At UW Green Bay, the data we handle daily is classified into three categories: high risk, moderate risk, and low risk. Regardless of the classification, all data must be protected, and the highest level of protection is provided on university-owned and managed computers. Our antivirus and other security software are supported by UW System Security.
For more information on data classification, please refer to the following link: UW System Data Risk Classifications
As another layer of security, employees are required to sign in to university-owned devices with their university login credentials. We also have a group policy setting to ensure that computers automatically lock after a period of inactivity. In contrast, personal computers can be customized to remain unlocked indefinitely or even lack password protection.
Additionally, the requirement for unattended endpoints to lock after 15 minutes can be found here: UW System Endpoint Protection Standards
According to the definition of an IT asset on the following UW System Policy site, Definition of an IT Asset, “UW System data in any form, and the equipment used to manage, process, or store UW System data, that is used in the course of accomplishing UW System research and education” must be on university-owned and managed devices. Personal devices are not mentioned because all university data, regardless of its form, must reside on university-owned and managed devices.
As outlined in UW System Policy 1036, endpoint protection controls must be installed “on all UW System owned or leased endpoints, irrespective of funding source and where technically feasible, that store or process data used to accomplish University research, teaching, learning, operations, or administration.” More details can be found here: UW System Security Endpoint Protections.
Additional Concerns:
- If an audit reveals that HIPAA and other university data is stored on a personal computer, the UW System has the authority to audit the personal device.
- We do not have security on these personal devices, so if a personal device were lost or stolen, we would have no real confirmation of what level or type of data was on the computer.
- If there is a FOIA request targeting an employee, their personal device would be in scope, including all personal information on it.
- We cannot verify or ensure that data on personal devices is secure and compliant with UW System policies.
- Personal devices cannot access university resources such as printers, shared drives, and software, which are available on campus-owned and managed devices.