Mobile and Portable Computing Device Use and Data Security
MnDOT Policy #DM005
Revised: September 30, 2024
View/print signed policy (PDF)
Please go to the MnDOT Org Chart to find specific contact information: Org Chart.
Responsible Senior Officer: Deputy Commissioner/Chief Administrative Officer
Policy Owner: Director, Office of Administration
Policy Contacts:
- Office of Administration - Mobile Technology Section Manager
- Office of Administration - Technology Investment Management Program Manager
Policy statement
The Minnesota Department of Transportation (MnDOT) fully adopts the enterprise policy, Mobile Device Use, HR/LR #1438, which was issued by Minnesota Management and Budget and is incorporated herein by reference.
This policy establishes the minimum standard for appropriate use of all state mobile and portable computing devices. MnDOT employees may not use personal mobile or portable computing devices to conduct state business and/or access state data or networks, except that employees may use personal or public devices to access email through a web browser or to access state data or networks through a MNIT-supplied remote access solution. Additionally, employees are authorized to use a personal mobile device for multi-factor authentication using an agency-approved authentication application such as Microsoft Authenticator. MnDOT employees may not download or store government data on a personal mobile or portable computing device.
By using a state mobile or portable computing device to conduct state business or to access state data, networks, or other IT resources (e.g., email, voice communication, data, text, messaging, etc.), employees acknowledge, understand, and agree to comply with this policy and all applicable enterprise or agency policies. Employees who violate this policy may be subject to discipline, up to and including discharge.
Employees must protect the security, availability, and integrity of MnDOT and State of Minnesota data stored, accessed, transmitted, or processed on a mobile or portable computing device. Mobile and portable computing devices constitute a unique risk to MnDOT’s data, and must be authorized, managed, and used so that there is no unauthorized disclosure of not public data, and the use of these devices does not pose a security threat to any of MnDOT’s information resources. Use of these devices must comply with other related policies, including:
- Records Retention and Disposal Policy
- MN Government Data Practices Act
- Legal Holds Policy
- Appropriate Use of Electronic Communication and Information Technology Policy
- Code of Ethical Conduct Policy and Minnesota Statutes §43A.38, subd. 4
Reason for policy
Data is a vital MnDOT asset and requires protection from unauthorized access, disclosure, or alteration, and protection from interruptions in access and use. Mobile and portable computing devices provide increased flexibility for employee productivity and the delivery of MnDOT services.
Because of their size and value, the use of these devices also results in an increased risk of theft or loss. The disclosure of not-public data through theft or loss poses a significant risk to the public’s trust in MnDOT. In addition, the use of these devices presents increased security issues.
MnDOT may provide mobile and portable computing devices and services for official state business use. This policy adopts the provisions of the enterprise policy and assigns MnDOT-specific responsibilities for mobile and portable computing devices. The Mobile Devices Section of the MnDOT Business Manual provides the procedures for obtaining and using a mobile device including phones, tablets, cellular data services for laptops, and modems requiring cellular service. Workstation Coordinators are the primary contacts in the offices and districts who monitor workstation asset assignment and facilitate their procurement and replacement.
The enterprise policy requires MnDOT to:
- Adopt and comply with the provisions of the enterprise policy.
- Authorize the use of state mobile devices based on business necessity.
- Ensure that employees are aware of the enterprise policy and MNIT Services’ standards.
- Maintain an escalation process to ensure lost or stolen devices are addressed promptly.
- Develop supplemental addenda as needed, to address agency specific needs that are consistent with the enterprise policy and the law.
- Procure state devices based on business necessity and manage applicable state contracts.
- Safeguard and maintain state devices and applicable software consistent with state security standards.
- Review monthly mobile device billings, just like any other type of billing the agency receives. MnDOT may use discretion in determining who performs this review.
- Conduct at least an annual review of the individual state mobile and portable computing device assignments to determine if there is a continuing business need that remains cost justified.
- Collect state mobile and portable computing devices when the employee separates from the agency or the business need for the state mobile or portable computing device ceases.
Minnesota Management and Budget is responsible for administering and maintaining the enterprise policy in conjunction with MNIT Services.
Applicability
All MnDOT employees must comply with this policy.
Key stakeholders with responsibilities under this policy include:
- Office of Administration
- Managers and Supervisors
- Central Office or District Mobile Coordinators
- Office or District Workstation Coordinators
- Employees
Definitions
Mobile and Portable Computing Device
A portable and self-contained electronic device that can store, access, process, or transmit data, text, or email. This can include individual, shared, and test devices.
Examples of mobile devices include mobile phones, smartphones, modems, cell service allowing laptops to connect to mobile data networks, iPads, and Jet Packs.
Examples of portable computing devices include laptops and tablets.
Multi-factor Authentication (MFA)
A layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.
MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.
MFA factors include:
- Something you know: Such as a password or secret question
- Something you have: Such as a USB device, smart card, or security key
- Something you are: Such as biometrics, which can identify individuals based on physiological characteristics
Not Public Data
Any data collected, created, maintained, or disseminated by a state agency which has a classification other than public. Not public data include data that are private, confidential, nonpublic, or protected nonpublic data as those terms are defined in the Minnesota Government Data Practices Act, Minnesota Statute §13.02.
