Securing Laptops and Mobile Devices
Overview
Because personal computing devices are becoming more and more portable (laptops, smart phones, USB thumb drives, even smart watches and other wearable devices), securing the sensitive information stored on those devices is more important than ever. Laws have also been passed that hold individuals personally and fiscally liable in the event of information disclosure. Because of this, Stanford now requires encryption for all devices used to connect to Stanford resources. IRT Security wants to help protect you from any accidental information disclosure; follow the security practices outlined below in order to use your mobile device(s) responsibly.
Apple Devices and Mobile Device Management (MDM)
If you have an iPhone, iPad or iPod Touch, there's an easy way to set up and maintain proper security practices on your device. Mobile Device Management (MDM) is free to install, and automatically configures your device to be optimized for the Stanford environment—from email settings to security settings.
For more information about the service, visit our MDM page.
- To install MDM: From a browser on the device itself, navigate to the MDM Installer to get started. At the question: "Will you use this device to access Restricted data?", answer YES.
- For Step-by-Step Installation Instructions: Visit "Installing a Profile" and follow either the video tutorial (requires Flash) or the written online instructions.
- To Manage Your MDM Devices: Visit the "My Devices" page (mdm.stanford.edu)
After installation, a number of settings will be changed, including the following, which you have more direct control over:
1. Passcode.
- Go to Settings > General > Passcode to turn on the Passcode Lock.
- We recommend you set it to require a passcode "Immediately" (after sleep) and turn on "Erase Data" (if an incorrect passcode is entered ten times in a row).
- To maximize security, turn off "Simple Passcode," allowing you to select a longer, alphanumeric passcode or passphrase.
2. Data Protection.
- This feature enhances the built-in hardware encryption for the device. If it's been turned on, at the bottom of the "Passcode Lock" screen (Settings > General > Passcode) you should see the words "Data Protection is Enabled."
- Data Protection is built in for devices that shipped with iOS 4 and later (iPhone 4, iPhone 3GS, 3rd generation or later iPod touch and all iPad models).
- To use Data Protection on devices that shipped with iOS 3, you must restore the device. Since restoring the device will erase all data, you'll need to back up all your information first. Instructions and more info at: http://support.apple.com/kb/HT4175
3. "Find My iPhone"
- "Find My iPhone," which is a part of iCloud, is a way to locate your missing iPhone, iPad or iPod Touch—you can make it ring, locate it on a map, and even remotely wipe the data. For detailed setup instructions, visit: http://www.apple.com/icloud/setup/
Apple Watch and Security
The Apple Watch is still a new device, and we are still exploring the security options and requirements. The watch is still dependent on an iPhone for use, so we do not yet require Apple Watch users to specifically declare the devices in the security attestation or install MDM. This will change with the release of iOS 9, which will allow the Watch to run apps natively.
At this time, faculty, staff and students may use the Apple Watch for Stanford work, provided that users take the following security configuration steps:
- Enable the "wrist detect" feature (this is on by default). This will ensure the screen locks automatically whenever the watch is off your wrist.
- Set a passcode.
- Set the watch to erase data after 10 incorrect passcodes, to protect data on lost or stolen devices.
Instructions for completing these steps can be found in the Apple Watch User Guide.
Additional Security:
- If your device is lost or stolen, you can erase the contents of the Apple Watch, though the erase action will only be completed if the Watch is within range of the paired iPhone.
- You can remove payment cards from a lost/stolen Apple Watch whether the device is in range or not; sign in to your account at iCloud.com, go to Settings > My Devices, choose the device, and click Remove All. You can also call the issuers of your cards.
- For more help, visit the user guide.
Android Devices and Mobile Device Management (MDM)
If you have an Android phone or tablet, it may be compatible with Stanford's Mobile Device Management (MDM) software. MDM requires Android OS 4.0 or later, and does not operate on the Kindle Fire. See if your Android device is MDM compatible.
MDM automatically configures your device to be optimized for the Stanford environment—from email settings to security settings.
For more information about the service, visit our MDM page.
- For Step-by-Step Installation Instructions: Different Android devices will require slightly different steps to complete the process. Visit "Android MDM Installation" for complete instructions and tutorials.
- To Manage Your MDM Devices: From either another machine or your Android device, visit the "My Devices" page (mdm.stanford.edu)
After installation, a number of settings will be changed, including the following, which you have more direct control over:
1. Passcode.
- Go to Settings > Password to change your passcode. Stanford requires a 4-digit passcode, though some manufacturers already require more than that.
- MDM will automatically set your phone to lock after a certain period of inactivity, and require a passcode to re-awaken it. You can change that length of time in Settings.
