91ֱ��

Purpose

The purpose of this policy is to establish information security standards for the use of Mobile Devices to access 91ֱ�� of Maryland Global Campus ("UMGC" or "91ֱ��") Information Technology Resources.

Scope and Applicability

This policy applies to all 91ֱ�� Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Mobile Device

The 91ֱ�� will identify and implement appropriate Mobile Device technologies and processes for the security of 91ֱ�� Information Technology Resources and Data.

1. Mobile Device Configuration
   1. All UMGC-owned Mobile Devices will be configured and managed by the 91ֱ��.
   2. UMGC Users who wish to use a Personal Mobile Device to access 91ֱ�� Information Resources must comply with the following security standard:
      1. Submit a request to the UMGC Service Desk for approval to use Personal Mobile Device to access, store, or process 91ֱ�� Data. Approvals must be obtained from the applicable 91ֱ�� supervisor.
2. Personal Mobile Devices must have software installed (Mobile Device Management (MDM) that allows the 91ֱ�� to remotely manage the device to adhere to 91ֱ�� policies and USM IT Standards. If a User suspects that their Personal Mobile Device has been compromised (e.g., hacked), the User must cease all 91ֱ�� related activity immediately on that device and notify the service desk.
3. Users must comply with the UMGC X-1.11 Remote Access Policy to minimize the risk of Data transmissions between a mobile device and organizational resources being logged, intercepted, or changed.
4. Reporting a Lost or Stolen Mobile Device
   1. The theft or loss of a Mobile Device or suspected breach of 91ֱ�� Data must be immediately reported to a Supervisor, and to the UMGC Service Desk.
   2. Report the Mobile Device theft and details of the incident to the Police.
5. Disposing of a Mobile Device
   1. UMGC- owned Mobile Devices: Return the UMGC-owned mobile device to the 91ֱ�� for disposal.
   2. Personal Mobile Devices: Prior to disposing of a Personal Mobile Device, 91ֱ�� Data should only be backed up onto another 91ֱ�� system (e.g., 91ֱ�� assigned laptop, 91ֱ�� cloud service provider). 91ֱ�� Data must not be stored on personal external storage devices or personal cloud storage.
6. Support for Personal Mobile Devices is limited to configuration of security settings and connectivity to resources. The User assumes all responsibility for the Personal Mobile Device including maintenance, connectivity, and data plans.

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the 91ֱ�� with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the 91ֱ�� who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020.
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021

1. UMGC X-1.02 Data Classification
2. UMGC X-1.04 Information Security
3. UMGC X-1.05 Information Security Awareness and Training
4. UMGC X-1.11 Remote Access
5. UMGC X-1.12 Acceptable Use