1.0 Policy Purpose
The use of desktops, laptops, mobile, and other Endpoint Devices (hereafter referred to as Endpoint Devices) are integral to a modern working environment. Many Endpoint Devices are increasingly mobile, which significantly increases the risk to the security of Brown University data both contained on and accessed by these devices. This policy addresses that risk by establishing the responsibilities of both Users and the Office of Information Technology (OIT) to maintain the security of University data that is stored, accessed, or transmitted via Endpoint Devices.
2.0 To Whom the Policy Applies
This policy applies to all members of the Brown community who have authorization to access University data (i.e., Users); and to any Endpoint Device, whether personally or Brown-owned, that is used to store, access, or transmit University data.
3.0 Policy Statement
- Best practices of security and access management
- Partnership and awareness of community needs
- Stewardship of University resources and data
- High standards of professionalism and conduct to be able to manage machines
All members of the community who use an Endpoint Device to access University data are responsible for securing such devices, regardless of ownership, against data compromise according to this policy. Security standards for devices can be found at Security Standards for Desktop, Laptop, Mobile and Other Endpoint Devices.
All software installed on Brown-owned Endpoint Devices must be suitably licensed for use. Installation or use of any software in violation of its license, or of pirated software, is not allowed.
All Brown-owned Endpoint Devices must be properly enrolled in an OIT approved IT Security and Device Management System, where technically possible.
Employees may choose to use personally owned devices for University business. However, employees do so entirely at their own expense with no reimbursement from the University, and should have no expectation of support from Brown personnel for such devices.
In compliance with the terms of the Electronic Information Access Policy, Brown reserves the right to access and review any Brown-owned Endpoint Device, without advance notice.
Brown will comply with applicable law and applicable Brown policies before accessing, reviewing, using or disclosing any content, activity or data that is stored on a Brown-owned Endpoint Device, but users must be mindful of this limited expectation of privacy in any information or activity conducted, sent, performed or viewed on or with any Brown-owned Endpoint Device.
If an employee uses a personal Endpoint Device to conduct Brown business, the employee must provide a copy of the Electronic Information that relates to Brown if requested for the purposes of an investigation, or in accordance with a Litigation Hold.
Any exceptions to this policy must be approved by Brown’s Director of Information Technology Security or their designee.
For the purpose of this policy, the terms below have the following definitions:
- Endpoint Device(s):
Any device, regardless of ownership, that has been used to store, access, or transmit University data, not classified as a Server. These devices are intended to be accessed directly by individuals and include, but are not limited to desktops, laptops, mobile phones, and tablets.
Electronically Stored Information and digital formats.
- IT Security and Device Management System:
One or more device management services available at Brown, administered by OIT or by departments or centers with OIT approval. These services depend on a software utility installed on a Brown-owned Endpoint Device, to provide remote status information, ensure baseline system configuration, and monitor or manage software updates in a consistent and automated fashion. These systems are limited in use and subject to oversight as defined in the Electronic Information Access Policy.
A computer program or device that provides functionality to other clients. In the context of this policy, clients would be Endpoint Devices. Servers provide dedicated functionality and are normally managed by professional information technology (IT) practitioners.
A faculty member, student, staff member, consultant, vendor, contractor, or any other person who has authorized access to Brown University data.
All individuals to whom this policy applies are responsible for becoming familiar with and following this
policy. University supervisors and employees with student oversight duties are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure and enforce compliance with it.
User Responsibilities: When using an Endpoint Device, whether personally or Brown-owned, to access University data or resources, all Users must be aware of, agree to, and adhere to the following:
- Comply with the Brown University Acceptable Use Policy.
- Meet the minimum security standards for Desktop, Laptop, Mobile and Other Endpoint Devices.
- Comply with the requirements described in the Brown University Litigation Hold Policy.
- Report a known or suspected compromise of any Endpoint Device, that may contain University data or has stored credentials providing access to University data, to the Information Security Group (ISG) immediately.
- Report theft or loss of any Endpoint Device that may contain University data or has stored credentials providing access to University data, to Brown’s Department of Public Safety and ISG immediately.
- Delete all University data from all personally owned devices upon termination of employment or relationship with Brown University.
In addition, if using a Brown-owned device, the User must be aware of, agree to, and adhere to the following:
- Follow Brown’s procurement policies for Brown-owned Computers and Cellular Devices.
- Only allow authorized individuals to use Brown-owned Endpoint Devices; Brown-owned Endpoint Devices may only be used by those individuals with a legitimate business need and may only be used by individuals authorized to access University data.
- When a Brown-owned Endpoint Device reaches its end of useful life and will no longer be used, work with ITSC/DCC to ensure that all devices get securely wiped and disposed of, especially those devices storing Brown University data as specified in the Electronic Equipment Disposition Policy and the companion document, Data Removal Recommendations.
- Not use the Brown-owned Endpoint Device for political purposes or for personal economic gain.
OIT Responsibilities: OIT shall publish and maintain up-to-date minimum security standards for Endpoint Devices and shall assist Users in understanding those requirements.
6.0 Consequences for Violating this Policy
Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures; or for non-employees may result in the suspension or revocation of the User’s relationship with Brown.
7.0 Related Information
Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).
The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.
7.1 Related Policies:
7.2 Related Procedures:
7.3 Related Forms: