Unit-Specific Expectations for Self-Management of Personally Owned Devices that Access Sensitive Institutional Data

Standard number: DS-07
Date issued: 6/17/2013
Date last reviewed: 5/26/2021
Date of next review: 6/30/2024
Version: 2.2
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance

I. Purpose

The pervasive use of mobile computing devices, including personally owned, self-managed smartphones and tablets, has increased the ability of members of the U-M community to work anytime from anywhere. While increased use of personally owned devices offers convenience, productivity gains, and job satisfaction, there are also significant risks of data loss, theft, or unauthorized access if these devices are lost, stolen, or accessed by unauthorized individuals or entities. In addition, there is a risk that data used on a personal device might breach institutional contracts or violate state or federal laws and regulations.

Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) stipulates that sensitive institutional data should be "accessed or maintained on personally owned devices only when necessary for the performance of university-related duties and activities," and only if permitted by the university.

University IT standards generally identify requirements for becoming compliant with university IT policies, as well as applicable laws and regulations. This standard describes more specific implementation details to help ensure a consistent approach by units in following SPG 601.33.

II. Scope and Authority

This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates who access sensitive institutional data on personally owned devices.

Information Assurance is responsible for the maintenance and interpretation of this standard.

III. Standard

All U-M policies that provide guidance on handling sensitive institutional data apply equally to users of personally owned devices. The Sensitive Data Guide to IT Services provides information that helps the university community determine which institutional data types are restricted from being stored or maintained on personally owned devices. In addition the university provides the minimum user management and security setting expectations for university users that have permission to access or maintain sensitive institutional data on their personally owned device.

Units have the discretionary authority to adopt and enforce requirements for use of personally owned devices that are more specific or restrictive than defined in SPG 601.33 and its related guidelines.

The dean, director, or delegated executive authority of a unit has the authority to decide whether to allow the unit's employees, agents, affiliates, or workforce members to use personally owned devices to access or maintain sensitive institutional data. Further, if the unit determines that some or all such people are permitted to use their devices for such purposes, the unit can then require that additional specific security settings be established and maintained.

Units should employ a risk-based approach when deciding whether to permit access to or maintenance of sensitive institutional data while using personally owned devices. Risk criteria may include:

• Role-based need to perform U-M responsibilities regardless of location
• Type and volume of sensitive data that can be accessed
• Regulatory and statutory compliance requirements

Units that limit access to sensitive U-M data by some or all within the unit or that require specific user management or security safeguards should follow the Unit Implementation of SPG 601.33. The unit's security unit liaison is responsible for maintaining a copy of the completed form for as long as unit-specific requirements are in force.

Units that adopt and implement more stringent unit-specific requirements are required to provide notification of such requirements to those affected by them and maintain documentation of the requirements. Units that do not adopt any unit-specific requirements beyond those enumerated in SPG 601.33 and its related guidelines have no further notification requirements under this Standard.

Notification of Device Inspections

In the course of an incident investigation, U-M employees, agents, affiliates, and workforce members may be required under SPG 601.33 to permit the inspection of their device if it has been permitted to access or maintain sensitive institutional data. In addition, there is an ongoing obligation to make their device available as part of a document request with which the university is legally obligated to comply.

In the event the university needs to conduct an inspection of a personally owned device as stipulated in SPG 601.33, Section IIE or provide documents requested under Section IIF, the dean, director, or delegated executive authority will inform the user in writing of the reasons for the inspection or document request.

IV. Definitions

1. Sensitive Data. Sensitive data, as defined in Institutional Data Resource Management (SPG 601.12), refers to data whose unauthorized disclosure may have serious adverse effect on the university's reputation, resources, services, or individuals. Data protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive.

2. Personally Owned Devices. SPG 601.33 and this Standard apply to devices wholly owned by a member of the university community as well as those for which an individual receives a university subsidy or stipend.

   Personally owned devices include personal computers, laptops, and portable electronic devices such as smartphones, PDAs, mobile phones, tablets, media players, and any similar electronic devices. In addition, removable media falls under this Standard, including USB flash drives, external disk drives, memory cards, CDs, DVDs, and other electronic, magnetic, or optical storage media that can be readily transferred from one electronic device to another.

V. Additional Resources

See U-M Data Classification Levels for specific definitions and examples of the regulated and sensitive data types included in the U-M Standard.

VI. References

• University Data and Personally Owned Devices
• Tech Tools: Cell Phones and Portable Electronic Resources (SPG 514.04)
• Responsible Use of Information Resources (SPG 601.07)
• Privacy and the Need to Monitor and Access Records (SPG 601.11)
• Institutional Data Resource Management (SPG 601.12)
• Information Security (SPG 601.27)
• Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)
• eDiscovery at the University of Michigan (DM-08)