Bring Your Own Device Policy
| Applies to: | Original Policy Date: | Date of Last Review: | Approved By: |
|---|---|---|---|
|
University staff, faculty visiting faculty, students, alumni, contractors, volunteers, guests or agents of the administration, and external individuals and organizations accessing network services |
January 1, 2018 |
March 2024 |
Ryan Petersen |
Purpose
This Bring Your Own Device (BYOD) policy defines the appropriate use and procedures for using personally owned computing devices on the University network and the storage of intellectual property, sensitive data or University licensed software.
Scope
This policy applies to University staff, faculty, visiting faculty, students, contractors, volunteers, guests or agents of the administration, and external individuals and organizations that utilize the network and/or computing resources provided by the University for University related activities with a personally owned device such as:
- Portable computers; e.g., desktops, laptops, notebooks, netbooks
- Portable storage media; e.g., USB storage devices, flash memory cards, Blu-Ray/DVD ROM, external hard drives
- Mobile devices; e.g., smartphones, tablet computers, wearables
- Internet of Things; e.g., camera security devices, door access control, HVAC devices, power devices, streaming devices, monitoring devices, Arduino, and Raspberry Pi.
- In some cases, these restrictions may be lifted by other official policies pertaining to certain staff, systems, or processes.
Additionally, this policy applies to all requests to service faculty or staff personal computer equipment.
Statement
- Enable password, pin/passcode, or biometric (facial recognition or fingerprint) protection on any device containing University data. Destroy, remove, or return all data, electronic or otherwise, belonging to the University, once their relationship ends or once they are no longer the owner or primary user of the device. (e.g., the sale or transfer of the device to another person)
- Remove or return all software application licenses belonging to the University when the device is no longer used for University business.
- Notify the Office of Information Technology of any theft or loss of the personal device containing data or software application licenses belonging to the University.
- At no time may the personal device be connected to the secure University networks without prior authorization.
- Personally owned devices must never be used as a University server or networking device.
- Devices that are Jailbroken, Rooted, or have been subject to any other method of changing built-in protections must not be used to access University resources and data.
- Florida Tech Personal Identifiable Information (PII), sensitive information, or Florida Tech proprietary information must not be stored on personally-owned devices.
The Office of Information Technology does not provide support for devices not owned by the University.
The Chief Information Officer must approve exceptions to this policy.
The Information Technology Department will not install university-owned software on personal devices unless the software license allows installation on personal devices.
Procedures/Guidelines
Devices and Support
All devices connected to the University network are required to adhere to the University’s Acceptable Use Policy. Devices must be current on all software updates and security software. Users are also required to follow the Digital Millennium Copyright Act (DMCA). Information Technology may, without notification, prevent or ban any personally owned device which disrupts any University computing resource or is used in a manner that violates any University policy.
Risk, Liabilities, and Disclaimers
Those who use personally owned computing devices on the university network or for university business purposes accept the following risks, liabilities, and disclaimers:
- The University does not accept liability for the maintenance, backup, or loss of data on a personal device and data. The device owner is responsible for backing up all software and data to an appropriate backup system before requesting assistance from the Information Technology department.
- The University does not accept liability for the security of personal devices when accessing the networks.
- No user should expect a guarantee of privacy in communications over the internet and the University’s network.
Doesn’t make sense with the above “The Technology Support Center does not provide support for faculty or staff equipment that is not owned by the University. “
Definitions
| Term | Definition |
|---|---|
| Personal Identifiable Information (PII) |
The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge; often referred to as a key or password. |
| Sensitive Data |
Any classified information that can be used to identify you or another person that must be protected and is inaccessible to outside parties unless specifically granted permission. Examples include, but are not limited to: social security numbers, medical records, bank account numbers, credit card numbers, University administrative computer data (employee records, student records, electronic documents that contain confidential information), Tracks account passwords, PAWSpins, and research data. |
| Jailbroken and rooted device | Jailbreaking or rooting means removing software restrictions that are intentionally put in place by the device manufacturer. |
Responsibilities
Participants are responsible for protecting any and all sensitive data for which user has access. When working with restrictive or sensitive data, especially data that contains PII or PHI, it is the responsibility of everyone who can access the data to keep files within secure storage at all times.
Enforcement
Violators of this policy will be subject to disciplinary action based on the severity of the offense and impact to the university, up to and including termination of employment. All participants who are found to have violated this policy may be subject to the loss of network and computing access.