
Protection of Information Assets

Temple University

MIS 5206.951 ■ Summer 2026 ■ Kelly McKain-D'Andria

Question 3

April 29, 2025 by Kelly McKain-D'Andria 29 Comments

Assume you are tasked with designing a new policy that highlights information security best practices related specifically to mobile devices at RIT, including laptops, smartphones, and tablets. The new policy should supplement RIT’s Information Security Policy and Acceptable Use Policy (case Exhibits 4 and 5). What practices would you recommend? How could you make staff aware of the policy and encourage their compliance?

Filed Under: 1a: Case Study 1 Snowfall and a stolen laptop


Comments

  1. Changyang Sui says

    June 9, 2025 at 7:41 am

    Simplified Action Plan
    1. Immediate (1 Week)
    Enforce Auto-Backups → Deploy OneDrive/Box for all leadership devices.

    Enable Remote Wipe → Install MDM (e.g., Intune) for offline wiping.

    2. Short-Term (1 Month)
    Scan for Sensitive Data → Use tools like Microsoft Purview to detect PII.

    Create a Theft Response Checklist → Mandate reporting within 1 hour.

    3. Long-Term (3 Months)
    Annual Security Training → Focus on phishing & physical security for execs.

    Full-Disk Encryption → Enable BitLocker on all laptops.

  2. Siyu Li says

    June 11, 2025 at 9:37 am

    1. Device Provisioning & Configuration
    (1) All RIT-issued laptops, smartphones, and tablets must use full-disk encryption to protect data at rest. Personal devices used for university business must meet equivalent encryption standards.
    (2) Install and maintain endpoint protection, remote management agents (e.g., LANDesk), and security updates automatically. Laptops must connect to RIT’s network at least weekly to receive updates.
    (3) Enforce multi-factor authentication for device login and university systems access. Smartphones and tablets must use PINs, patterns, or biometric locks (e.g., fingerprint, facial recognition) with a maximum 10-minute inactivity lockout.
    2. Data Management & Classification
    (1) Private data (SSNs, financial accounts) and Confidential data (FERPA records, faculty salary info) may not be stored on mobile devices unless encrypted and approved by the Information Security Office (ISO).
    (2) RIT-issued devices must use automated, cloud-based backup solutions (e.g., OneDrive for Business) with daily snapshots. Manual backups are prohibited for sensitive data.
    (3) Implement Mobile Device Management (MDM) software to enable remote data wiping for lost/stolen devices. If MDM is unavailable, IT must assist with account deactivation and data erasure.
    3. Physical Security & Usage
    (1) All RIT devices must be registered in the asset management system (e.g., LANDesk) with serial numbers and assigned users. Faculty/staff are responsible for reporting lost/stolen devices within 24 hours to IT and RIT Public Safety.
    (2) Laptops must be secured with Kensington locks when unattended on campus. Off-campus, devices should not be left in vehicles or unsecured areas.
    (3) When traveling with sensitive data, devices must be carried in locked bags and never checked as luggage. Remote workers must connect to RIT’s VPN to access internal systems.
    4. Incident Response & Accountability
    (1) Immediate notification to IT Support and ISO if a device is lost/stolen.
    (2) IT will initiate remote wipe (if possible) and notify the New York Attorney General’s Office if Private data is compromised.
    (3) Employees who fail to secure devices or report incidents may face disciplinary action, including loss of device privileges.
    I will establish corresponding promotion mechanisms for the above policies.

    • Siyu Li says

      June 11, 2025 at 9:39 am

      1. All faculty/staff must complete annual mobile device security training (30-minute module) covering encryption, data classification, and incident reporting. New hires must train within 30 days of onboarding.
      2. Recognize departments with 100% training completion and zero security incidents via internal awards (e.g., “Security Champion” designation).
      3. Establish a dedicated mobile device support line/portal to assist with encryption setup, backup issues, and policy questions.

  3. Jiaxuan Ma says

    June 11, 2025 at 10:58 am

    My recommended practices are:
    (1) Register remote devices in ITS and conduct a device inventory at the end of the fiscal year.
    (2) Enforce encryption on the device.
    (3) Add a remote locking function, a remote information clearing function, and the function of viewing the location of your own device.
    (4) Add the automatic device backup function, backing up at least once a month.

    Methods to encourage compliance:
    (1) Publish the new policy on the RIT official website and notify all staff by email.
    (2) Conduct compulsory safety awareness and new policy training, and reward employees who follow the safety policy.
    (3) Conduct phishing simulations to assess staff’s awareness; those who fall for the phishing simulations will be required to attend additional policy training.

  4. Xinran Wu says

    June 12, 2025 at 4:19 am

    1. Encrypt all university-owned laptops and mobile devices.
    2. Require a strong password or biometrics to unlock the device.
    3. Local storage of unencrypted PII or business-critical data on mobile devices is prohibited.
    4. Support remote data erasure and device positioning functions.

    It is suggested to improve the attention of employees by organizing equipment safety and information security training regularly, holding emergency drills for equipment loss or data loss to understand the processing process, and punishing individuals who cause information leakage.

  5. Jialin Fan says

    June 14, 2025 at 8:17 am

    My suggestions are as follows:
    1. Require full-disk encryption for all RIT-issued laptops, smartphones, and tablets to protect data at rest.
    2. Require strong authentication methods such as multi-factor authentication (MFA) for accessing resources via mobile devices.
    3. Clearly define and enforce data classification policies for mobile devices. Sensitive data should be handled according to its classification level (private, confidential, internal, or public).
    4. Develop and disseminate an incident response plan specifically for mobile devices. This plan should outline steps to take in case of loss, theft, or unauthorized access.
    5. Provide regular security awareness training for all staff members who use mobile devices. Training should cover topics such as phishing prevention, safe browsing habits, and secure data handling.

  6. Yingyu Wang says

    June 15, 2025 at 4:42 am

    Strengthen encryption settings:
    1. Enable full disk encryption (FDE) on all mobile devices that comply with the FIPS 140-2 standard, ensuring that data cannot be physically extracted if the device is lost.
    2. Set up remote wipe and add location tracking: Install MDM software with offline wipe capabilities and enable GPS tracking to allow continuous tracking of the device’s location after theft. This ensures that the last known location can be retrieved even after the device’s battery is exhausted.
    3. Add clauses restricting sensitive data storage: Prohibit storing critical data files locally. For certain data, access should require biometric authentication or other confidentiality measures.
    4. Equip all laptops with anti-theft locks: Add anti-theft lock mechanisms to all laptops to enhance physical security.
    5. Disable automatic connection to public Wi-Fi: Prevent devices from automatically connecting to public Wi-Fi networks to reduce the risk of unauthorized access.
    6. Standardize the reporting process in the response mechanism: Configure an emergency response toolkit to ensure that if a device is stolen and related files are stored as attachments, work can be promptly resumed. Additionally, ensure that remote device details can be extracted for location tracking.

  7. Ruizhen Zhang says

    June 16, 2025 at 1:49 am

    The following practices are recommended:
    For all mobile devices, including personal devices, a customized corporate usage policy must be signed if you want to access your company’s virtual private network (VPN).
    Specify how quickly mobile device theft can be reported and how quickly remote wipe can be implemented. The policy can also detail how to locate a lost or stolen device using the mobile device’s features (apps).
    Implement multi-factor authentication for accessing sensitive data or applications on mobile devices.
    To raise awareness of this policy among employees and encourage them to adhere to it:
    Educate technology users holistically to make them aware of the risks their mobile devices can pose to their corporate networks and the importance of keeping their devices physically and electronically secure. Employees who follow the policy for exemplary adherence are also recognized and rewarded.

  8. Yufei Zhu says

    June 16, 2025 at 3:44 am

    My opinion is that there should be a policy of regular full backups of important information. Increasing the frequency of backups prevents important data from being missed when it needs to be restored. Secondly, RIT should use remote wipe technology and information encryption technology to stop attackers from gaining access to private information in a security event.
    As for the staff, RIT can organize regular employee training so that employees understand the importance of protecting information and how to protect critical information.

  9. Meiyan Liu says

    June 16, 2025 at 8:06 am

    1. Mandatory Full-Disk Encryption: Require all RIT-issued laptops, smartphones, and tablets to use encryption to protect data in the event of theft or loss.
    2. Physical Security and Access Control: Require strong passwords/passcodes and automatic screen locking after 10 minutes of inactivity.
    3. Backup and Data Management: Implement mandatory, automated backups for all mobile device data to RIT’s secure cloud storage, with daily verification of backup integrity.
    4. Training and Communication: Require annual training for all staff on mobile device security, covering policy details, encryption tools, and incident response steps. Include case studies (e.g., the Dean’s stolen laptop) to illustrate real-world risks and consequences.
    5. Policy Enforcement and Accountability: IT Support will periodically verify device compliance (encryption status, software updates) through network scans and asset management tools.

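Several of the comments above (Siyu Li's thresholds: full-disk encryption, MDM enrollment, weekly check-in for updates, MFA, a 10-minute inactivity lock, and no Private/Confidential data without encryption plus ISO approval; Meiyan Liu's point that IT Support should verify those settings through asset-management tools) describe controls that an IT team would check mechanically. The script below is an added example, written for this discussion and not taken from any comment, RIT system, or MDM vendor: it audits a constructed device inventory against those controls. The JSON inventory layout, field names, serial numbers and e-mail addresses are assumptions; real exports from Intune, Jamf or LANDesk use their own schemas.

```python
"""Mobile device compliance audit over a (constructed) MDM inventory export.

Added example, not code from the original discussion or from any vendor.
The inventory format below is an assumption made for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LOCK_TIMEOUT_MIN = 10              # policy: lock after at most 10 minutes idle
MAX_CHECKIN_AGE = timedelta(days=7)    # policy: connect for updates at least weekly
AUDIT_DATE = datetime(2025, 6, 12, tzinfo=timezone.utc)   # constructed audit date

# Constructed sample export shaped like a simplified MDM JSON report (assumed schema).
SAMPLE_INVENTORY = json.dumps([
    {"serial": "LAP-0001", "owner": "dean@example.edu", "type": "laptop",
     "fde": True, "mdm_enrolled": True, "mfa": True, "lock_timeout_min": 5,
     "last_checkin": "2025-06-10T09:00:00Z", "data_class": "private", "iso_approved": True},
    {"serial": "LAP-0002", "owner": "staff1@example.edu", "type": "laptop",
     "fde": False, "mdm_enrolled": True, "mfa": True, "lock_timeout_min": 15,
     "last_checkin": "2025-05-20T09:00:00Z", "data_class": "private", "iso_approved": False},
    {"serial": "PHN-0003", "owner": "staff2@example.edu", "type": "smartphone",
     "fde": True, "mdm_enrolled": False, "mfa": False, "lock_timeout_min": 10,
     "last_checkin": "2025-06-11T09:00:00Z", "data_class": "internal", "iso_approved": False},
])


@dataclass
class Finding:
    serial: str
    control: str
    detail: str


def parse_inventory(raw: str) -> list[dict]:
    """Parse the JSON export; ISO-8601 timestamps become timezone-aware datetimes."""
    devices = json.loads(raw)
    for d in devices:
        d["last_checkin"] = datetime.fromisoformat(d["last_checkin"].replace("Z", "+00:00"))
    return devices


def check_device(d: dict, now: datetime) -> list[Finding]:
    """Return one Finding per violated control for a single device."""
    findings: list[Finding] = []
    if not d["fde"]:
        findings.append(Finding(d["serial"], "encryption", "full-disk encryption disabled"))
    if not d["mdm_enrolled"]:
        findings.append(Finding(d["serial"], "mdm", "not enrolled in MDM; remote wipe unavailable"))
    if not d["mfa"]:
        findings.append(Finding(d["serial"], "authentication", "MFA not enforced"))
    if d["lock_timeout_min"] > MAX_LOCK_TIMEOUT_MIN:
        findings.append(Finding(d["serial"], "screen-lock",
                                f"inactivity lock {d['lock_timeout_min']} min exceeds {MAX_LOCK_TIMEOUT_MIN}"))
    age = now - d["last_checkin"]
    if age > MAX_CHECKIN_AGE:
        findings.append(Finding(d["serial"], "patching",
                                f"last check-in {age.days} days ago; updates may be missing"))
    # Private/Confidential data is allowed only on an encrypted, ISO-approved device.
    if d["data_class"] in ("private", "confidential") and not (d["fde"] and d["iso_approved"]):
        findings.append(Finding(d["serial"], "data-classification",
                                f"{d['data_class']} data on a device without encryption and ISO approval"))
    return findings


def audit(raw: str, now: datetime = AUDIT_DATE) -> dict[str, list[Finding]]:
    """Audit every device in the export; returns only non-compliant serials with their findings."""
    report: dict[str, list[Finding]] = {}
    for d in parse_inventory(raw):
        found = check_device(d, now)
        if found:
            report[d["serial"]] = found
    return report


if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_INVENTORY).items():
        print(serial)
        for f in findings:
            print(f"  [{f.control}] {f.detail}")
```

Running it on the constructed inventory flags LAP-0002 (unencrypted, 15-minute lock, stale check-in, Private data without approval) and PHN-0003 (not enrolled, no MFA) while LAP-0001 passes every check. The check-in age test is what makes the "weekly connection" rule enforceable: a device that never contacts the network cannot receive patches or a remote wipe, so it is reported even when its other settings look correct.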
  10. Yiwen Lou says

    June 16, 2025 at 9:15 am

    Here are my suggestions:
    First off, all laptops, smartphones, and tablets issued by Rite Company should have full-disk encryption. That way, data is protected when it’s at rest—you know, like when the device isn’t in use or being transferred.
    We should require strong authentication methods like Multi-Factor Authentication (MFA) for accessing resources through mobile devices. It’s way safer than just a password alone, since it adds an extra layer of security.
    We need to clearly create and strictly enforce a data classification policy for mobile devices. Sensitive data should be handled based on its classification level—whether it’s private, confidential, internal, or public. That way, everyone knows how to treat different types of info.
    Let’s develop and promote an emergency response plan specifically for mobile devices. This plan should spell out exactly what to do if a device gets lost, stolen, or accessed without permission. Having a step-by-step guide would make emergencies less chaotic.
    Finally, provide regular security awareness training for all employees using mobile devices. The training should cover things like how to spot phishing attacks, safe browsing habits, and how to handle data securely. It’s all about keeping everyone in the loop to prevent mistakes!

  11. Yiying Chen says

    June 16, 2025 at 11:46 am

    Recommendations:
    1. Passcodes and similar authorization information should be required to be updated regularly. Deeper encryption should be added if possible, to protect sensitive data on personal devices used for university business.
    2. Data should be classified and stored accordingly, ensuring confidential data is stored in encrypted folders and synced only with approved cloud services, to add another layer of protection to the data if someone gets hold of the physical device.
    Improve awareness:
    1. Entrance training for every staff member is very important, along with regular information security training including encryption, data processing and incident reporting modules.
    2. Make a clear accountability mechanism, such as combining compliance with personal assessment, and stipulate the duties and accountability of every staff member in emergencies and in daily security control.
    All of those are guarantees to both mechanisms and staff in information security, shrinking every space for vulnerabilities.

  12. Wenhao GUO says

    June 17, 2025 at 12:30 am

    1. Encrypt devices that store private data: require full-disk encryption for laptops/smartphones that store personally identifiable information (e.g., Social Security numbers, financial information) to prevent unauthorized access to the data if the device is stolen.
    2. Report theft immediately: employees must immediately notify the IT department and Public Safety so that tracking measures (e.g., asset management system alerts) can be initiated.
    3. Enable remote tracking: use tools such as LANDesk to monitor stolen devices that connect to the Rochester Institute of Technology network, although remote wipe capability is limited.
    4. Restrict storage of sensitive data on personal devices: prohibit storing confidential information (e.g., faculty/staff salaries, student records) on personal mobile devices.
    5. Mandate regular backups: ensure university devices are backed up automatically to minimize data loss when a device is stolen.
    Awareness and compliance:
    1. Use past theft cases (e.g., the dean’s stolen laptop) to train staff and highlight the risks.
    2. Send campus-wide emails reminding staff of the reporting procedure and encryption steps.
    3. Regularly audit the encryption and backup status of devices.

  13. Jingni Li says

    June 17, 2025 at 1:25 am

    (1) Policy recommendations
    1. Device management
    Enforce enrollment of all mobile devices through the MDM system and remotely configure security parameters (e.g., password rules, software installation).
    Implement full life cycle management (from warehousing to scrapping), and establish equipment archives and usage records.
    2. Data Protection
    Enforce encryption for storing and transmitting sensitive data (e.g., AES encryption, VPN), separating work from personal data.
    Enable the remote lock/wipe feature for a quick response when you lose your device.
    3. Access Control
    Implement multi-factor authentication (passwords, biometrics/dynamic passwords).
    Assign least access based on roles and regularly audit the reasonableness of permissions.
    4. Application and software management
    Establish a whitelist of applications, prohibit unofficial applications, and force automatic updates.
    Install enterprise-grade antivirus software to monitor for malicious programs in real time.
    5. Security Updates and Audits
    Enforce timely installation of system/software security updates.
    Regularly audit device security configurations and access logs to warn of violations.
    (2) Publicity and compliance measures
    1. Raise awareness: New employee training is incorporated into the safety policy, and current employees receive regular online/offline training (combined with real cases).
    Intranet sections, posters, email policy essentials and security tips.
    2. Incentivize compliance
    Set up a “Safety and Compliance Star” award (commendation prize), and add points for performance appraisal.
    Provide IT support to help employees in difficulty, and take measures such as warnings and restrictions on permissions for violators.

  14. Meiqi Yan says

    June 17, 2025 at 3:58 am

    1. All laptops, mobile phones and tablets must be set to have a lock screen function (password/fingerprint recognition) and automatically back up to the cloud storage system of Rochester Institute of Technology every day – this way, incidents like the theft of the dean’s laptop can be avoided, and work data loss can be prevented.
    2. The “Find My Device” application must be forcibly installed so that the IT department can remotely erase stolen devices.
    3. The most important thing is: Social security numbers or student personal information should not be directly stored on the device – it should be stored in the cloud.
    To make employees accept this requirement: Create a 5-minute interesting video with the stolen dean’s laptop as the main character; distribute “Security Guard” coffee vouchers to departments that comply with the regulations; and send false phishing test text messages – anyone who reports such tests can receive pizza as a reward. Keep the operation simple, reward good habits, so that no one will cry over lost data!

  15. Liyuan Zhou says

    June 18, 2025 at 2:37 am

    RIT Mobile Device Security Policy Proposals
    Security Operation Essentials
    1. Device Encryption & Passwords: All devices must use complex passwords (8+ characters with letters, numbers, and symbols). Critical laptops should enable full-disk encryption.
    2. Sensitive Data Management: Sensitive information like student Social Security numbers and credit card details is prohibited from local storage. Encryption or VPN access is required for such data.
    3. Loss Reporting Process: Report lost devices to IT within 24 hours to trigger remote data wiping (avoiding data risks seen in the dean’s case).
    4. Automatic Software Updates: Mandate automatic updates for systems and security software. Devices without updates are barred from connecting to the campus network.
    5. Automatic Backup Mechanism: Set up weekly automatic backups for key positions like deans, replacing manual operations (preventing file loss).

    Policy Implementation Methods
    1. Training with Cases: Conduct quarterly training using the dean’s laptop theft case to explain emergency procedures, emphasizing that data breaches may incur costs for credit monitoring services.
    2. Simple Operation Guides: Create illustrated manuals or QR codes for encryption and reporting steps, posted in office areas for easy reference.
    3. Reward and Punishment Mechanisms: Offer small incentives for proactive compliance. Deduct performance bonuses for data leaks caused by personal negligence.
    4. Regular Inspections: IT will randomly check the security status of 20% of devices every six months. After any device loss, hold meetings to analyze improvements (e.g., backup loopholes).
    Effect: These measures address gaps in remote data wiping and backups, reducing the university’s legal and financial risks from device loss.

  16. Wenhao Liu says

    June 18, 2025 at 5:29 am

    Recommended mobile device security policies for RIT:
    • Encryption mandate: Require full-disk encryption on all laptops and tablets, with automatic activation upon device issuance. Smartphones should use biometric locks (fingerprint/Face ID) and encrypt stored data.
    • Remote management tools: Implement software to remotely wipe data, lock devices, and track location in case of theft. This works even if devices aren’t constantly connected, via periodic network checks.
    • Data classification rules: Prohibit storing Private or Confidential data (like SSNs or financial records) on mobile devices unless encrypted and approved by ISO. Require staff to use cloud storage for sensitive files instead of local storage.
    • Automatic backups: Enforce daily automated backups for laptops, synced to RIT’s secure servers, with user reminders for incomplete backups.
    • Device registration: All mobile devices must be registered with ITS, which tracks configurations and ensures security updates are applied.
    Awareness and compliance strategies:
    • Training sessions: Host mandatory workshops on mobile security, using the stolen laptop case as a real-world example. Include scenarios like “What to do if your phone is stolen.”
    • Visual reminders: Distribute stickers for devices with quick tips (e.g., “Encrypt this laptop!” or “Never leave devices unattended”).
    • Policy acknowledgments: Require annual sign-offs on the policy, linking compliance to annual performance reviews.
    • Incentives: Offer small rewards (e.g., gift cards) to departments with 100% device registration and encryption rates.
    • Regular audits: Periodically scan networks for unregistered devices or unencrypted data, notifying users and their managers of violations.

  17. Zuqi Zhang says

    June 19, 2025 at 3:51 am

    (3) Require full-disk encryption on all laptops and enable encryption on smartphones/tablets to protect data at rest; implement automated, frequent backups for all mobile devices to a secure, centralized server or cloud service; enable remote wipe and locate capabilities to allow IT to erase data or track devices if lost or stolen.
    First of all, access control: ensure all devices are configured to automatically update their operating systems and applications to patch vulnerabilities, as well as require the use of a VPN for accessing RIT’s network and sensitive data from off-campus locations.
    For training sessions:
    Conduct mandatory training sessions for staff to familiarize them with the new policy and its importance; send periodic reminders and updates about the policy through newsletters or IT bulletins; recognize and reward departments or individuals who consistently follow best practices, encouraging a culture of compliance; implement regular audits to ensure compliance and enforce penalties for non-compliance, reinforcing the policy’s importance.

  18. Xiaojin Liu says

    June 19, 2025 at 4:49 am

    Security Measures:
    The device will automatically lock after being idle for 5 minutes and require password/biometric re-authentication.
    The IT department will configure daily encrypted backups to the central server.
    Install mobile device management software to remotely wipe data in case of loss or theft of the device.
    Do not leave the device unattended in public places.
    How to comply:
    Conduct training and simulation tests on how to identify private/confidential data and the incident reporting process.
    Carry out publicity, for example: create promotional posters and send short videos via email as reminders.

  19. Xintong Zhang says

    June 19, 2025 at 7:17 am

    To recommend the following practices:
    1. All devices must enable full-disk encryption and multifactor authentication, and prohibit storing unnecessary personal identifiable information and confidential data.
    2. Establish an asset management system through tools like LANDesk to monitor hardware configurations, software versions, and patch statuses, mandate the installation and update of antivirus software, and clarify offline protection requirements for non-networked devices such as laptops.
    3. In case of device loss or theft, report to the IT department, ISO, and public security department within 24 hours; the IT department must immediately implement remote locking and initiate remote wiping if sensitive data is stored and its security is unknown.
    4. Employees should manually back up data to RIT encrypted servers weekly, and the IT department will randomly check backup integrity quarterly.

    To enhance staff awareness and encourage compliance, adopt a hierarchical promotion strategy: When releasing the policy, analyze risks via emails, briefing sessions for IT heads of each college, and columns on the information security official website. Organize mandatory security training for all staff covering encryption operations, data classification, and emergency procedures, requiring certification through online tests, and implement normalized supervision.

  20. Jiwei Yang says

    June 19, 2025 at 8:27 am

    Recommendations:
    1. Data Encryption and Remote Management: Mandate full-disk encryption on all mobile devices and install remote tracking and wiping software (for example, sensitive data can be remotely deleted in case of theft) to prevent data leakage due to device loss.
    2. Sensitive Data Control: Prohibit the storage of unencrypted private information (such as Social Security numbers and credit card numbers) on mobile devices. When storage is necessary, synchronize the data through the RIT Secure Cloud Platform to reduce local storage risks.
    3. Automatic Backup and Compliance Checks: Deploy an automated backup system to back up mobile device data at least once a week. The IT department should regularly audit the effectiveness of the backups to avoid omissions in manual backups.
    4. Physical Security Specifications: Require device users to set a lock-screen password (the complexity must meet RIT standards) when leaving the device unattended. Use anti-theft locks to secure the device when going out. Ensure that doors and windows are locked in residential or office premises.
    Compliance Promotion Measures:
    Promote the policy through new-employee onboarding training and quarterly security briefings. Emphasize the risks by citing the case of the dean’s stolen laptop. Post posters in the office area and send regular email reminders, clearly stating the consequences of non-compliance (such as device disablement and disciplinary action). Establish an anonymous reporting channel to encourage employees to monitor and reward those who proactively report security risks.

  21. Jianwei Huang says

    June 19, 2025 at 8:48 am

    When designing the new policy, recommend practices like requiring strong passwords, enabling full-disk encryption for all mobile devices, and implementing remote tracking and wiping capabilities to secure data in case of loss or theft. Prohibit storing sensitive information (e.g., SSNs, credit card numbers) on mobile devices unless absolutely necessary, and mandate regular software updates to patch vulnerabilities. For physical security, urge staff to never leave devices unattended in public areas and to use cable locks in offices.
    To raise awareness, conduct annual information security training sessions focused on mobile device risks, distribute concise policy handbooks, and send periodic email reminders with real-life examples from RIT’s past incidents (like the stolen laptop case). Encourage compliance by linking policy adherence to performance reviews and implementing a reporting system where staff can anonymously flag violations. Make IT support accessible for device security setup, and highlight that non-compliance may result in disciplinary action or loss of device privileges.

  22. Shouxi Mou says

    June 20, 2025 at 12:24 am

    RIT Mobile Device Security Policy (Supplemental)

    1. Core Security Requirements
    A. Device Protection
    Encryption
    Authentication
    Remote Wipe

    B. Data Handling
    PII Storage
    Cloud Use
    Backup

    C. Incident Response
    Theft/Loss: Immediate reporting to IT (within 1 hour) to trigger remote wipe
    Breach Protocol: Follow NY breach notification rules if PII is potentially exposed

    2. Awareness & Compliance Strategies
    A. Training
    Mandatory Workshops
    Phishing Drill

    B. Enforcement
    Device Registration
    Compliance Checks

    C. Incentives
    “Secure User” Badges

    3. Policy Integration
    Aligns with Existing Policies

  23. Yan Liu says

    June 20, 2025 at 12:45 am

    To enhance data security, implementing regular full backups of critical information is essential. Increasing backup frequency minimizes the risk of data loss during restoration, ensuring comprehensive recovery in incidents. Additionally, RIT should adopt remote wipe technology and information encryption to prevent unauthorized access to private data during security breaches, neutralizing threats even if devices are compromised.

    For staff, regular training programs are vital. These sessions should emphasize the importance of information protection and equip employees with practical strategies to safeguard sensitive data—from secure file handling to recognizing phishing risks. By integrating technical safeguards (backups, encryption, remote wipe) with behavioral awareness (training), RIT can build a robust security framework that addresses both technological vulnerabilities and human error, fostering a culture of proactive data protection.

  24. Huiling Huang says

    June 20, 2025 at 3:43 am

    Recommendations:
    • All devices must use strong passwords (mixing letters, numbers, and symbols) and enable auto-lock.
    • Sensitive data stored on devices must be encrypted.
    • Install antivirus software and keep it automatically updated.
    • Never leave devices unattended in public places; lock them when stepping away.
    Promotion Measures:
    • Organize casual training sessions (like lunch-and-learns) to explain policies in simple language.
    • Send regular reminder emails with real-life cases to emphasize safe habits.
    • Post visual posters in offices and labs showing key security steps.

  25. Rong Su says

    June 21, 2025 at 2:29 am

    1. Encrypt all university-owned laptops and mobile devices (mixing letters and numbers).
    2. Require a strong password or biometrics to unlock the device.
    3. Local storage of unencrypted PII or business-critical data on mobile devices is prohibited.
    4. Support remote data erasure and device positioning functions.
    5. Close the device when leaving it.

  26. Xinshang Pei says

    June 21, 2025 at 11:33 am

    Recommended Security Practices:
    Device Security: Enforce full-disk encryption, multifactor authentication, and prohibit storing unnecessary PII/confidential data.
    Asset Management: Use tools like LANDesk to monitor hardware/software status, mandate antivirus updates, and define offline protection rules.
    Incident Response: Report lost/stolen devices to IT, ISO, and authorities within 24 hours; IT must remotely lock/wipe devices with sensitive data.
    Data Backup: Require weekly manual backups to encrypted servers, with IT conducting quarterly integrity checks.
    Awareness & Compliance:
    Rollout: Communicate risks via emails, IT head briefings, and security website columns.
    Training: Mandate staff training on encryption, data classification, and emergency response, with certification via online tests.
    Oversight: Implement ongoing supervision to ensure adherence.

  27. Gao Yujing says

    June 21, 2025 at 12:47 pm

    Recommended Mobile Device Security Practices for RIT
    1. Technical Security Measures
    Encryption & Data Protection
    Enforce full-disk encryption for laptops (BitLocker/FileVault) and file-level encryption for smart devices (iOS Data Protection).
    Deploy MDM tools (Jamf/Intune) for remote wipe of lost/stolen devices.
    Access Control
    Implement Multi-Factor Authentication (MFA) with hardware tokens or biometrics.
    Prohibit shared accounts; bind device credentials to unique employee IDs.
    Software & Network Security
    Mandate auto-updates for OS/apps; block unsigned app installations.
    Whitelist business apps; ban unapproved software (e.g., P2P tools).
    Restrict connections to encrypted Wi-Fi (WPA2/AES); require VPN for remote access.
    Physical Security
    Require Kensington locks for laptops and GPS tracking for smart devices.
    Mandate 24-hour reporting for lost/stolen devices.
    2. Operational Governance
    Device Lifecycle Management
    Standardize security configurations for corporate devices (e.g., disable USB debugging).
    For BYOD, require MDM enrollment and periodic security scans.
    Data Handling
    Prohibit storing sensitive data (student records, research) on personal devices.
    Enforce encrypted transfers (SFTP/encrypted email) and approved cloud storage.
    Monitoring & Response
    Deploy real-time alerts for abnormal login/data exfiltration.
    Conduct quarterly security audits for compliance.
    Promoting Policy Awareness & Compliance
    Training & Education
    Mandate annual mobile security training with case studies.
    Conduct phishing simulations with targeted coaching for high-risk staff.
    Communication Strategies
    Distribute visual guides (e.g., “3 No’s”: no public Wi-Fi, no sensitive data, no device sharing).
    Send weekly security tips via email/intranet.
    Incentives & Accountability
    Award “Security Champion” to compliant departments/individuals.
    Tie device compliance to department KPIs with performance deductions for violations.

  28. Yangyu Zhang says

    June 21, 2025 at 3:34 pm

    RIT Mobile Device Security Policy
    (Supplement to Information Security Policy & Acceptable Use Policy):
    1.Device Enrollment & Management
    2.Data Protection
    3.Access Controls

    Awareness & Compliance Strategies:
    1.Training & Communication
    2.Accountability Measures
    3.Incentives & Support

