Skip to main content

User-Managed Device Policy

Description

This policy is to outline management processes for devices that are not fully managed by PVFA or Technology Services but benefit the research or teaching missions of the college.

Implementation

When a device is identified as needing a shared device management plan, a ticket will be generated in TeamDynamix to coordinate with the customer and track progress. The ticket will have the PVFA Shared Device task template applied to it. The task template will outline the steps to be completed in order.

Procedure

  • Create an object in Sassafras for the information resource.

  • Send the PVFA – UMDP Initiate message template to the end user to determine if a UMDP is necessary.

    • If a UMDP is necessary, continue to next step.

    • If a UMDP is not necessary, continue to step 8.

  • Create a copy of the User-Managed Device Plan and have the customer complete steps 1-9

  • Complete a User-Managed Risk Assessment and attach it to the ticket.

    • Risk will be determined using data classification, compliance, network access, and human factors.

  • Add comments to the UMDP.

    • Include compensating controls and best practices that should be followed to mitigate risks.

  • Attach UMDP, risk assessment, data classification calculation, and any relevant documentation provided by the customer to the ticket and assign to the Technology Services – PVFA Associate Director for review and approval.

  • Send approved UMDP to customer for review and signature.

  • Attach all documentation to the Sassafras object (the Documents section) and close the ticket.

  1. Create an object in Sassafras for the information resource.

  2. Send the PVFA – UMDP Initiate message template to the end user to determine if a UMDP is necessary.

    1. If a UMDP is necessary, continue to next step.
    2. If a UMDP is necessary, continue to step 8.

  3. Create a copy of the User-Managed Device Plan and have the customer complete steps 1-9

  4. Complete a User-Managed Risk Assessment and attach it to the ticket.

    1. Risk will be determined using data classification, compliance, network access, and human factors.

  5. Add comments to the UMDP.

    1. Include compensating controls and best practices that should be followed to mitigate risks.

  6. Attach UMDP, risk assessment, data classification calculation, and any relevant documentation provided by the customer to the ticket and assign to the Technology Services – PVFA Associate Director for review and approval.

  7. Send approved UMDP to customer for review and signature.

  8. Attach all documentation to the Sassafras object (the Documents section) and close the ticket.

Monitoring & Risk Assessment

info

Device owners are responsible for ensuring that information resources are compliant with all applicable security controls or documented compensating controls. Technology Services will conduct continuous monitoring and periodic risk assessments to determine if these requirements are being met.

Monitoring

To ensure that user-managed devices are not introducing unacceptable risk to university systems, data, or operations, Technology Services reserves the right to perform network-based monitoring and vulnerability scanning on all university owned devices connected to institutional networks.

Devices found to present significant security risks may be temporarily isolated from the network until the issue is resolved.

Risk Assessment

Formal risk assessments will be conducted annually, or when significant changes occur with the information resource. Assessments will evaluate data sensitivity, access controls, and adherence to applicable controls. Results will be documented and any remediations will be implemented as required.