This policy will be reviewed by: 1
This policy establishes guidelines for procurement, possession and appropriate use of College-owned Mobile Communications Devices (MCD). It also establishes guidelines for approval of an employee's use of a MCD. This policy is designed to reduce unnecessary MCD costs to the College and to help ensure the confidentiality of College information.
MCDs are provided to improve customer service and to enhance business efficiencies. MCDs are not a personal benefit and shall not be a primary mode of communication, unless they are the most cost-effective means to conduct College business. Possessing an MCD is a privilege and all employees are expected to use them responsibly. Misuse of the College MCD may result in its revocation and possible disciplinary action against the employee.
Data Security Committee - A committee comprised of the College's Personal Information Security Officers, the Vice President and General Counsel, the Director of Student Financial Services, the Associate Vice President for Human Resources and the Controller whose role is to identify and assess internal and external risks to the security, confidentiality, and integrity of sensitive paper and electronic records which contain Personal Information.
Department Head - The director/manager of the department in which the employee works, or that individual's designee. When this is ambiguous, the appropriate College Vice President is to be consulted for clarification.
Encryption - Encryption is the conversion of electronic data into a code which cannot be read by anyone except authorized parties.
Essential personal calls - These are defined as personal calls of minimal duration and frequency that are essential to allowing the employee to continue working and cannot be made at another time or from a different telephone. Examples of essential personal calls are calls to arrange for unscheduled or immediate care of a dependent or a family emergency, to alert others of an unexpected delay due to a change in work or travel schedule.
Mobile Communications Device - An MCD is a mobile phone, or smartphone, with PC-like functionality having features like email and internet browsing. Examples include: iOS, Android, and Windows Mobile. For purposes of this policy, the MCDs considered in scope are limited to iOS, Android, and Windows phones.
Personal Information – As defined under Massachusetts General Law Chapter 93H, an individual's first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver's license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident's financial account. For the purposes of this Policy, Personal Information is deemed to include education records as defined under FERPA.
Sensitive Information – Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain employee and student privacy.
This policy affects faculty and staff who are authorized to use an MCD and associated wireless services for College business and who receive a College-provided MCD. This policy also governs MCDs acquired via grants and contracts awarded in Babson College's name. It is effective as of January 1, 2015.
Policy Content and Guidelines:
In general, Babson College will own MCDs or carry MCD contracts for permanent assignment to individual employees in limited cases as specified below.
The College may provide MCDs to the following employees:
- President and members of the President's Cabinet
- Associate/Assistant Deans, Associate Vice President for Facilities Management and Planning, and Associate Vice President for Human Resources
- Crisis Management Team members
- Director of Public Safety or other critical safety personnel who are on call 24/7 as determined by the Department Head.
- Director of Campus Life, Facilities Services, ITSD and critical employees who are on call 24/7 within these units as determined by the Department Head.
Mobile Communications Device Provision Justification
- Justification for an MCD is determined by considering (but not limited to) the following criteria:
- Safety requirements dictate that having mobile/remote communication capabilities is an integral part of performing job duties.
- More than 50% of work is conducted away from the employee's work station and the employee is required to be contacted on a regular basis.
- Employee is on-call outside of normal work hours.
- Senior officer or other critical decision maker.
- Employee monitors and administers mission critical information systems during non-business hours.
- The job requires the employee to be immediately accessible to receive and/or make frequent business calls outside of working hours.
- Other special circumstances approved at the President's Cabinet level.
Department Head Responsibilities
The Department Head is responsible for submitting the Mobile Communications Device Request/Justification Form to the IT Service Center (ITSC). All MCDs will be distributed through the ITSC. No MCD will be dispensed without having the required MCD Request/Justification Form on file.
The ITSC will provide advice on the most appropriate MCD equipment; will determine appropriate plans; and will maintain overall responsibility for the distribution and billing for all MCDs. The Department/Division Head (or designee) is responsible for reviewing the monthly billing charges for MCDs provided within the Telecommunications monthly billing report and ensuring that overages, as a result of personal use, are paid by the employee. A detailed breakdown of billing charges is available from the ITSC upon request. If an employee is terminated, resigns, transfers or for any reason is no longer eligible for an MCD, the Department/Division Head (or designee) will return the MCD to the ITSC. When applicable, the ITSC may transfer the MCD to another employee within the Department/Division or to a new employee hired within ninety (90) days.
