IT0102-HSC-C Personally Owned Device Security

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To provide computer security standards for the appropriate use and procedures for using personally owned devices connected to the University of Tennessee Health Science Center (UTHSC) network and the storage of intellectual property, sensitive data, or university-licensed software.

Scope

This practice applies to every person accessing the UTHSC enterprise.

Definitions

Personal Device – any device that is not purchased or owned by UTHSC.

UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University-owned or managed information technology services, including cloud-based services, that users have access to.

Responsibilities

Data Owner is ultimately responsible for the data and information being collected and maintained by his or her department or division, usually a member of senior management.  They assign data classification based on the data’s potential impact level and determines if data access is allowed.

Information Technology Services (ITS) is responsible for the deployment of the technical controls to manage personal devices on the UTHSC network.

Office of Cybersecurity is responsible for establishing security controls and procedures to protect UTHSC intellectual property and data. Categorization of data is per IT0005-HSC-A-Data & System Categorization. The security of the data is based on IT0311-HSC-D-Data Security.

Owner of personal devices must abide by this practice and all University standards and practices while using their personal device on the UTHSC network.

System Owner is responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system.

UTHSC Chancellor/Executive Leadership defines the allowance for the use of personal devices on the UTHSC network.

Standard

  1. Those using personal devices on the UTHSC network must:
    1. Not store data with a level 2 or above categorization on those devices.
    2. Not access data with a level 2 or above categorization on those devices unless they have agreed to the security controls deemed appropriate by the Office of Cybersecurity and approved by the Data Owner.
    3. Not store the authoritative version of UTHSC data or information.
    4. Destroy, remove, or return all data, electronic or otherwise belonging to UTHSC once their relationship with UTHSC ends or once they are no longer the owner or primary user of the device. (e.g., the sale or transfer of the device to another person).
    5. Remove or return all software application licenses belonging to UTHSC when the device is no longer used for UTHSC business.
    6. Notify the Office of Cybersecurity of any theft or loss of the personal device containing data or software application licenses belonging to UTHSC.
    7. Not connect the personal device the UTHSC network without prior authorization.
    8. Successfully authenticate to the UTHSC network using approved credentials including, but not limited to UT-NetID, eduroam, UT-LDAP, or UTAD.
    9. Keep the device current on security patches and updates and allow UTHSC mobile device management tools to be installed and maintained.
  2. Network Access:
    1. Network services provided to personal devices are limited to Internet access and University computing resources that are available to the public. Personal devices requiring additional network access to conduct UTHSC business must meet security requirements for UTHSC-managed computers, dictated in IT0102-HSC-B-Device Life Cycle Security.
  3. Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the computer and/or disciplinary action per GP-001.04-Information Security Violations for the individual violating the policy.
  4. Exceptions to this Standard should be requested using the process outlined in IT0003-HSC-A.03-Security Exceptions and Exemptions to ITS Standards Practices & Controls.
    1. If an exception is allowed and personal devices, encryption of these devices must be adhered to according to IT0311-HSC-E-Encryption and IT0311-HSC-E.01-Encryption for Mobile Computing and Storage Devices.

Policy History

Version #
Effective Date
1
03/26/2016
2
12/03/2020
3
05/12/2022
4
01/25/2023
5
03/01/2025 – new naming convention

References

  1. IT0003-HSC-A-UTHSC Information Security Program
  2. IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls
  3. IT0003-HSC-A.03–Information Security Violations
  4. IT0005-HSC-A-Data & System Categorization
  5. IT0102-HSC-B-Device Life Cycle Security
  6. IT0311-HSC-D-Data Security
  7. IT0311-HSC-E-Encryption
  8. IT0311-HSC-E.01-Encryption for Mobile Computing and Storage Devices