School of Medicine: Policy on the Use of Computing Devices

Introduction

Purpose

The purpose of this policy is to define minimum security controls for devices in use at the University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University") School of Medicine. Individual departments/units may apply stricter controls to protect information and devices in their areas of responsibility. The policy applies to each School of Medicine Constituent for any covered device under their control, including personal devices (“Bring Your Own Device” - “BYOD”).

Personal mobile devices (e.g. laptops, tablets, smart phones, etc.) present challenges to UNC-Chapel Hill’s control and may introduce threats to the University network, data, and other computing devices, especially when the constituent is off-campus where UNC-Chapel Hill network security controls are not in place. These threats may lead to malware infections, system compromise, loss or theft of University sensitive data, and reputational harm to the institution.

The specific IT resources and applications accessed by personal mobile devices should be governed by the Constituent’s department, with assistance from School of Medicine IT.

Scope of Applicability

This policy applies to all School of Medicine Constituents who use either University-issued or personally-owned (BYOD) computing devices to access UNC-Chapel Hill IT resources, data, and applications. This includes laptop/desktop computers, tablets, and smart phones.

Policy

Policy Statement

School of Medicine Constituents who use personal mobile devices to access UNC-Chapel Hill IT resources and applications must do so in accordance with this policy, as well as related University policies and standards.

School of Medicine Constituents may be required to enroll their personal mobile devices in a Mobile Device Management (MDM) solution in order to access certain IT services or applications. MDM program requirements will be outlined in a separate standard that will be incorporated into this policy by reference when completed.

The below tables list the required controls for both University-issued and personal devices (BYOD).

Device Security Controls

Control Category                                                     | University-Issued                                        | Personal/BYOD
---------------------------------------------------------------------|----------------------------------------------------------|---------------------------------------------------------------------------------------------
Encryption (including external storage devices)                      | Required                                                 | Required for S.I., otherwise highly recommended (see Information Security Controls Standard)
Password                                                             | Required (see Information Security Controls Standard)    | Required (see Information Security Controls Standard)
Approved Device Management (e.g. Active Directory/SCCM)              | Required                                                 | Highly Recommended
Mobile Device Management (e.g. JAMF, InTune, etc.)                   | Recommended but not yet fully supported for all device types | Recommended but not yet fully supported for all device types
Operating System (OS) Supported by Manufacturer                      | Required                                                 | Required
Secure Disposal                                                      | Required (see Information Security Controls Standard)    | Required (see Information Security Controls Standard)
Malware Protection/Anti-Virus                                        | Required                                                 | May Be Required (see Information Security Controls Standard)
Screen-Lock                                                          | Required (see Information Security Controls Standard)    | Required (see Information Security Controls Standard)
Least Privilege Rights (e.g. normal user account vs admin account)   | Required                                                 | Recommended
General Controls/Guidance

Control Category                                      | University-Issued                                                                            | Personal/BYOD
------------------------------------------------------|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------
Approved Data Storage                                 | UNC-Chapel Hill Microsoft 365 storage (Teams, OneDrive, SharePoint) & Network file share     | UNC-Chapel Hill Microsoft 365 storage (Teams, OneDrive, SharePoint) & Network file share
Domestic Collaboration                                | Sanctioned Solution & contracts in place                                                    | Sanctioned Solution & contracts in place
International Collaboration                           | Export Controls Guidance                                                                     | Export Controls Guidance
Report Malware Infections?                            | May Be Required (see Information Security Incident Management Standard)                      | May Be Required (see Information Security Incident Management Standard)
Off-site User Agreement                               | Off-Campus Use Agreement and Authorization                                                   | N/A
Loss/Theft                                            | Internal Audit Policy; if S.I., see Information Security Incident Management Standard        | If S.I., see Information Security Incident Management Standard
Subject to State Laws, Data Retention, and eDiscovery? | Yes                                                                                          | Yes
Use of External Storage Devices                       | UNC-Chapel Hill issued/supported devices are recommended (see Information Security Controls Standard) | UNC-Chapel Hill issued/supported devices are recommended (see Information Security Controls Standard)
Hardware Supported by UNC-Chapel Hill?                | Yes                                                                                          | Depends on manufacturer and specific model (mobile phones are not supported)
Software Supported by UNC-Chapel Hill?                | Yes, if sanctioned/obtained from UNC-Chapel Hill                                             | Yes, if sanctioned/obtained from UNC-Chapel Hill
Enterprise Data Backup                                | Must use approved solution (UNC-Chapel Hill Microsoft 365, etc.) (see Information Security Controls Standard) | Must use approved solution (UNC-Chapel Hill Microsoft 365, etc.) (see Information Security Controls Standard)

