
  4. Mobile Device must erase all Drexel email content if the device password or PIN is entered incorrectly 15 times in a row. If the device cannot limit its erasure to the Drexel email content, if must erase all contents of the device password or PIN is entered incorrectly 15 times in a row.
  5. Mobile Device must remain in a secure state, per its manufacturer, and may not be "rooted" or "jail-broken" at any time.

Mobile Application Management Security Policy

  1. Application must enforce use of a 6-digit numeric PIN, excluding repeating and/or sequential digits to start.
  2. Application must quit or must turn off the screen after 15 minutes of user interaction and must re-re-prompt for the PIN when re-activated.
  3. Application must use FIPS 140-2 certified encryption for its storage area.
  4. Application must erase all Drexel email content if the application PIN is entered incorrectly 15 times in a row. If the application cannot limit its erasure to the Drexel email content, if must erase all contents of the device Violation

Any violation of this Information Security Requirement by any Applicable Member shall be construed as a violation of the Information Security for Institutional Information Policy (IT-8) and may result in disciplinary action up to and including termination.

Additional Information

A list of email applications that can comply with the above requirements is maintained on our Email App Compatibility for Multi-Factor Authentication page.