This message is to serve as a reminder of Indiana University’s mobile device security standard, otherwise known as IT Policy 12.1.
In summary, IT Policy 12.1 sets security requirements for all mobile devices used by faculty, staff, affiliates, or student-employees to access, store, or manipulate institutional data.
This policy applies to all IU employees (faculty, staff, affiliates and student-workers) who use a mobile device whether it is personally owned or university owned.
IT Policy 12.1 requires all employee mobile devices meet the following standards:
Safeguard
Handheld mobile device (i.e. smart phone, tablet, etc.)
Laptop / notebook computer
Passcode / passphrase
Minimum 4-character passcode using at least 2 unique characters, and auto-lock after a maximum of 15 minutes of inactivity.
Passphrase meeting IU requirements must be used when device boots, and auto-lock after a maximum of 15 minutes of unattended inactivity.
Intrusion prevention
Lockout or wipe after 10 incorrect attempts, or increasing delay after incorrect attempts.
Lockout after 25 incorrect attempts within 2 hrs.
Encryption
Recommended in all cases if supported by the device. Required for all intended use involving critical information.
Full disk.
Remote wiping
UIPO Incident Response or the Support Center will assist with remote wiping based on the circumstances of reported loss or theft.
Not Applicable
Devices that do not support encryption must not be used to access, store, or manipulate critical information.
Employees must notify it-incident@iu.edu if the device is lost, stolen or otherwise compromised. Additionally, the device must be wiped (i.e., factory reset) to ensure all data has been erased before transferring ownership (sales, trade-in, etc.).