This policy establishes guidelines for
procurement, possession and appropriate use of College-owned Mobile
Communications Devices (MCD). It also establishes guidelines for
approval of an employee’s use of an MCD. This policy is designed to
reduce unnecessary MCD costs to the College and to help ensure the
confidentiality of College information.
MCDs are provided to improve customer
service and to enhance business efficiencies. MCDs are not a personal benefit
and shall not be a primary mode of communication, unless they are the most
cost-effective means to conduct College business. Possessing an MCD is a
privilege and all employees are expected to use them responsibly. Misuse of the
College MCD may result in its revocation and possible disciplinary action
against the employee.
Data Security Committee - A committee
comprised of the College’s Personal Information Security Officers, the Vice President
and General Counsel, the Director of Student Financial Services, the Associate
Vice President for Human Resources and the Controller whose role is to identify
and assess internal and external risks to the security, confidentiality, and
integrity of sensitive paper and electronic records which contain Personal Information.
- The director/manager of
the department in which the employee works, or that individual’s designee. When
this is ambiguous, the appropriate College Vice President is to be consulted.
Encryption - Encryption is the conversion of electronic
data into a code which cannot be read by anyone except authorized parties.
Essential personal calls - These are defined as personal calls of minimal duration and
frequency that are essential to allowing the employee to continue working and
cannot be made at another time or from a different telephone. Examples of
essential personal calls are calls to arrange for unscheduled or immediate care
of a dependent or a family emergency, to alert others of an unexpected delay
due to a change in work or travel schedule.
Mobile Communications Device - An MCD is a mobile phone, or smartphone, with
PC-like functionality having features like email and internet browsing.
Examples include: iOS, Android, and Windows Mobile. For purposes of this policy, the MCDs considered in scope are limited
to iOS, Android, and Windows phones.
Personal Information – As defined under Massachusetts General Law Chapter
93H, an individual’s first name and last name or first initial and last name in
combination with one or more of the following data elements: social security
number, driver’s license number or state-identification card number, or
financial account number, or credit or debit card number, with or without any
required security code, access code, personally identifiable identification
number or password, that would permit access to a resident’s financial account.
For the purposes of this Policy,
Personal Information is deemed to include education records as defined under
Sensitive Information – Data whose disclosure would not result in any business,
financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The
security and protection of this data is dictated by a desire to maintain
employee and student privacy.
This policy affects faculty and staff
who are authorized to use an MCD and associated wireless services for College
business and who receive a College-provided MCD or who receive reimbursement from the College to offset the cost of a
personal MCD for business-related communications. This policy also governs MCDs
acquired via grants and contracts awarded in Babson College’s name. It is
effective as of January 1, 2015.
In general, Babson College will own MCDs
or carry MCD contracts for permanent assignment to individual employees in
limited cases as specified below. Employees whose job duties require the frequent
use of MCDs may at the College’s election be given a monthly or a one-time reimbursement
to compensate for business use of a personal MCD.
The College may provide MCDs to the
· President and members of the President’s Cabinet
Deans, Associate Vice President for Facilities Management and Planning, and Associate Vice President for Human Resources
· Crisis Management
· Director of Public Safety or other critical safety personnel who are on call 24/7 as determined by the Department Head.
· Director of Campus Life, Facilities Services, ITSD and critical employees who are on call 24/7 within these units as determined by the Department Head.
Communications Device Provision Justification
Justification for an MCD is determined
by considering (but not limited to) the following criteria:
requirements dictate that having mobile/remote communication capabilities is an
integral part of performing job duties.
· More than 50% of work is conducted away from the employee’s work station and the employee is required to be contacted on a regular basis.
· Employee is on-call outside of normal work hours.
· Senior officer or other critical decision maker.
· Employee monitors and administers mission critical information systems during non-business hours.
· The job requires the employee to be immediately accessible to receive and/or make frequent business calls outside of working hours.
· Other special circumstances approved at the President’s Cabinet level.
The Department Head is responsible for
submitting the Mobile Communications
Device Request/Justification Form to the IT Service Center (ITSC). All MCDs
will be distributed through the ITSC. No MCD will be dispensed without having
the required MCD Request/Justification Form on file.
ITSC will provide advice on the most appropriate MCD equipment; will determine
appropriate plans; and will maintain overall responsibility for the
distribution and billing for all MCDs. The Department/Division Head (or
designee) is responsible for reviewing the monthly billing charges for MCDs
provided within the Telecommunications monthly billing report and ensuring that
overages, as a result of personal use, are paid by the employee. A
detailed breakdown of billing charges is available from the ITSC upon
request. If an employee is terminated, resigns, transfers or for any
reason is no longer eligible for an MCD, the Department/Division Head (or
designee) will return the MCD to the ITSC. When applicable, the ITSC may
transfer the MCD to another employee within the Department/Division or to a new
employee hired within ninety (90) days.
