The following guidelines are recommended for phones that will be storing a Caltech password vault:
- Phone must be encrypted
- Phone must have the ability to be wiped remotely
- In the event a phone is lost or stolen, a remote wipe must be initiated within 24 hours from when loss/theft was detected.
- The event must be reported to Information Security at firstname.lastname@example.org
- Phone must be fully patched/updated, such that it is consistent with the spirit of the IMSS Safe Computing Policy
- Password repository vault must be opened via a sufficiently complex password or biometrics (thumb scan, face scan, etc.)
- If biometrics are not used to unlock the phone, a password of at least 8 characters should be used
- A password repository vault, if stored on the phone, must have its own encryption that is separate from the phone encryption.
- Phone must be securely wiped prior to e-wasting or transfer of ownership.

If you need an exception to any of the policies in this document, submit an exception request to your director.

There are 2 password keeper vault scenarios:
- Vault is not stored locally and the phone connects remotely to a vault stored in a remote location
  - In this scenario, there isn't much of a concern if the phone is lost or stolen since the phone does not contain a copy of the password vault.
  - A loss of a phone that does not contain a copy of the password vault will not trigger an IMSS mass password change event.
- A copy of the vault is stored locally on the phone and synched with a vault that is stored in a remote location.
  - If the phone and repository meet all the requirements listed above, a loss of a phone will not trigger an IMSS mass password change event.
  - However, a remote wipe must be initiated within 24 hours from when loss/theft was detected.