8.3.1 Prior Approval
Employees using personally-owned devices, software, and/or related components to access USG data will ensure such devices employ some sort of device access protection such as, but not limited to, passcode, facial recognition, card swipe, etc. Within the USO, this approval authority is delegated to the first vice chancellor or above in the employee’s chain of command in consultation with the USG vice chancellor and chief information officer (VC/CIO). Participant organizations will establish and document local policies consistent with this prior approval standard.
Participant organizations will establish consistent, documented, and repeatable processes that are consistent with this prior approval standard and can be considered auditable.
Employees using prior-approved personally-owned devices and related software shall make every attempt to keep these devices and related software protected.
Employees using prior-approved personally-owned devices and related software accessing sensitive data will, in addition to device access protection, ensure that the sensitive data is protected using data encryption or USG- provided mobile device management, or the equivalent.
Determination of equivalent measures is reserved to the USG Chief Information Security Officer (CISO), the information security officers (ISOs) of the participant organizations, and/or other delegated designees. Participant organizations will need to document evidence of compliance.
Passwords and/or other sensitive data will not be stored unencrypted on mobile devices.
Managers will implement a documented process by which employees acknowledge and confirm to have all USG-sensitive data permanently erased from their personally-owned devices once their use is no longer required, as defined in Section 8.2.
Employees agree to and accept that their access to USG networks may be monitored in order to identify unusual usage patterns or other suspicious activity. This monitoring is necessary in order to identify accounts/computers that may have been compromised by external parties.
Employees will immediately report to their managers any incident or suspected incidents of unauthorized data access, data or device loss, and/or disclosure of system or participant organization resources as it relates to personally-owned devices.
Managers will immediately report such incidents to the USG CISO or the participant organization ISO as appropriate.
8.3.3 USG Intellectual Property
The principal storage location of state-owned data is a state-owned or contracted resource.
Sensitive state-owned data may not be stored on external cloud-based personal accounts.
8.3.4 Device and Application Support
Personally-owned devices and software are not eligible for support from USG departments.
Employees will make no modifications to personally-owned hardware or software that circumvents established USG security protocols in a significant way; e.g., replacing or overriding the operating system or “jail-breaking.”