Accessing Email on Personal Devices

Employees are strongly encouraged not to sync their UCSB Google Connect email with their personal devices (phones, tablets, laptops, etc.). Instead, employees should access University email through the UCSB web interface. If email syncing to a personal device is necessary, the following security guidelines should be followed.

It is against University Policy to sync data or information protected by the Family Educational Rights and Privacy Act (FERPA) or the Health Insurance Portability and Accountability Act (HIPAA) to personal devices. If there is a chance that protected Personally Identifiable Information (PII) or Personal Health Information (PHI) data is included in email, then employees should access messages only via the web interface or via university-provided equipment.

Security of Personal Devices

There is a risk of data loss or unauthorized access when sensitive data or information is accessed or maintained on personal devices. Employees have an obligation and responsibility to secure data by properly managing the privacy and security settings on personal devices.

Keep in mind that personal devices are not just personal computers, laptops, smartphones, or tablets, but also media players and removable media such as USB flash drives, external disk drives, DVDs, or any optical storage media that can be readily transferred from one electronic device to another.

Device Security
Employees should maintain up-to-date, device-appropriate security safeguards and comply with the safeguards required by state and federal regulations. Questions about privacy regulations can be addressed to Jennifer Lofthus, Campus Privacy Official, or Sam Horowitz, Chief Information Security Officer.

  • Use a Strong Password – Create a strong, unique password or pass phrase (sequence of words, typically longer than a password) for each device and do not share it with others. Passwords are recommended to unlock smartphones and tablets, and PINs must be 6 digits or more. Passwords used to secure your devices should not be used for access to any services or web sites.
  • Physically Secure Devices – Portable devices should not be left unattended or given to others to use. Devices in offices or homes should be locked when they are unattended.
  • Manually Lock Device Screen – When a device is unattended, either turn it off or activate the screen lock that requires a password to resume activity.
  • Set Screensaver to Automatically Activate – Set the device’s screen to lock automatically after a maximum of 10 minutes of inactivity, and preferably less if the device supports it.
  • Set the Device to Wipe Local Memory After Too Many Failed Login Attempts – For devices that back up to the cloud, this will prevent data from being accessed through the device, while still allowing it to be restored later.
  • Review Privacy Settings – Configure device to limit applications’ access to location, contacts, and other personal information such as reminders, etc.
  • Apply Updates and Patches – Employees are responsible for applying all critical Operating System (OS), application, and browser security updates and for keeping them up to date as new security updates are released. Configure automatic updates wherever possible, and when patches have finished installing, follow any prompts to reboot the device to ensure proper functionality.
  • Install and Use Antivirus Software – There are many vendors with inexpensive or free options. Antivirus software is required for all Windows, Macintosh, and Android devices.
  • Enable Device Firewall – Most operating systems have built-in firewalls and enhanced security settings that can be turned on and configured.
  • Enable Device Encryption – Most Android and all Apple mobile devices are encrypted by default. Encryption must be enabled on Windows, Apple, and some Android devices. Device encryption generally has no noticeable impact on device performance. It has the ability to render the device unusable in the event it is lost or stolen.

Separate Personal and University Information
If University information is stored on a personal device, even if it is not sensitive, always keep it separate from your personal information and files as much as possible and securely delete information as soon as it is no longer needed.

Securely Erase all Devices once Use Ceases
Before personal devices are sold, transferred, returned, gifted, or disposed of, the device must be securely wiped. This will protect the information retained on the hard disk or the device from disclosure to and use by persons who are not authorized to have the information. Instructions for securely wiping a device are unique to each operating system. Please refer to the manufacturer’s instructions.

Incident Reporting
When personal devices that access or maintain sensitive university data or information are lost, stolen, have been subject to unauthorized access, or otherwise compromised:

These should be done as soon as possible after the discovery of the theft, loss, or unauthorized access.

The following resources provide more information on securing University information on personally owned devices:
UCSB Information Security
UCSB Cyber Security Check-Up for on- and off-campus devices