Mobile Device Security Guidelines and Best Practices

Overview

 

Mobile phones, tablets, and wearable devices are often used to conduct personal and business communication and transactions. Everyone should do their best to secure their devices and to protect both their own and Pitt’s information and environment. Please read the following guidelines to make sure that your devices are properly secured, regardless of whether they are University-owned or personal.

 

Detail

 

Category Safety Measure
Operating System and applications
  • Enable automatic iOS or relevant operating system updates and verify they are installed
  • Only install vetted applications, such as those available on trusted sites

 


Device loss and theft
  • Maintain physical control; do not leave devices unattended in unsecured or public places
  • Keep devices out of sight and locked when not in use
  • Protect your device with a passcode and enable screen lock after no more than 15 minutes of inactivity
  • Use strong authentication. Consult the University of Pittsburgh Password Best Practices and Standards (Password Best Practices)
  • Encrypt your device
  • Enable Find My Phone or a similar application
  • Record the serial number and WiFi MAC address
  • Attach a label with your name and a secondary contact phone number to the device
Credential theft/malware/malicious applications
  • Do not reuse passwords (password hygiene)
  • Avoid saving passwords outside of a secure password vault such as the Pitt Password Manager
Eavesdropping
  • Turn off Bluetooth and AirDrop when not in use
  • Use a VPN such as GlobalProtect
Data loss
  • Install remote secure wipe utilities
  • Restrict device data syncing to only approved University services 
  • Do not store University data on the device; only view University data on the device
Advanced settings
Mobile devices containing Pitt information
Disposal
Policies and Training 
Incident Reporting
  • Notify the Technology Help Desk to reset your University Computing Account immediately. Make sure to have your multifactor tokens reset as well.
  • Notify law enforcement. If your device is stolen on campus, report the theft to the Pitt Police. If the theft occurs off campus, notify the local authorities as they may be tracking a pattern of thefts, and your details may help them refine their search.
  • Change any passwords for web services that may have cached passwords stored on the missing device. These should include any passwords for services outside of the University such as online banking, Amazon.com, etc.
  • Initiate a remote wipe of the missing device. The Technology Help Desk can assist with this task.


Details

Article ID: 45
Created: Tue 7/18/23 9:20 AM
Modified: Tue 2/13/24 1:19 PM
