Purpose
This standard outlines the responsibilities of Ohio University employees to ensure the protection of university data while working for Ohio University.
Scope
This standard applies to all Ohio University employees, agents, and the computing devices (“devices”) used to perform University work. This standard also applies to those employees and agents who are working in flexible workplace arrangements as outlined in university Policy 40.063 Flexible Work Schedule, Flexible Hours, and Flexplace for Administrators.
Standard
Ohio University recognizes that work can be performed on different devices and in many different locations and spaces. Additionally, Ohio University has a significant amount of data that employees and agents interact with in their daily work. To reduce the risks to university data, this standard sets forth the criteria for working on different devices. Employees and agents must, at minimum, adhere to the following practices to ensure data security.
Any device used to perform university work must maintain a basic level of security to protect the integrity of university data and networks, meet university policy requirements, and comply with laws and regulations.
There are four primary models of devices used by OHIO employees and agents: managed OHIO devices, virtual desktop instance, self-managed OHIO devices, and personally owned devices.
Working on a Managed OHIO Owned Device
OHIO employees and agents are strongly encouraged to use computers and devices that are purchased by Ohio University and are managed and maintained by Ohio University IT staff. These devices must meet the requirements set forth in the Secure Computer Management Standard.
Working Within a Virtual Desktop Instance
The OHIO Virtual Desktop Infrastructure (VDI) provides remote access to specific Ohio University software using a full Windows desktop environment from any PC, Mac, iOS, or Android device. This access allows users to connect to select University resources from a personal device. When connected, screen images are sent to the user's device, and the user's keystrokes and mouse movements are sent to the virtual PC to mirror an in-person computing experience. VDI is the preferred solution for working with sensitive data.
Working on a Self-Managed OHIO Owned Device
OHIO employees and agents may have research, development work, or other business needs that require them to manage or maintain their University owned devices. The requirements for this work may differ significantly from the configurations provided by VDI and other OHIO managed devices.
Grant-Purchased Devices. Faculty and researchers frequently purchase computers and other devices from research grant funds or other external funding. Sometimes departmental IT staff manage these devices, but frequently they are self-managed by faculty and researchers (including graduate students working with them). Management of these devices must satisfactorily meet the requirements of the sponsoring organization as applicable.
Your Responsibilities for Self-Management
Self-managed devices, particularly grant or research funded devices, may have a wide range of hardware, operating systems, and software configurations. OIT service providers and unit IT staff cannot provide the same level of data protection, desktop support, and troubleshooting for those devices as provided to managed OHIO-owned devices or from services such as VDI.
Faculty and staff who self-manage OHIO-owned devices have the responsibility to limit unauthorized access to the device and any OHIO data on it, implement appropriate security controls, follow best practices, configure their device to minimize potential security risks, and troubleshoot, diagnose, and repair the device themselves. If you have trouble implementing any of the security controls below, contact your unit IT staff for assistance. Unit IT staff will contact the Information Security Office as needed.
Requirements for all self-managed devices:
- Comply with all OHIO policies and standards, as well as regulatory and contractual obligations, for the type of data that is stored or accessed by the self-managed device.
- Comply with all applicable OHIO IT policies.
- Periodically update the operating system, software, and endpoint protection.
- Enable auto updating wherever possible.
- Data classified as High and Moderate criticality must be secured as outlined in Protect Sensitive Data and in accordance with the guidelines in the Standard for General Information Systems.
- You may not access or store data classified as HIGH criticality on any self-managed device.
- Protect OHIO networks by not connecting a device that is out of date to the OHIO network.
- Work with your unit IT staff to put safeguards in place such as a private network or appropriate firewalls if the device needs to connect to other devices.
- When outside the OHIO network, connect using the university VPN service offerings. Do not use free wireless networks or off-campus networks without the VPN.
- Protect devices that cannot be updated by not connecting them to any outside (non-OHIO) network.
- Configure and activate a personal firewall to help insulate the device from network-based viruses and worms.
- Implement full disk encryption. Encryption keys must be securely stored in a location that can be accessed in the event you are unavailable to unlock the device.
- If you cannot implement full disk encryption, work with unit IT staff on compensating controls for your machine.
- Keep your operating system and other software up to date. Software updates include patches for newly identified vulnerabilities and other important security updates.
- If a Critical or High vulnerability is identified with your device, fix the issue immediately and in accordance with the Patch Management Standard.
- If fixing the issue would hinder using the device (such as changing a setting that would prevent research software from running), contact the information security office for recommendations on how to limit risk.
