Effective: 08/08/2022
Last Revised: 11/18/2022
Responsible University Administrator: Assistant Vice President, IT Security Services
Responsible University Office: Information Technology Services
Standard Contact: IT Security Services, security@nebraska.edu
ITS-19: Security of Personally Owned Devices Standard
Standard Contents
- Purpose
- Scope
- Standard Statement
- Security of Personally Owned Devices
4.1 Use of Personally Owned Devices
4.2 Audit of Personally Owned Devices
- Procedures
- Compliance
- Related Information
- Approvals and Revision History
1. Purpose
The purpose of the Security for Personally Owned Devices Standard is to define the organization’s requirements for enforcing effective security measures to protect University data and information systems when accessed, processed, transmitted, or stored on personally owned endpoints and systems. When conducting University activities, it may at times be necessary for University users to access, process, transmit, or store institutional data on personally owned devices. This Standard serves as a statement of objectives for the protection of institutional and research data as defined in Executive Memorandum 42. When institutional data is accessed, transmitted, processed, or stored on personally owned devices, users are required to meet their shared obligation and responsibility to secure data by properly self-managing the privacy and security settings on their personally owned device.
2. Scope
This Standard shall apply to all University of Nebraska System (“University”) personnel. All users (employees, students, contractors, vendors, or others) of Information Systems are responsible for adhering to this Standard.
3. Standard Statement
It is the intention of this Standard to establish best practices pertaining to the use of personally owned endpoints and systems when accessing University information systems and data. Deviations from the requirements defined herein in the form of exceptions must be approved in advance and in writing by the Chief Information Security Officer (“CISO”) as defined in ITS Policy Exception Standard. The following subsections outline the Security for Personally Owned Devices Standard.
4. Security of Personally Owned Devices
4.1 Use of Personally Owned Devices
4.1.1 Personally Owned Device Security
University personnel are encouraged to maintain safe and secure personal devices with up-to-date software and appropriate security protections to safeguard personal data. University personnel who engage in University business with a non-university device must follow the Policies, Executive Memoranda, Standards, and guidance provided by the University, as well as comply with appropriate safeguards required by state and federal regulations.
Publicly Accessible Medium Risk Information Systems
University personnel may access University information systems that contain medium risk data from a personal device if the system hosting the data is publicly accessible outside of University-managed networks. Medium risk data may not be stored on a personal device that does not meet the appropriate minimum security requirements as defined in the Configuration Management Standard and associated Procedures.
University Executive Memorandum 42 requires specific authorization for storing medium risk institutional data on personally owned devices. The exception process to request such allowance must be approved in advance and in writing by the CISO as defined in ITS Policy Exception Standard.
Publicly accessible University Information Systems that contain medium risk data and may be accessed using personal devices include but are not limited to:
- Firefly
- MyBlue, MyRed, MyNCTA, & MavLink
- Learning Management System (Canvas)
- eSignature System
- University email
- Multi-factor Authentication (Duo)
Network Restricted Medium Risk Information Systems
University personnel who access institutional or research data from a University information system that contains medium risk data, and is not publicly accessible, must meet the appropriate minimum security requirements for accessing medium risk systems as defined in the Configuration Management Standard and associated Procedures. The minimum security requirements for personally owned devices, also known as BYOD (Bring Your Own Device), will be publicly available on the University website.
University Executive Memorandum 42 requires specific authorization for storing medium risk institutional data on personally owned devices. The exception process to request such allowance must be approved in advance and in writing by the CISO as defined in ITS Policy Exception Standard.
High Risk Data
University Executive Memorandum 42 requires specific authorization for accessing or storing high risk institutional data on personally owned devices. The exception process to request such allowance must be approved in advance and in writing by the CISO as defined in ITS Policy Exception Standard. Exceptions will not be allowed for the storage of high risk data on non-University-owned systems, cloud services, or removable storage devices like USB drives, SD cards, or similar portable drives and devices without documented security controls via the exception process.
4.1.2 Data Return and Deletion
Personnel shall return and delete institutional data maintained on personally owned devices upon request from the University or when their role, employment, or access status changes such that they are no longer an authorized user of the data.
4.1.3 Incident Reporting
Personally owned devices that store medium or high risk institutional data that are lost, stolen, have been subject to unauthorized access, or otherwise compromised must be reported within 24 hours as defined in the Incident Response Standard.
4.2 Audit of Personally Owned Devices
4.2.1 Device Inspection
In the course of an incident investigation, the University reserves the right to inspect a personally owned device that stores medium or high risk institutional data. Any access to a personally owned device will be carried out in accordance with Executive Memorandum 16, as well as follow other relevant University protocols, and legal or law enforcement requirements.
4.2.2 Response to Document Requests and Production
Records or data maintained by the University or University users may be the subject of document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders, etc.). University users must produce these records or data (or the devices on which they are stored) upon request of the University.
5. Procedures
Procedures specific to this Standard are to be documented and maintained by the individual service owners throughout the University system.
6. Compliance
Compliance Measurement
The University of Nebraska IT Security Services team will verify compliance with this Standard through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the Standard owner.
Exceptions
Any exception to the Standard must be documented and formally approved by the CISO. Standard exceptions must describe:
- The nature of the exception
- A reasonable explanation for why the Standard exception is required
- Any risks created by the Standard exception
- Risk mitigation plan and duration of the exception
- Evidence of approval following established Exception Standard
Non-Compliance
Failure to comply with University IT standards may result in sanctions relating to the individual's use of IT resources or other appropriate sanctions according to policies applicable to University faculty and staff or student conduct.
7. Related Information
The following is a listing of related Policies, Executive Memoranda, Standards, Controls, and Procedures.
- NIST 800-53
- NIST 800-171
- NU Executive Memorandum 16
- NU Executive Memorandum 26
- NU Executive Memorandum 41
- NU Executive Memorandum 42
- University-Wide Policies & Guidelines - /offices-policies/policies
- ITS-00 Information Technology Definitions and Roles
- ITS Knowledge Base -
8. Approvals and Revision History
Approval of this Standard:
- Authored by: Richard Haugerud, IT CISO (11/18/2022)
- Approved by: Bret Blackman, IT CIO (11/18/2022)
Revision history of this Standard:
- Version 1.0 - 08/08/2022 - Initial Standard Published
- Version 1.1 - 11/18/2022 - Clarified language in section 4
- Version 1.2 - 01/19/2023 - Added Multi-factor Authentication (Duo) to list of services in Publicly Accessible Medium Risk Information Systems in section 4.1.1