Mobile Application Implementation Policy

Originally Issued:

October 2015

Policy:

Any campus constituent or unit planning to develop or procure a mobile application (a software application designed to be installed and run on mobile devices such as smart phones or tablets), or hire a vendor to assist in the development of a mobile application, must seek formal approval to proceed if the application meets any one of the following criteria:

  • Accesses data (the observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy) from or pushes data to a UNLV enterprise system
  • Accesses or collects data that is protected by federal or state laws/regulations or NSHE/UNLV regulations or policies
  • Requires infrastructure services (information technology services including, but not limited to, hardware, software, database, and/or cloud systems) managed by UNLV
  • Will be branded as a UNLV product, which must adhere to UNLV graphic identity standards and be done in accordance with the UNLV Licensing Program

Mobile applications must comply with UNLV security policies and procedures.


Statement of Purpose:

The purpose of this policy is to:

  • Coordinate development and growth of the institution's mobile technology environment.
  • Ensure mobile applications published under the UNLV brand reflect positively on the university.
  • Ensure mobile applications meet university security requirements.

Related Documents

Procedures to Accompany the Mobile Applications Implementation Policy


Entities Affected By Policy:

Entities affected by this policy include individuals planning to develop or procure a mobile application or hire a vendor to assist in the development of a mobile application.


Who Should Read This Policy:

Individuals planning to develop or procure a mobile application, or hire a vendor to assist in the development of a mobile application, should read this policy.


Exceptions:

  • There are no predefined exceptions to the Mobile Application Implementation Policy.
  • Exceptions will be made on a case-by-case basis.

To request an exception, please complete the OIT Policy Exception Form.

Exception requests will be processed within 10 business days of receipt of the request. If an exception is created, the exception will be audited on an annual basis. The developer of the application or the contact for the third party developer must respond to the annual audit and verify that the exception is still required.

Changes to the exception may only be requested by the developer of the application or the contact for the third party developer.


Frequently Asked Questions:

How do I know if the policy applies to me?

This policy applies to you if you are planning to develop or procure a mobile application that meets any one of the following criteria:

  1. Accesses data from or pushes data to a UNLV enterprise system

  2. Accesses or collects data that is protected by federal or state laws/regulations, or NSHE/UNLV regulations or policies

  3. Requires infrastructure services managed by UNLV

  4. Will be branded as a UNLV product

The policy also applies to you if you are hiring a vendor to assist in the development of a mobile application that meets the criteria above.

What do you mean by “UNLV enterprise system”?

An enterprise system is a large-scale application software package that supports business processes, information flows, reporting, and data analytics in complex organizations.

Examples at UNLV include but are not limited to: student information system, human resources system, finance system, learning management system, identity management system, space management system, etc.

What do you mean by “access data from” a UNLV enterprise system?

“Accessing data from” means using or displaying data from a UNLV enterprise system.

For example, the mobile application is designed to list all students enrolled in a particular class (e.g., SOC 101 Section 1001). The data would be pulled from UNLV’s student information system (i.e., MyUNLV).

What do you mean by “push data to” a UNLV enterprise system?

“Push data to” means adding new data to, updating existing data in, or deleting data from a UNLV enterprise system.

For example, the mobile application is designed to take attendance in a particular class (e.g., SOC 101 Section 1001) and transfer the data to the learning management system (i.e., WebCampus).

What type of data likely to be used in a mobile application would be subject to protection by federal or state laws/regulations, or NSHE/UNLV regulations or policies?

The data likely to be used in a mobile application is the same type of data used in many other environments on campus (e.g., web page, within an application, in a paper document). If the data being used in a mobile application must be protected in any other environment, it must meet the same level of protection in the mobile application.

The type of data protected by federal or state laws/regulations, or NSHE/UNLV regulations or policies includes sensitive, personal information, which is defined as:

Any information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed (Definition taken from Breach of Information Notification Policy available at: https://oit.unlv.edu/about-oit/policies/breach-information-notification-policy).

How do I know if a mobile application would require infrastructure services managed by UNLV?

Mobile applications using the following types of services provided by UNLV would be using infrastructure services managed by UNLV:

  • Authentication services (e.g., ACE, MyUNLV login services, etc.)

  • Data storage

  • Database

  • File services

  • Web and/or application servers

Where do I find UNLV graphic identity standards?

Information about logos, colors, and other graphic identity standards is available on the university identity website at: http://www.unlv.edu/identity/.

Where do I find information about using the UNLV brand (UNLV Licensing Program)?

Information about UNLV’s Licensing Program for commercial and non-commercial use is available on the university identity website at: https://www.unlv.edu/identity/licensing. The UNLV Licensing Program ensures the control and proper presentation of the UNLV brand and protects the appropriate use of those trademarks, service marks, logos, and insignias that have come to be associated with the university.

What security policies and procedures are relevant if I am developing or procuring a mobile application?

All applications developed or purchased for use at UNLV must be designed to protect the confidentiality, integrity, and availability of university data and the privacy of members of the university community as well as the users of the application.

A number of precautions must be taken to minimize the impact of the vulnerabilities associated with mobile applications. These include but are not limited to:

  • Access to any potentially sensitive information requires authentication that meets UNLV password standards.

  • All potentially sensitive, personal information must be encrypted in transit and when cached for use on the mobile device.

  • Any downloaded data must be protected against access by other programs.

  • No sensitive data should be stored on the mobile device once the application is terminated.

  • Applications must not expose location information without the explicit consent of the user.

More information on the special security vulnerabilities of mobile applications and the devices upon which they reside is available in the security section of the Procedures to Accompany the Mobile Application Implementation Policy.

How can I post my app to the Apple App Store?

To deploy an app through the Apple App Store, you must participate through the Apple Development Program. Details can be found in the App Distribution Guide found at:

https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html

Does UNLV have an Apple Development Program (ADP) membership?

UNLV does maintain an Apple Development Program membership. If you wish to use the UNLV ADP membership please contact the Mobile Applications Group at mobileappsgroup [at] unlv [dot] edu.

How can I have my app listed on the UNLV Mobile App page?

For information about having your app listed on the UNLV Mobile App page, please contact the Mobile Applications Group at mobileappsgroup [at] unlv [dot] edu.