School of Medicine: Policy on the Use of Computing Devices
Introduction
Purpose
The purpose of this policy is to define minimum security controls for devices in use at the University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University") School of Medicine. Individual departments/units may apply stricter controls to protect information and devices in their areas of responsibility. The policy applies to each School of Medicine Constituent for any covered device under their control, including personal devices ("Bring Your Own Device" or "BYOD").
Personal mobile devices (e.g. laptops, tablets, smart phones, etc.) present challenges to UNC-Chapel Hill's control and may introduce threats to the University network, data, and other computing devices, especially when the constituent is off-campus where UNC-Chapel Hill network security controls are not in place. These threats may lead to malware infections, system hacking, loss or theft of University sensitive data, and reputational harm to the institution.
The specific IT resources and applications accessed by personal mobile devices should be governed by the Constituent’s department, with assistance from School of Medicine IT.
Scope of Applicability
This policy applies to all School of Medicine Constituents who use either University-issued or personally-owned (BYOD) computing devices to access UNC-Chapel Hill IT resources, data, and applications. This includes laptop/desktop computers, tablets, and smart phones.
Policy
Policy Statement
School of Medicine Constituents who use personal mobile devices to access UNC-Chapel Hill IT resources and applications must do so in accordance with this policy, as well as related University policies and standards.
School of Medicine Constituents may be required to enroll their personal mobile devices in a Mobile Device Management (MDM) solution in order to access certain IT services or applications. MDM program requirements will be outlined in a separate standard that will be incorporated into this policy by reference when completed.
The tables below list the required controls for both University-issued and personal devices (BYOD).
Exceptions
The heterogeneous nature of the School of Medicine computing environment is such that in many cases a specific business unit will have unique technology requirements, and will use compensating controls to achieve appropriate security risk management. This exception process is intended to provide for the unit and School of Medicine IT to work collaboratively to document appropriate security controls for challenging environments. When a unit requests a control exception, and provides good background information and justifications, an open communication process can result in a well-documented exception.
Process
Exceptions may be submitted for approval to the School of Medicine Chief Information Security Officer (CISO) or delegate via an IT service ticket. Exceptions may be requested on a device-by-device basis, or with a single request covering multiple identical devices with the same basis for exception ("Exemplars"), or with a single request covering a system of devices which use the same set of compensating controls.
Exception review must include consideration of:
- Compensating controls in place;
- Impact on organizational mission;
- Any recommendations from campus resources related to a specific vulnerability or specific system's remediation;
- Technical obstacles to remediation, operational obstacles to remediation; and
- Any other environment-specific information provided in the request.
Generally, cost to remediate must be prohibitive to the department if used as justification for the exception request. The appropriate data steward must provide approval of the request in order for an exception to be considered.
During review of the exception request by the School of Medicine CISO or delegate, remediation timelines would likely be extended, depending on risk to the University and at the discretion of the School of Medicine CISO. Any such extension must be authorized in writing.
If an exception is not granted, the department may appeal the denial to the School of Medicine Chief Information Officer (CIO), who may request involvement of the affected Department Head. If the result of non-remediation would be removal of the system from the network or other high-impact action, the School of Medicine CISO must seek approval of the School of Medicine CIO to take such action.
The exception process for this policy is required in addition to any exception processes related to applicable University policies.
Definitions
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
eDiscovery: The process of extracting and analyzing electronic information for civil litigation purposes.
Encryption: The process of using an algorithm to transform information to make it unreadable for unauthorized users. Examples are BitLocker, FileVault2, etc.
Operating System: The system software that manages computer hardware, software and provides common services for computer programs.
Password/Pass-Phrase: A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.
Personal mobile device: A constituent-owned portable computing device, e.g. laptop, tablet, smart phone, etc.
PIN: A typically numeric code used to authenticate to a hardware component.
Sensitive Information (S.I.): Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
School of Medicine Constituent: UNC-Chapel Hill School of Medicine faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.
Related Requirements
External Regulations and Consequences
Compliance
Failure to comply with this policy may put University information and assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill. Violation of this policy may also carry the risk of civil or criminal penalties.
History
- Effective date and title of approver:
- Effective Date: 5/11/2020
- Approver: School of Medicine Chief Information Officer