7.1.7 Enterprise Mobility Management
A. Purpose
To provide the requirements and guidelines for information security practices at the University.
B. Persons Affected
All individuals (employees, faculty, students, alumni, agents, consultants, contractors, volunteers, vendors, temporary workers, etc.) with access to University of Texas Health Science Center at Tyler (the "University") Information Resources and all information that is created, acquired, transmitted, stored, printed or processed by a computer system, or device connected to the University's network or telecommunications hardware.
C. Definitions
D. Policy
The University's Enterprise Mobility Management Program (Program) is applicable to all individuals who elect to create or access University data on a personal smart phone or other device that results in storage of University data on the device. This policy outlines the means by which the University will protect the confidentiality, availability and integrity of data relating to all stakeholders involved with patient care, research, administration and education at the University.
Under the EMM Program, applications will be installed on a smart phone or other device (device) that is subject to the Program if the device stores any University data. This will enable the University Information Technology and Information Security departments to access:
- The device and network ID, and information on storage capacity, operating system, carrier, and firmware of the device (to identify the device if it's lost or stolen).
- Applications installed as part of the Program, but not any personal apps installed on the device.
- Add/remove accounts (to set up Email and Calendars if the user opts in).
- Add/remove restrictions (to establish minimum device management best practices such as requiring a device passcode and auto lock).
- Remotely erase University data residing on the device if the device owner leaves employment with the University, loses access privileges to University data, or the device is lost or stolen.
- Information about jailbreak or root detection to determine if any University-required security features are or become disabled.
For each device, the University will collect and store the following:
- Name of Owner
- UDID (Unique Device Identifier)
- Wi-Fi MAC address
- Phone number
- Cellular technology
- Cellular network ID
- Model
- Time of enrollment in the Program and the time of access to the services by the device.
For each device, the University will not access or collect any other information concerning the device or the device's owner, including, but not limited to:
- Non-University Program Application Data
- Voicemails
- Call history or directories
- Texts or text directories or histories
- Other personal data including photos, music, browser histories
- The device owner's location or location history.
The Program will not be used for any reason other than to maintain the security of University data that is stored on the device. Specifically, University officers, employees and agents may not use or authorize the use of any application installed as part of the Program for e-discovery, litigation purposes, inventory or investigative searches related to the device owner's employment, or collection of information responsive to a Texas Public Information request. In the event the University receives a subpoena, search warrant or request from a law enforcement agency, including University police, to access data on a device through the Program, the request or warrant will be forwarded by the recipient to the Office of Legal Affairs for handling and response. The Program will be conducted in accordance with all applicable federal and state privacy laws and University policies.
Any event that results in theft, loss, unauthorized use, unauthorized disclosure, unauthorized modification, unauthorized destruction, or degraded or denied services of Information Resources constitutes a breach of security and confidentiality. Violations may include, but are not limited to, any act that:
- Exposes the University to actual or potential monetary loss through the compromise of Information Resources security.
- Involves the disclosure of sensitive or confidential information or the unauthorized use of University data or resources.
- Involves the use of University Information Resources for personal gain or for unethical, harmful, or illicit purposes.
Violation of this policy may result in disciplinary action, up to and including termination for employees and temporaries, a termination of vendor relations in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University Information Resources access privileges and to civil and criminal prosecution.
E. References
Texas Administrative Code Title 1, Part 10, Chapter 202, Information Security standards
UTS165 Information Resources Use and Security Policy
Health Information Portability and Accountability Act (HIPAA)
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023