Responsible Office: Office of Cybersecurity |
Last Review: 03/01/2025 Next Review: 03/01/2027 |
Contact: Chris Madeksho |
Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
To provide computer security standards for the appropriate use and procedures for using personally owned devices connected to the University of Tennessee Health Science Center (UTHSC) network and the storage of intellectual property, sensitive data, or university-licensed software.
Scope
This practice applies to every person accessing the UTHSC enterprise.
Definitions
Personal Device – any device that is not purchased or owned by UTHSC.
UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University-owned or managed information technology services, including cloud-based services, that users have access to.
Responsibilities
Data Owner is ultimately responsible for the data and information being collected and maintained by his or her department or division, usually a member of senior management. They assign data classification based on the data’s potential impact level and determines if data access is allowed.
Information Technology Services (ITS) is responsible for the deployment of the technical controls to manage personal devices on the UTHSC network.
Office of Cybersecurity is responsible for establishing security controls and procedures to protect UTHSC intellectual property and data. Categorization of data is per IT0005-HSC-A-Data & System Categorization. The security of the data is based on IT0311-HSC-D-Data Security.
Owner of personal devices must abide by this practice and all University standards and practices while using their personal device on the UTHSC network.
System Owner is responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system.
UTHSC Chancellor/Executive Leadership defines the allowance for the use of personal devices on the UTHSC network.
Standard
- Those using personal devices on the UTHSC network must:
- Not store data with a level 2 or above categorization on those devices.
- Not access data with a level 2 or above categorization on those devices unless they have agreed to the security controls deemed appropriate by the Office of Cybersecurity and approved by the Data Owner.
- Not store the authoritative version of UTHSC data or information.
- Destroy, remove, or return all data, electronic or otherwise belonging to UTHSC once their relationship with UTHSC ends or once they are no longer the owner or primary user of the device. (e.g., the sale or transfer of the device to another person).
- Remove or return all software application licenses belonging to UTHSC when the device is no longer used for UTHSC business.
- Notify the Office of Cybersecurity of any theft or loss of the personal device containing data or software application licenses belonging to UTHSC.
- Not connect the personal device the UTHSC network without prior authorization.
- Successfully authenticate to the UTHSC network using approved credentials including, but not limited to UT-NetID, eduroam, UT-LDAP, or UTAD.
- Keep the device current on security patches and updates and allow UTHSC mobile device management tools to be installed and maintained.
- Network Access:
- Network services provided to personal devices are limited to Internet access and University computing resources that are available to the public. Personal devices requiring additional network access to conduct UTHSC business must meet security requirements for UTHSC-managed computers, dictated in IT0102-HSC-B-Device Life Cycle Security.
- Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the computer and/or disciplinary action per GP-001.04-Information Security Violations for the individual violating the policy.
- Exceptions to this Standard should be requested using the process outlined in IT0003-HSC-A.03-Security Exceptions and Exemptions to ITS Standards Practices & Controls.
- If an exception is allowed and personal devices, encryption of these devices must be adhered to according to IT0311-HSC-E-Encryption and IT0311-HSC-E.01-Encryption for Mobile Computing and Storage Devices.
Policy History
Version # | Effective Date |
1 | 03/26/2016 |
2 | 12/03/2020 |
3 | 05/12/2022 |
4 | 01/25/2023 |
5 | 03/01/2025 – new naming convention |
References
- IT0003-HSC-A-UTHSC Information Security Program
- IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls
- IT0003-HSC-A.03–Information Security Violations
- IT0005-HSC-A-Data & System Categorization
- IT0102-HSC-B-Device Life Cycle Security
- IT0311-HSC-D-Data Security
- IT0311-HSC-E-Encryption
- IT0311-HSC-E.01-Encryption for Mobile Computing and Storage Devices
IT0102-HSC-C Personally Owned Device Security
Version: 5 // Effective: 03/20/2016
Downloadable PDF
Related Procedures:
IT0003-HSC-A UTHSC Information Security Program
IT0102-HSC-B Device Life Cycle Security
IT0005-HSC-A Data & System Classification
IT0311-HSC-E Encryption
IT0311-HSC-E.01 – Encryption for Mobile Computing and Storage Devices
IT0003-HSC-A.02 – Security Exceptions and Exemptions to ITS Standards Practices & Controls
IT0003-HSC-A.03 – Information Security Violations