The ITSC also will determine whether the MCD should contain Encryption technology or other safeguards that allow for destruction of Personal Information or Sensitive Information if an MCD is lost or stolen.
Employees must comply with state and municipal laws regarding the use of mobile devices while driving and prevent MCD use that jeopardizes employee safety. The College does not condone any use of a wireless MCD while driving.
MCD voice transmissions are not secure. Employees must use discretion in relaying sensitive and/or personal Babson College business related information over an MCD. Because MCDs may store Personal Information, the Mobile Communications Device Request Form must also provide departmental authorization for such activity. No Personal Information shall be stored on an MCD without the prior written approval of the Data Security Committee. Employees who are granted authorization to store Personal Information on an MCD must bring the MCD (if already distributed) to the ITSC for a security screening.
Use of MCDs for Personal Calls: Babson College provides MCDs to employees primarily for the purpose of conducting College business. However, with the recent updates to IRS regulations, the use of College owned and issued equipment to make or receive occasional, personal calls is allowed under reasonable circumstances and in the event of an emergency. Employees must realize that although personal calls made within the domestic calling region and under the usage limits provided by the employee's plan do not result in additional charges, they do count toward the overall time limits established under the service agreement for all College employees. It is expected that the plan chosen will provide adequate coverage for all normal business needs and for any overage. Long distance or other charges realized by the employee for personal calls shall be the responsibility of the employee. Employees may arrange for recurring payroll deductions to cover personal calls.
Assumption of Liability
From and after the effective date of this policy, employees who are eligible for a College owned and issued MCD will not be allowed to transfer their personal phone number to the College plan while employed at Babson.
MCD Data Plans: Data plans for MCDs are provided for the purpose of conducting College business. Although personal use of data plans may not result in additional charges, it may count toward the overall limits established under a service agreement. It is expected that the plan chosen will provide adequate data coverage for all normal business needs and any overage or other added charges realized by the employee for personal use shall be the responsibility of the employee.
International Calls and Travel: Employees needing international voice and data services should contact the ITSC at x4357 or firstname.lastname@example.org at least two weeks in advance of any such requirement. Where possible, international voice and data services will be activated only for the duration of the travel period and will be deactivated at the end of the travel period. Wi-Fi networks should be used whenever possible and cellular voice/data plans reserved for special needs while traveling and when Wi-Fi is not available. International MCD voice and data coverage is not guaranteed, and it is the responsibility of the employee to determine if there is voice and data coverage in the countries that will be visited. All calls made and received, regardless of duration, and all text/media messages sent and received are charged at an additional roaming rate when traveling internationally, and the cost is the responsibility of the employee's Department/Division. Data usage may be charged additional fees when roaming internationally, the cost of which is the responsibility of the employee's Department/Division. Note: The employee is responsible for notifying the ITSC when travel is complete so that any additional/unnecessary international services may be suspended.
Other Costs: Employees are responsible for the costs associated with applications (apps) and media not originally included with a device. Departments may have need for additional applications beyond what is provided with basic service plans, but these costs will be billed separately.
The ITSC will not provide ongoing troubleshooting services for those employees who elect to purchase devices which have not been recommended. The College will not assume liability for any operating issues that result from loading College applications onto personal MCDs with the employee's authorization.
Lost or Stolen
Employees utilizing MCDs are required to notify Public Safety at 781-239-5555 immediately upon the loss or theft of their device. Public Safety will take appropriate action to ensure the confidentiality of College data, to the extent technically feasible. If theft is suspected, employees must promptly file a police report and cooperate with law enforcement that Personal Information and Sensitive Information is preserved.
Mobile Devices and Data Security
MCDs pose special risks to data security because they are highly portable and easily lost or stolen. In order to mitigate those risks, the College requires the following features/restrictions for College-owned MCDs:
Power-on password: A password will be required to turn on the device from an off state and from a timeout state. The password must be at least four characters in length and will be preconfigured at the ITSC when the device is delivered to the user. It is forbidden to use the same password that is used for any Babson account.
Security timeout: The device will go into a locked state after 1 minute of inactivity or when the device is locked manually. The power-on password will be required to return the device to its active state.
Failed login attempts: The device will allow 10 failed attempts to log into the device. Immediately following the 10th failed login attempt, all data will be wiped clean from the device.
Failure to comply with this policy regarding the use of MCDs may result in disciplinary action to include termination of MCD privileges and collection of any fees associated with the violation of this policy.
The following person may be approached on a routine basis in relation to this policy:
Director, IT Support Services