2. Encryption.
- This feature activates the built-in hardware encryption for the device. The MDM installer will automatically trigger the request for encryption. It's a good idea to start this process when your phone has a mostly full battery and is plugged in and charging—and when you're not going to use the device for at least an hour.
Stanford also recommends that you take these steps on your own to further secure your Android device:
1. Put your name and contact info on your device
- If your device has been lost, having a contact number or email address will increase the likelihood that you will retrieve it. You can either affix a physical label to the outside of the device, or else customise your lock screen to display contact information: Just go to Settings > Location and security and select Show Owner info on lock screen.
2. Turn off carrier backups
- Your carrier may have an automated "restore" function that is on by default. We recommend, however, that you turn off this function so you can manage your own backup and restore process. Otherwise, if you wipe the device remotely because it's been lost or stolen, the carrier can restore your info.
- To turn off automatic carrier backups, go to Settings > Accounts and sync and under Manage Accounts, uncheck the carrier sync. In the same section, make sure your Google sync is turned on.
3. Back up your device
- To ensure the safety and integrity of your data, follow these instructions to back up your Android device. Don't "root" your phone (that is, enable administrative access to its file system) because it could be compromised later by a third party. MDM will not work on a phone that has been "rooted."
4. Install a "lost phone" app
- MDM will allow you to remotely wipe your phone—but what if you just want to find it? Here are two popular solutions from the Google Play store:
- Lookout Mobile Security – This application comes bundled on many Android devices, and it offers both free and "premium" security features. Among the free features are: "Missing Device," which allows you to produce a sound on the phone and also physically locate the phone on the map; a security scan, for malware; and a basic data backup. The Premium upgrade will also allow you to freeze and lock the phone, and wipe the data and any SD cards.
- Plan B – This application describes itself as "the 'find my phone' app that you download AFTER you lose your phone." You can download this app to find a lost phone, even if you don't have Lookout Mobile Security installed.
Securing Mobile Devices: Best Practices
NOTE: According to the Minimum Security Standards, if you use your mobile phone, tablet, or portable storage device to store High, Medium, or Low-Risk Stanford data, you MUST install MDM and use a device capable of encryption.
If you DON'T use your mobile device for Stanford work, or for High/Moderate Risk data, it's still a good idea to protect it, for the sake of your own information.
If you have further questions about securing smartphones, tablets, and portable storage devices, consult Stanford's Information Security Office's guidelines on securing mobile computing devices. ISO's list of best practices for smartphones includes the following common-sense steps:
- Configure a passcode lock for access to your device, so only you can access your data, and set the device to lock when not in use. (And don't unlock it while it's plugged into a public charger: new research from Georgia Tech proves that an unlocked, charging iPhone is vulnerable to attack over USB.)
- Keep all software up to date, including the operating system and apps.
- Do not "jailbreak" or "root" your device; it removes the manufacturer's protection against malware.
(You can also consult the IRT Personal Computing page about mobile devices, which focuses mostly on smartphones and tablets, ranging from information about pricing and purchasing to application support.)
Securing Laptops
Require a Password
- Make sure your laptop (just like your desktop) is set to require a login and password when a user logs in.
- Set up your screen to lock with a screensaver (instructions for Mac and Windows here), and require a password to unlock the screen.
Encrypt Your Computer
- Laptops used for Stanford-related work must be encrypted, whether they are Stanford-owned or personally owned.
- You can find out more about the laws and policies behind this, and how to encrypt your laptop, here.
Backing Up
Making regular backups of your data ensures that your information will always be available when you need it. Laptops, which are subject to rough handling, have a higher likelihood of data loss. Additionally, if you use your computer to access any Stanford information, the new minimum security requirements state that you must back up your information at least once EVERY DAY.
If you use High or Moderate Risk (previously Prohibited or Restricted) Stanford information, your backups must be encrypted, so it's HIGHLY recommended that you use the CrashPlan centralized backup server—and for the School of Medicine, it's even free!
Keeping Watch
Since computers and computing devices are getting smaller and easier to lose (and steal!), you need to keep your eye on them. Exercise common sense: never leave your laptop or mobile device unattended in a coffee shop, airport waiting area, on a speaker's podium or in other public places. Don't leave a device in the car, even in the trunk. When you're traveling, carry on your laptop and other devices; don't check them.
Reporting a Lost or Stolen Device
Any employee who has lost, or had stolen, a device used for Stanford business is responsible for following all school procedures. This includes reporting the situation immediately to the Stanford University Privacy Office. Click here for the reporting procedure for a missing device.
QUESTIONS?
If you have any other questions, contact IRT Information Security Services by phone (650-725-8000), or by email: irt-security@lists.stanford.edu.