Personal Mobile or Portable Computing Device
Any mobile or portable computing device that is not provided by a state agency.
State Mobile or Portable Computing Device
Any mobile or portable computing device provided by a state agency.
Security Measures
Configurations, settings, and communication techniques on a mobile or portable computing device that control the security, integrity, and availability of the device’s data.
Responsibilities
Policy Owner (Director, Office of Administration)
- Provide awareness of this policy and MNIT Services’ standards to employees.
- Develop supplemental addenda as needed, to address agency specific needs that are consistent with the enterprise policy and the law.
- Review the policy every two years, or whenever MMB changes the enterprise policy, to ensure the policy remains up to date.
- Ensure documents and training associated with the policy remain current.
- Monitor state, federal, enterprise, agency, or other requirements that apply to the policy or procedures.
- Consult with the MnDOT Office of Chief Counsel to ensure the policy and procedures remain compliant with all state, federal, enterprise, agency, or other requirements.
- Ensure that necessary approvals by state or federal agencies are obtained before changes to the policy or procedures are implemented.
- Work with the Policy Coordinator to revise the policy and/or confirm its accuracy.
- Communicate policy revisions, reviews, and retirements to stakeholders.
Office of Administration
- Provide guidance and procedures for management of mobile and portable computing devices.
- Provide guidance and procedures for management of workstations to Workstation Coordinators.
- Procure mobile and portable computing devices based on business necessity and manage applicable state contracts.
- Maintain process to ensure lost or stolen devices are reported and addressed promptly.
- Ensure cell phones, jetpacks, and business modems are monitored for appropriate use via monthly reports.
- Collect, ensure reset, and manage mobile and portable computing devices.
- Process monthly workstation rates billing and coordinate usage review with office/district Financial Professional Group point of contact.
Managers and Supervisors
- Assign employees to serve as office or district mobile device and workstation coordinators.
- Authorize the use of mobile and portable computing devices based on business need.
- Ensure monthly mobile and portable computing device billings are reviewed.
- Conduct at least an annual review of the individual mobile and portable computing device assignments to determine if there is a continuing business need that remains cost justified.
- Ensure employees complete the Reporting Stolen, Lost, Damaged, or Recovered Property form and notify the local mobile coordinator within 24 business hours of first report by staff.
- Ensure employees return mobile or portable computing devices to the designated resource before the employee separates from the agency or when the business need for the mobile or portable computing device ceases.
- Work with the Office of Human Resources to take appropriate disciplinary or corrective action whenever persons they supervise violate MnDOT or state policy on mobile and portable computing devices.
Central Office and District Mobile Coordinators
- Ensure a documented method and process is in place and used for tracking mobile devices.
- Review monthly service invoices and ensure any irregularities are reported to the appropriate manager or supervisor for additional review, resolution, and documentation.
- Review monthly “no usage report” as well as “high usage.” Work with supervisor and employee to recommend changes to services or plans.
- Ensure all required “Acknowledgement of Receipt – Mobile Device Services and Equipment” forms are signed and retained according to the Record Retention Schedule.
- Ensure the lost/stolen reporting process is followed within 24 hours of first report by staff and suspend the line in question. Take additional steps as circumstances deem appropriate include potential wipe of device by Minnesota IT Services (MNIT).
Office or District Workstation Coordinators
- Follow the Computer Management Roles and Responsibilities for tracking portable computing devices.
Employees
- Comply with all provisions of this policy, the enterprise Mobile Device Use policy, the Appropriate Use of Electronic Communication and Information Technology policy, MNIT Services' security measures and standards, and the provisions for Mobile Devices outlined in the MnDOT Business Manual.
- Protect mobile and portable computing devices from theft, damage, abuse, and unauthorized use.
- Report lost or stolen mobile or portable computing devices immediately and not later than 24 business hours using the Reporting Stolen, Lost, Damaged, or Recovered Property form.
- Refrain from engaging in any activity to circumvent the security or other requirements for the use of mobile and portable computing devices.
- Upon separation from MnDOT, return all mobile devices to the mobile device coordinator and assist in the reset of devices.
- Upon separation from MnDOT, return all portable computing devices to the employee’s supervisor.
Resources and Related information
Forms
Processes, Procedures, and Instructions
- MnDOT Business Manual – Mobile Device Section
- Reporting Stolen, Lost, Damaged, or Recovered Property
Resources
- Mobile Device Use - HR/LR #1438
- Mobile Technology iHUB page
- Appropriate Use of Electronic Communication and Information Technology Policy
- Code of Ethical Conduct Policy
- Legal Holds Policy
- Records Retention and Disposal Policy
- MN Government Data practices Act
- Minnesota Statutes §43A.38, subd. 4
- Business Data Catalog (BDC) – accessible from employee Intranet
- MnDOT’s Policy Website
History and Updates
Effective
August 8th, 2012
Revised
- First Revision: August 23, 2023
- Second Revision: September 30, 2024
Policy Review
This policy's next scheduled review is due September 2026.