Bring Your Own Device (BYOD) Policy
Overview
Bring your own device (BYOD) is the act of using a personal computing device (computer, tablet, phone, etc.) for work- or business-related activities. Eastern Illinois University (EIU) does not require employees to use self-purchased devices for business operations. Employees who wish to use personal devices must abide by the policy outlined below. EIU is not responsible for the purchase or costs associated with the use of personally owned devices. In response to an increase in personally owned devices being used in the work environment, EIU has established an official Bring Your Own Device (BYOD) policy.
Purpose
This policy applies to employees, faculty, student workers, and any other user who utilizes the network or computing resources provided by EIU for business-related usage via a personally owned device such as:
- Computers: Desktops and Laptops
- Portable storage media: USB storage devices, flash memory cards, CD/DVD ROM
- Mobile devices: Mobile smartphones, tablet computers
Policies
EIU allows staff and faculty to purchase and use their own smartphones, tablets, laptops, or other mobile devices of their choosing to perform work-related duties while on campus or at home for their convenience. EIU reserves the right to revoke this allowance if employees do not adhere to the policies and procedures outlined below.
This policy is intended to protect the confidentiality, integrity, and availability of EIU’s internal or sensitive data and its technology infrastructure. EIU’s data classification guidelines provide more information on what constitutes internal, confidential, and public data.
EIU Data Classification: https://www.eiu.edu/panthertech/policies_classification.php
EIU reserves the right, by request and upon an approved security evaluation, to provide limited exceptions to this policy to grant variations in devices and platforms.
No matter the device in use, all EIU students, faculty and staff must abide by EIU’s Acceptable Use Policy.
EIU Acceptable Use Policy: https://castle.eiu.edu/auditing/129.php
Security Requirements
- Information classified as Confidential or restricted by any laws or regulations should not reside on the personal device.
- Classification: https://www.eiu.edu/panthertech/policies_classification.php
- EIU ITS encourages the use of Microsoft OneDrive as a cloud storage and file sync service that is secure, supported, and encrypted for use with internal and confidential data. EIU email, along with any personal email, is discouraged for use in sending and receiving internal and confidential data.
- All mobile devices such as laptops, tablets, smartphones (iOS/Android), or USB-connected drives and devices used to view, process, or store EIU internal or confidential data must be encrypted.
- Most modern smartphones are encrypted by default, but many laptops are not. EIU Information Technology Services (ITS) recommends Microsoft BitLocker for Windows and macOS FileVault for Mac and Apple computers and devices. Please check https://www.eiu.edu/panthertech/pcinfo.php for the latest information.
- All mobile devices used to view or process internal or confidential EIU data must have the ability to be remotely wiped in case of loss, theft, or EIU ITS detecting a data breach and exfiltration of EIU internal or confidential data.
- To prevent unauthorized access, all devices must be password protected using the device’s features; a strong password is required to access the EIU business network.
- The computer should lock itself with a password or PIN if it is idle for 15 minutes or more; 2 minutes or more in the case of a mobile device.
- All due diligence must be used to separate personal use from work use on the same device or across devices. One of the best ways to accomplish this is to create and use a separate user account for work purposes only. If a separate account cannot be created for work use, then maintain separate web browsers for work and personal use. Do not sync a personal web browser account with a work account or devices.
- To protect against attacks and vulnerabilities, all BYOD devices should have developer-supported operating systems with all security patches installed. Please check https://www.eiu.edu/panthertech/pcinfo.php for the latest requirements.
- To protect against malware and attack vectors, all devices should have anti-malware software installed. Please check https://www.eiu.edu/panthertech/pcinfo.php for the latest requirements.
User Responsibilities
As a user of EIU resources, you have the following responsibilities:
- You are responsible for all traffic originating from your networked devices.
- You are responsible for abiding by all applicable laws set forth by federal, state, and local governments.
- You are responsible for protecting your privacy.
- You are responsible for not violating the privacy of others.
Devices and Support
Technical Support for personally owned devices is limited to the following:
- Troubleshooting network connection issues while on the campus network.
- Troubleshooting and installation of approved EIU software resources.
- Configuration of email clients for connection to the Panthermail (Outlook) system.
- Configuration of the SSL VPN client to allow approved access to secure resources.
- Providing software application support if the software is required to perform job functions as determined by the EIU ITS department.
- Users must notify EIU if a device is acting strangely or is infected with malware.
Technical Support will not be provided for services including, but not limited to, the following:
- Troubleshooting device performance or hardware problems.
- Installation of new or replacement hardware.
- Troubleshooting software applications or cloud services not supported by EIU business functions.
- Installing operating system updates, patches or software applications not required for EIU job functions.
- Backing up device data or migration to another device.
- Third party email clients or accounts.
Risks and Disclaimers
EIU employees who elect to participate in BYOD accept the following risks, liabilities, and disclaimers:
- Lost or stolen devices containing EIU data may be wiped. While EIU will take precautions to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, photos, music, etc.
- At no time does EIU accept liability for the maintenance, backup, or loss of data on a personal device.
- EIU ITS provides limited security for wireless access and at no time does the university accept any liability for the security of BYOD devices when accessing the wireless network.
- EIU may elect to discontinue providing computing resources to the BYOD devices at any time.
- EIU reserves the right to block individual devices from accessing the EIU wired or wireless networks if they are deemed a security risk.
- Any BYOD devices that perform EIU business functions are subject to search and review because of Freedom of Information Act requests or litigation that involves the university. Litigation includes warrants, subpoenas, and other legal requirements.
- No employee or student worker should expect a guarantee of privacy in communications over the internet or the EIU network.
- Violations of this policy may be discovered by routine maintenance and monitoring of EIU’s electronic communication systems and network, any method stated in this BYOD Policy, or pursuant to any legal means. All employees and student workers consent to EIU ITS monitoring, accessing, investigating, preserving, using and/or disclosing any electronic communications that utilize EIU’s networks in any way, including data, voicemail, telephone logs, Internet use, network traffic, etc., to the extent permitted by law. EIU reserves the right to review, retain or release personal and EIU-related data on personal computing devices to any government agencies or third parties during an investigation or litigation.
- Lost or stolen devices used to view or process internal or confidential EIU data must be reported to EIU ITS within 24 hours by contacting the IT Security Officer at (217) 581-1939, Executive Director for ITS at (217) 581-1942 or EIU ITS Help Desk at (217) 581-HELP. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
EIU Information Technology Security Incident Reporting Policy: https://www.eiu.edu/panthertech/policies_incident.php
Reimbursement
Computer technology purchased for personal use will not be reimbursed by the University. This includes all hardware, software, licenses, internet connectivity, and technology services, including repair or technical support services purchased with personal funds, regardless of intended use.
Compliance
Violations of this policy will be subject to disciplinary action based on the nature of the offense, including - but not limited to - loss of network and computing access and other actions university administration deems appropriate to avoid security-related incidents and unnecessary exposure risks.
Last Date Reviewed: 06/13/2024