
NITC 5-204: Linking a Personal Portable Computing Device to the State Email System

Category: Groupware Architecture
Applicability: Applies to all state government agencies, excluding higher education
History: Adopted on March 1, 2011. Amended on June 30, 2011 and December 10, 2013 (via amendments to NITC 8-101). Attachments A and B revised by the Technical Panel on February 14, 2012 and February 11, 2014.
Attachment A: Request to Link a Personal Portable Computing Device to the State Email System for Data Classified as "Managed Access Public" or "Public" (Attachment A: Request to Link a Personal Portable Computing Device to the State Email System for Data Classified as "Internal Use Only" or "Unclassified/Public" Adobe PDF Form, Attachment A: Request to Link a Personal Portable Computing Device to the State Email System for Data Classified as "Internal Use Only" or "Unclassified/Public" MS Word)
Attachment B: Request to Link a Personal Portable Computing Device to the State Email System for Data Classified as "Confidential" (Adobe PDF Form, MS Word)

1. Purpose

This standard sets out the requirements for connecting a personal Portable Computing Device ("PCD") to the State's email system. This standard does not apply to PCDs provided by the agency.

2. Standard

2.1 Procedures for Requesting Authority to Connect a Personal PCD to the State's Email System

2.1.1

Prior to connecting any personal PCD to the State's email system, a request must be submitted to the State Information Security Officer ("SISO") for review. Attachment A is the request form to be used for data classified as "Managed Access Public" or "Public" and Attachment B is the request form to be used for data classified as "Confidential". Completed forms should be emailed to the SISO at siso@nebraska.gov.

2.1.2

The SISO will review each request. The SISO will either approve or deny a request and communicate the decision to the requesting agency within 14 days.

2.2 Requirements

2.2.1 Only the Native Microsoft Exchange active-sync method will be used as the syncing method for devices accessing the State email system.

2.2.2 Password protection

Personal smart devices must use a device password for access to the device's functionality. During the process of configuring the device for syncing to the State's email system, the password protection setting will be automatically enabled on the device. Other security controls may be enabled by the State email system at any time.

2.2.3 Storage of confidential information

Appropriate safeguards must be utilized when processing or storing sensitive information. At no time shall confidential information received be transferred or stored in a system not meeting required safeguards for information control and storage.

2.2.4 Physical safeguards

Appropriate physical security measures should be taken to prevent theft of portable devices and media. Unattended portable computing devices and media must be physically secured.

2.2.5 Theft or Loss

2.2.5.1 Reporting

Theft or loss of portable computing devices assumed to contain sensitive information must be reported immediately to the Office of the CIO ("OCIO"). Please call the OCIO help desk at 402-471-4636 or 800-982-2468.

2.2.5.2 Remote data delete

All devices that are capable of native syncing to the State's email system support the remote data wipe feature. The user is required to take steps to safeguard data which should include initiating the remote wiping process in the case of theft or loss. Mobile email devices can be removed from email access or wiped using the "options/Mobile Devices" selection after logging into your Exchange email account using Outlook Web Access (OWA) at https://mail.nebraska.gov

2.2.6 Disposal, Removal of data and Reuse

Personal PCD users must follow the State Data Disposal and Reuse policy to properly remove data and software from the PCD before its disposal, and must follow any State and Agency policies that may be implemented. All State information contained on a device must be removed on request by the Agency Director or State Information Security Officer. Section 4.5 of NITC 8-101 identifies base requirements for disposal and re-use. The removal of confidential information must be validated. The device may be "wiped" or cleared of all information remotely by the State without recourse and without compensation for personal data loss or the loss of service availability (including but not limited to the loss of personal contacts, music, messages, information and configuration).

2.2.7 Support

Personal device use is not supported by the OCIO. No State system will be reconfigured in order to make a particular device work and there is no guarantee that a specific device will or will not work with the current system configuration. There is no obligation on the part of the State or Agency to support any personal device.

2.2.8 Liability

The owner of the PCD is potentially liable for all criminal and civil penalties due to loss, theft or misuse of the confidential information accessed and stored on the personal device. The owner of the PCD may also be held liable for cost incurred by the State due to loss, theft, or misuse of confidential information accessed and stored on the personal device.

2.2.9 Encryption

All reasonable attempts must be made to encrypt all confidential information stored on the device. Encryption must be enabled for primary and secondary storage of confidential data if the device includes that functionality.

2.2.10

All information must be protected to the extent required based on applicable State and Federal laws and regulations, and agency policies.

2.2.11

No "jail broken" devices or devices modified beyond the manufacturer's expectations will be used to process or store sensitive information.

3. Definitions

Portable Computing Device (PCD): includes but is not limited to notebook computers; tablet PCs; handheld devices such as Portable Digital Assistants (PDAs), Palm Pilots, Microsoft Pocket PCs, RIM (Blackberry); smart phones; and converged devices.

4. Related Documents