Exceptions

The heterogeneous nature of the School of Medicine computing environment is such that in many cases a specific business unit will have unique technology requirements, and will use compensating controls to achieve appropriate security risk management. This exception process is intended to provide for the unit and School of Medicine IT to work collaboratively to document appropriate security controls for challenging environments. When a unit requests a control exception, and provides good background information and justifications, an open communication process can result in a well-documented exception.

Process

Exceptions may be submitted for approval to the School of Medicine Chief Information Security Officer (CISO) or delegate via an IT service ticket. Exceptions may be requested on a device-by-device basis, or with a single request covering multiple identical devices with the same basis for exception ("Exemplars"), or with a single request covering a system of devices which use the same set of compensating controls.

Exception review must include consideration of:

  • Compensating controls in place;
  • Impact on organizational mission;
  • Any recommendations from campus resources related to a specific vulnerability or specific system's remediation;
  • Technical obstacles to remediation, operational obstacles to remediation; and
  • Any other environment-specific information provided in the request.

Generally, cost to remediate must be prohibitive to the department if used as justification for the exception request. The appropriate data steward must provide approval of the request in order for an exception to be considered.

During review of the exception request by the School of Medicine CISO or delegate, remediation timelines would likely be extended, depending on risk to the University and at the discretion of the School of Medicine CISO. Any such extension must be authorized in writing.

If an exception is not granted, the department may appeal the denial to the School of Medicine Chief Information Officer (CIO), who may request involvement of the affected Department Head. If the result of non-remediation would be removal of the system from the network or other high-impact action, the School of Medicine CISO must seek approval of the School of Medicine CIO to take such action.

The exception process for this policy is required in addition to any exception processes related to applicable University policies.

Definitions

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

eDiscovery: The process of extracting and analyzing electronic information for civil litigation purposes.

Encryption: The process of using an algorithm to transform information to make it unreadable for unauthorized users. Examples are BitLocker, FileVault2, etc.

Operating System: The system software that manages computer hardware, software and provides common services for computer programs.

Password/Pass-Phrase: A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.

Personal mobile device: A constituent-owned portable computing device, i.e. laptop, tablet, smart phone, etc.

PIN: A typically numeric code used to authenticate to a hardware component.

Sensitive Information (S.I.): Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

School of Medicine Constituent: UNC-Chapel Hill School of Medicine faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

Compliance

Failure to comply with this policy may put University information and assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill. Violation of this policy may also carry the risk of civil or criminal penalties.

Unit Policies, Standards, and Procedures

Contact Information

Policy Contacts

Subject            | Contact               | Telephone     | Online
-------------------|-----------------------|---------------|----------------------
Standard Questions | School of Medicine IT | 919-962-HELP  | School of Medicine IT
Report a Violation | School of Medicine IT | 919-962-HELP  | School of Medicine IT

History

  • Effective date and title of approver:
    • Effective Date: 5/11/2020
    • Approver: School of Medicine Chief Information Officer

Details

Article ID: 132349
Created: Thu 4/8/21 9:29 PM
Modified: Mon 1/9/23 12:02 PM
Effective Date: 01/09/2023 12:00 AM
Issuing Officer:
Issuing Officer Title: Associate Dean for Information Technology and Chief Information Officer
Last Review: 01/09/2023 12:00 AM
Last Revised: 01/09/2023 12:00 AM
Next Review: 01/31/2024 12:00 AM
Origination: 05/19/2020 10:48 AM
Responsible Unit: School of Medicine