These requirements and procedures support the governing Columbia University IT Policies and the CUIMC Information Security Procedures.
Portable devices, including smartphones, tablets, and other mobile peripherals, are increasingly used as an extension of computers. Those that connect to institutional data, including email, typically keep a copy of that information in permanent storage and in caches whether or not they are currently connected to the original source of the data. This, combined with the small size and convenience of portable devices, makes it all the more important to ensure that they are properly secured against both accidental and intentional security breaches.
Requirements
Following is a summary of the Registration And Protection Of Endpoints Policy, which applies to any mobile device, whether personally or departmentally owned.
General Protection Requirements
Users must ensure the following.
- The device is password protected (as per the University Information Resource Access Control And Log Management Policy).
- A mechanism exists to encrypt all data on the device.*
- The device is set to lock after 5 minutes of inactivity.*
- A mechanism exists for secure, remote wipe of data if the device is lost or stolen.
- The device erases its data after 10 failed password/login attempts.*
- Any device storing University data is disposed of or sanitized according to University policy.
- Phones that are issued or financially subsidized by the University are enrolled in the University's Emergency Text Notification System.
* Smartphones and tablets configured for a CUIMC email account (any address ending in @cumc.columbia.edu) or for Ivanti automatically have encryption and a passcode with auto-lock enforced. Details are under CUIMC IT Procedures below.
Additional Requirements for Sensitive, Confidential and PHI Data
- Users with devices containing sensitive or confidential data must keep a record of that data; the record must not be stored on the same device. It is also recommended that Confidential data be password protected, both in transit and in storage.
- Loss or theft of equipment containing sensitive data must be reported promptly through the proper channels.
- Users with devices containing Sensitive data must ensure that:
  - Sensitive data is encrypted both in transit and in storage, including anything kept on removable media (USB keys, disks, smart cards, etc.).
  - Encryption is based on standard algorithms with no known security flaws and uses AES with a key of at least 256 bits.
  - See Approved Encryption for a list of formats and methods meeting these requirements.
  - Full disk encryption is used.
  - Peer-to-peer programs are not used without the approval of the Information Security Office.
- Users with mobile devices containing PHI must make sure that data shown on the device's screen cannot be seen by unauthorized persons.
Additional Guidelines
- Use credible, up-to-date software. Make sure that the manufacturer-approved operating system and service provider updates are installed so that known security vulnerabilities are patched. Do not install third-party applications that are invasive or that access sensitive or institutional information stored on the device; any third party with access to PHI must have a Business Associate Agreement with Columbia University.
- Keep devices physically secured. Whenever possible, keep equipment in a locked drawer, room, or area when not in use.
CUIMC IT Procedures
The following apply to smartphones and tablets using CUIMC IT support and/or connecting to a CUIMC email account (ending in @cumc.columbia.edu).
Compatible Devices
Prior to purchasing a device and contracting with any cellular service provider, you must verify that the device is able to meet all of the security requirements above. You must also verify that these protections have been properly configured and remain in use for as long as you have the device. The vendor must currently support the device's operating system, including the release of regular security patches.
- iPhone and iPad - most models released in the past few years are compatible. The iOS version (operating system) must be recent enough that Apple still releases security patches for it.
- Android - due to the wide range of hardware and software available for devices using the Android operating system, specific information cannot be outlined here. Please verify ahead of time that any device will meet the requirements listed above.
CUIMC Email Enforced Compliance
Configuring a mobile device to connect to a CUIMC email account automatically enforces:
- Automatic passcode lock
- Data encryption
When first configuring CUIMC email, you will receive an alert on the device itself prompting you to set up a passcode; data encryption is configured at the same time.