- Use antivirus software. Follow the guidance for anti-virus software to protect a self-managed device.
- Back up your data. The university offers several file storage options that you can use. Check the Storing Data by Type webpage to see which services are appropriate for certain types of sensitive institutional data. Ohio University data must be backed up to an OHIO owned and managed device or service.
- Create strong passwords and follow safe password practices.
- Choose web browser security settings that protect privacy and enhance security.
- Do not use accounts with elevated administrator access for day-to-day, routine activities.
- Promptly report a compromised account or other security incident to the Information Security Office.
Working on Personally Owned Devices
Ohio University recognizes that those who work on its behalf may need to access or maintain sensitive university data from their personally owned devices (smartphones, tablets, laptops, and more*). Sensitive institutional data shall be accessed or maintained on personally owned devices only when necessary for the performance of University-related duties and activities. University employees and agents shall take all required, reasonable, and prudent actions necessary to ensure the security and retention of sensitive institutional data.
Departmental/Unit Responsibilities:
- Departments/units have the discretionary authority to decide whether to allow personally owned and self-managed devices to be used with sensitive data for those in their department.
- When permitting the use of personally owned devices, the department must ensure that all of the requirements for self-managed devices as outlined above are met.
- Departments/units may also choose to adopt additional expectations and restrictions beyond those outlined in this standard.
- It is the department or unit’s responsibility to keep documentation of those individuals that have been permitted to utilize self-managed or personally owned devices for the purpose of university work.
Individual Responsibilities:
- You may not access or store data classified as HIGH criticality on any personally owned self-managed device.
- Permission to use personally owned devices
  - Departments or units shall decide on a case-by-case basis whether to allow University employees or agents to use personally owned devices to access or maintain sensitive institutional data.
- Device Security
  - University employees or agents shall maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided by the University, as well as comply with appropriate safeguards required by state and federal regulations.
  - The University or individual departments or units may require that specific security settings and/or software to protect sensitive institutional data be put in place and maintained on the device.
- Data Return/Deletion
  - Users shall return or delete sensitive institutional data maintained on personally owned devices upon request from the University or when their role or employment status changes such that they are no longer an authorized user of that data.
- Incident Reporting
  - Personally owned devices that access or maintain sensitive institutional data and that are lost, stolen, have been subject to unauthorized access, or otherwise compromised must be reported to the Information Security Office within 24 hours.
- Device Inspection
  - In the event of an incident, law enforcement, prosecutors, and/or Ohio University's legal representation may ask a court to issue a subpoena, search warrant, or court order as applicable to compel an employee to turn over a personally-owned device that has been used to conduct Ohio University business for forensic examination.
  - Any access to a personally owned device will be carried out in accordance with legal or law enforcement requirements.
- Response to Document Requests and Production
  - Records or data maintained by the University, University employees or agents may be the subject of document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders, etc.). University employees, agents and affiliates must produce these records or data (or the devices on which they are stored) upon request of the University.
  - Be aware that in the event of a legal investigation personally owned devices may be seized by the authorities.
Definitions
Device – the computing device used to perform work as an employee or agent of Ohio University. This includes computers, laptops, smartphones, tablets, media players, and removable media such as USB flash drives, external disk drives, DVDs, or any optical storage media that can be readily transferred from one electronic device to another.
OHIO-owned – any asset such as a device as described above that was purchased by Ohio University, utilizing Ohio University funding (including funding from grants), and as such is the property of Ohio University.
Personally owned devices – computing devices purchased and owned by an individual, rather than by the institution. Such devices include personal computers, laptops, smartphones, tablets, media players, and removable media such as USB flash drives, external disk drives, DVDs, or any optical storage media that can be readily transferred from one electronic device to another. This also includes devices for which Ohio University provides a partial subsidy or stipend.
University employees or agents – those individuals that are employed by the institution such as faculty, staff, student employees, graduate assistants, contract employees, volunteers or other individuals that are acting in a capacity that creates a relationship where that individual has the authority to act or work on behalf of Ohio University.
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete the Exception Request Form.
Governance
This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology - Ed Carter (Chair)
- Human Resources - Michael Courtney
- Faculty - Hans Kruse
- Senior Associate Dean - Brian McCarthy
- Finance and Administration - Julie Allison
- Faculty - Shawn Ostermann
- Regional Higher Education - Larry Tumblin
- Enterprise Risk Management & Insurance - Larry Wines
- Office of Audit, Risk, and Compliance - Joshua Gonzalez
- Faculty - Bruce Tong
History
Draft versions of this policy were circulated for review and approved on November 15, 2024.