BYOD

What is BYOD?

BYOD stands for Bring Your Own Device, often referring to both laptops and portable computers, and to cell or smart phones and tablets that are not purchased, paid for, or owned by the university. BYOD means personally-owned, not university-owned devices.

Confidentiality, privacy, and the proper handling of data apply regardless of the device.

CWRU and University Technology ([U]Tech) policies apply to devices connected to the university networks and systems, and to systems and devices processing or storing university data.

[U]Tech policies and requirements are available for review at: 020sashuiche.com/utech/departments/information-security/policies

BYOD is often considered "risky" as the devices may or may not be kept up-to-date, may not be patched for security vulnerabilities, and if lost or stolen, could have information on them the university would want to know about (but has no way to check, verify, or control). As such, BYOD is often the subject of specific policy or other requirements or guidelines in use and security.

Many companies do not permit any BYOD at work and for work-related activities, and supply workers with their devices instead. Some companies may have limitations on BYOD, especially on networks or in sensitive areas or lines of work. Higher Education typically relies heavily upon BYOD for all or many students, and some faculty and staff, unless they happen to work with very sensitive or valuable data ("Restricted Data"). Students often bring and use their own laptops, tablets, cell phones, and other devices but the university also supplies library/computing labs or virtual computing resources for student use.

University-owned laptops and desktop computers are common for workers, but mobile devices are often personal (and some people have both a university-supplied phone and their own personal phone). Faculty, staff, and student workers are required to use only university-owned devices if storing or handling Restricted Data. Restricted Data should not be stored locally, but secured using Box or other secure storage instead. BYOD should not be used for Restricted Data.

University-owned devices should be used for university work. If BYOD is used for university work-related purposes, the devices should follow the same security-related advice and recommendations as university-owned devices, and if lost, stolen, or misplaced, the university must be alerted (via the help desk or directly through management or UTech offices) as soon as possible to the loss.

No. Jailbroken or rooted devices are considered high risk for compromise, malware, etc. and should not be used on CWRU networks and with any CWRU data.

Help for students and faculty/staff BYOD is limited, but call the UTech Service Desk at 216-368-HELP (4357) for support.

University-provided software may only be used while you’re affiliated with the university and university-supplied software is available on the [U]Tech Software Center. If the software is licensed for personal use, you may use it on personally-owned devices as long as you’re still actively associated with the university. Details per software may vary, so always check the documentation for that software on the Software Center or as provided with the license.

Generally, no. It is not recommended that university data be stored on personally-owned devices, but it also depends upon the data type. Restricted data may not be stored on personally-owned devices. Any university data on personally-owned devices must be protected with controls equivalent to controls on university-owned devices.

No. There is no university requirement to backup BYOD, but it is highly recommended that device owners keep current and secured backups in case of device loss.

Report any lost or stolen device to your cellular provider as soon as possible, and if using a find-my-phone service, activate it. If your device has any university data or access and accounts & passwords saved on it, report the loss as soon as possible to the [U]Tech Service Desk. Any CWRU account information and passphrase(s) should be changed immediately. If your device is used for Multi-Factor Authentication (DUO), it should be removed/disabled in DUO immediately.

All property and data belonging to the university must be returned to the university prior to departure. Any accounts, data, or other university-related data should be removed and deleted upon departure.