IT Policy Update – Bring Your Own Device (BYOD)

The following Bring Your Own Device (BYOD) policy and standard for employee-owned technology in use at the institution have been updated, approved by Cabinet, and issued:

IT.PO.410 – Bring Your Own Device (BYOD)

Purpose

The purpose of this policy is to empower Georgia Highlands College employees to utilize personal computing devices in order to work more effectively. Devices in scope of this policy must maintain a reasonable security configuration and be used responsibly in order to protect the confidentiality, integrity, and availability of institution systems, information technology resources, and data.

This policy (and associated standard) intends to balance the risks and benefits of personally-owned devices used for work by defining the basic safeguards that are necessary to prevent a security incident such as a data breach. Such an exposure could result in financial loss, reputational damage, irrevocable loss of data, and/or damage to critical applications. Therefore, all users employing a personally-owned device connected to an institution system or information technology resource must adhere to all applicable Georgia Highlands College policies and standards.

Scope

This policy applies to employees, vendors, and agents operating on behalf of Georgia Highlands College who use hardware and related software that is not owned by or licensed to the institution in order to access wired or wireless (Wi-Fi) networks, remote access virtual private network (VPN) services, or institution data. A device is defined in the context of this policy as any computing hardware or accessory capable of inputting, processing, storing, and/or outputting data.

Policy

All users within the scope of this policy must comply with the security requirements and restrictions as detailed in the IT Bring Your Own Device (BYOD) Standard.

This policy (and associated standard) is complementary to, and fully compliant with, the University System of Georgia BYOD Standard as specified in Section 8 of the USG IT Handbook. This policy and associated standard are also complementary to any previously implemented Georgia Highlands College policies and standards covering acceptable use, data access, data storage, data movement and processing, and connectivity of devices to any element of the enterprise network.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

IT.ST.410 – Bring Your Own Device (BYOD)

This document describes security requirements and restrictions applicable to employees, vendors, and agents operating on behalf of Georgia Highlands College (GHC) who use devices that are not owned by or licensed to Georgia Highlands College in order to access wired or wireless (Wi-Fi) networks, remote access virtual private network (VPN) services, or institution data.

Security Requirements and Restrictions for BYOD Devices

  • BYOD users operating personally-owned devices and/or software to access institution data will ensure those devices employ effective logical access protection in the form of a password, passcode, security card or hardware token, and/or biometric technology such as facial recognition or fingerprint scan.
  • Personally-owned devices must be capable of receiving software updates intended to mitigate security vulnerabilities. Devices that are ineligible for software updates, classified as ‘end-of-life’ by their manufacturer, or otherwise unsupported are not permitted to access institution systems, networks, services, or data.
  • BYOD users operating personally-owned devices shall make every reasonable effort to keep those devices up-to-date and free of malicious software (malware) and viruses.
  • BYOD users will make no modifications to personally-owned or non-college-owned hardware or software that circumvent established GHC security protocols in a significant way.
  • Georgia Highlands College account credentials may not be stored unencrypted on BYOD devices.
  • Personally-owned devices and related software that are used to access or store sensitive data require explicit, documented approval from a department head or division chair and Information Technology. Additionally, these devices will be considered in scope of the IT Encryption Policy and Standard.
  • Users agree to and accept that their access to institution networks may be monitored in order to identify unusual usage patterns or other suspicious activity. This monitoring is necessary in order to identify accounts/devices that may have been compromised.
  • Determination of any equivalent security measures or mitigation controls for personally-owned devices is reserved to the Vice President for Information Technology, Chief Technology Officer, and/or delegated designees.

Administration and Documentation

  • Department heads and division chairs, in consultation with Information Technology, are designated as approval authorities for the use of personally-owned devices at Georgia Highlands College. BYOD approvals must be documented and signed by an approval authority and the employee seeking to use a personally-owned device using the IT BYOD form. Completed forms should then be submitted to IT.
  • Approval authorities will implement a documented process by which employees acknowledge and confirm to have all GHC-sensitive data permanently erased from their personally-owned devices once their use is no longer required or authorized.
  • BYOD users will immediately report to their department head or division chair any incident or suspected incident of unauthorized data access, data or device loss, and/or suspicious activity from a personally-owned device. Department heads and division chairs should promptly report such incidents to the Information Security Officer, Director of Information Security and Network Services, or Chief Technology Officer.
  • Information Technology may remotely delete employee email accounts and associated data from a mobile device without prior notice on an employee’s last day of employment.

Intellectual Property

  • The principal storage location of institution-owned data is an institution-owned or contracted resource.
  • Institution-owned data may not be stored on external cloud-based personal accounts.

Device and Application Support

  • Devices and software not owned or operated by the institution are not eligible for support from Information Technology.