ITSC also will determine whether the MCD should contain Encryption technology or
other safeguards that allow for destruction of Personal Information or
Sensitive Information if an MCD is lost or stolen.
Employees must comply with state and
municipal laws regarding the use of mobile devices while driving and prevent MCD
use that jeopardizes employee safety. The College does not condone any use of a
wireless MCD while driving.
MCD voice transmissions are not secure.
Employees must use discretion in relaying sensitive and/or personal Babson
College business related information over an MCD. Because MCDs may store Personal
Information, the Mobile Communications
Device Request/Justification Form must also provide departmental
authorization for such activity. No Personal Information shall be stored on an MCD
without the prior written approval of
the Data Security Committee. Employees who are granted authorization to store Personal
Information on an MCD must bring the MCD (if already distributed) to the ITSC for
a security screening.
Use of MCDs for Personal Calls: Babson College provides MCDs to employees primarily
for the purpose of conducting College business. However, with the recent
updates to IRS regulations, the use of College owned and issued equipment to
make or receive occasional, personal calls is allowed under reasonable
circumstances and in the event of an emergency. Employees must realize that
although personal calls made within the domestic calling region and under the
usage limits provided by the employee’s plan do not result in additional
charges, they do count toward the overall time limits established under the
service agreement for all College employees. It is expected that the plan
chosen will provide adequate coverage for all normal business needs and for any
overage. Long distance or other charges realized by the employee for personal
calls shall be the responsibility of the employee. Employees may arrange for
recurring payroll deductions to cover personal calls.
Assumption of Liability
From and after the effective date of this policy, employees who are eligible
for a College owned and issued MCD will not be allowed to transfer their
personal phone number to the College plan while employed at Babson.
MCD Data Plans: Data plans for MCDs are provided for the purpose of
conducting College business. Although personal use of data plans may not result
in additional charges, it may count toward the overall limits established under
a service agreement. It is expected that the plan chosen will provide adequate
data coverage for all normal business needs and any overage or other added
charges realized by the employee for personal use shall be the responsibility
of the employee.
International Calls and Travel: Employees needing international voice and data
services should contact the ITSC at x4357 or firstname.lastname@example.org at least two weeks in advance of any such requirement.
Where possible, international voice and data services will be activated only
for the duration of the travel period and will be deactivated at the end of the
travel period. Wi-Fi networks should be
used whenever possible and cellular voice/data plans reserved for special needs
while traveling and when Wi-Fi is not available. International MCD voice
and data coverage is not guaranteed, and it is the responsibility of the
employee to determine if there is voice and data coverage in the countries that
will be visited. All calls made and received, regardless of duration, and
all text/media messages sent and received are charged at an additional roaming
rate when traveling internationally, and the cost is the responsibility of the
employee’s Department/Division. Data usage may be charged additional fees when
roaming internationally, the cost of which is the responsibility of the
employee’s Department/Division. Note: The employee is responsible for notifying the ITSC when travel is
complete so that any additional/unnecessary international services may be
Other Costs: Employees are responsible for the costs
associated with applications (apps) and media not originally included with a
device. Departments may have need for additional applications beyond what is
provided with basic service plans, but these costs will be billed separately.
The ITSC will not provide ongoing
troubleshooting services for those employees who elect to purchase devices
which have not been recommended. The College will not assume liability for any
operating issues that result from loading College applications onto personal
MCDs with the employee’s authorization.
Employees utilizing MCDs are required to notify Public Safety at 781-239-5555
immediately upon the loss or theft of their device. Public Safety will take
appropriate action to ensure the confidentiality of College data, to the extent
technically feasible. If theft is suspected, employees must promptly file a
police report and cooperate with law enforcement that Personal Information and
Sensitive Information is preserved.
Devices and Data Security
MCDs pose special risks to data security
because they are highly portable and easily lost or stolen. In order to mitigate
those risks, the College requires the following features/restrictions for
· Power-on password: A password will be required to turn on the device from an off state
and from a timeout state. The password must be at least four characters in
length and will be preconfigured at the ITSC when the device is delivered to
the user. It is forbidden to use the same password that is used for any Babson
· Security timeout: The device will go into a locked state after 1 minute of inactivity
or when the device is locked manually. The power-on password will be required
to return the device to its active state.
· Failed login attempts: The device will allow 10 failed attempts to log into
the device. Immediately following the 10th failed login attempt, all data will be wiped clean from the device.
to comply with this policy regarding the use of MCDs may result in disciplinary
action to include termination of MCD privileges and collection of any fees
associated with the violation of this