Mobile Application Implementation Policy

Originally Issued: October 2015

Contacts: Don Diener Lori Temple

Download Policy Document Download Procedure Document

Policy

Any campus constituent or unit planning to develop or procure a mobile application, or hire a vendor to assist in the development of a mobile application, must seek formal approval to proceed if the application meets any one of the following criteria:

  • Accesses data from or pushes data to a UNLV enterprise system
  • Accesses or collects data that is protected by federal or state laws/regulations or NSHE/UNLV regulations or policies
  • Requires infrastructure services managed by UNLV
  • Will be branded as a UNLV product which must be done to adhere to both UNLV graphic identity standards and in accordance with the UNLV Licensing Program

Mobile applications must comply with UNLV security policies and procedures.

Statement of Purpose

The purpose of this policy is to:

  • Coordinate development and growth of the institution's mobile technology environment.
  • Ensure mobile applications published under the UNLV brand reflect positively on the university.
  • Ensure mobile applications meet university security requirements.

Entities Affected by Policy

Entities affected by this policy include individuals planning to develop or procure a mobile application or hire a vendor to assist in the development of a mobile application.

Who Should Read This Policy

Individuals planning to develop or procure a mobile application, or hire a vendor to assist in the development of a mobile application, should read this policy.

Exceptions

  • There are no predefined exceptions to the Mobile Application Implementation Policy.
  • Exceptions will be made on a case-by-case basis.

To request an exception, please complete the IT Policy Exception Form.

Exception requests will be processed within 10 business days of receipt of the request. If an exception is created, the exception will be audited on an annual basis. The developer of the application or the contact for the third party developer must respond to the annual audit and verify that the exception is still required.

Changes to the exception may only be requested by the developer of the application or the contact for the third party developer.

Frequently Asked Questions

How do I know if the policy applies to me?

This policy applies to you if you are planning to develop or procure a mobile application that meets any one of the following criteria:

  1. Accesses data from or pushes data to a UNLV enterprise system

  2. Accesses or collects data that is protected by federal or state laws/regulations, or NSHE/UNLV regulations or policies

  3. Requires infrastructure services managed by UNLV

  4. Will be branded as a UNLV product

The policy also applies to you if you are hiring a vendor to assist in the development of a mobile application that meets the criteria above.

What do you mean by “UNLV enterprise system”?

An enterprise system is a large-scale application software package that supports business processes, information flows, reporting, and data analytics in complex organizations.

Examples at UNLV include but are not limited to:  student information system, human resources system, finance system, learning management system, identity management system, space management system, etc.

What do you mean by “access data from” a UNLV enterprise system?

“Accessing data from” means using or displaying data from a UNLV enterprise system.

For example, the mobile application is designed to list all students enrolled in a particular class (e.g., SOC 101 Section 1001). The data would be pulled from UNLV’s student information system (i.e., MyUNLV).

What do you mean by “push data to” a UNLV enterprise system”?

“Push data to” means adding new data to, updating existing data in, or deleting data from a UNLV enterprise system.

For example, the mobile application is designed to take attendance in a particular class (e.g., SOC 101 Section 1001) and transfer the data to the learning management system (i.e., WebCampus).

What type of data likely to be used in a mobile application would be subject to protection by federal or state laws/regulations, or NSHE/UNLV regulations or policies?

The data likely to be used in a mobile application is the same type of data used in many other environments on campus (e.g., web page, within an application, in a paper document). If the data being used in a mobile application must be protected in any other environment it must meet the same level of protection in the mobile application.

The type of data protected by federal or state laws/regulations, or NSHE UNLV regulations or policies includes sensitive, personal information which is defined as:

Any information about the individual maintained by the university, including the following: (a) Education, financial transactions, medical history, and criminal or employment history; and, (b) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. [38 USCS § 5727(19)] Sensitive, personal information does not include publicly available directory information that may be lawfully disclosed (Definition taken from Breach of Information Notification Policy available at: https://oit.unlv.edu/about-oit/policies/breach-information-notification-policy).

How do I know if a mobile application would require infrastructure services managed by UNLV?

Mobile application using the following types of services provided by UNLV would be using infrastructure services managed by UNLV:

  • Authentication services (e.g., ACE, MyUNLV login services, etc.)

  • Data storage

  • Database

  • File services

  • Web and/or application servers

Where do I find UNLV graphic identity standards?

Information about logos, colors, and other graphic identity standards is available on the university identity website at: http://www.unlv.edu/identity/.

Where do I find information about using the UNLV brand (UNLV Licensing Program)?

Information about UNLV’s Licensing Program for commercial and non-commercial use is available on the university identity website at: https://www.unlv.edu/identity/licensing. The UNLV Licensing Program ensures the control and proper presentation of the UNLV brand and protects the appropriate use of those trademarks, service marks, logos, and insignias that have come to be associated with the university.

What security policies and procedures are relevant if I am developing or procuring a mobile application?

All applications developed or purchased for use at UNLV must be designed to protect the confidentiality, integrity, and availability of university data and the privacy of members of the university community as well as the users of the application.

A number of precautions must be taken to minimize the impact of the vulnerabilities associated with mobile applications. These include but are not limited to:

  • Access to any potentially sensitive information requires authentication that meets UNLV password standards.

  • All potentially sensitive, personal information must be encrypted in transit and when cached for use on the mobile device.

  • Any downloaded data must be protected against access by other programs.

  • No sensitive data should be stored on the mobile device once the application is terminated.

  • Applications must not expose location information without the explicit consent of the user.

More information on the special security vulnerabilities mobile applications and the devices upon which they reside is available in the security section of the Procedures to Accompany the Mobile Application Implementation Policy.

How can I post my app to the Apple App Store?

To deploy an app through the Apple App Store, you must participate through the Apple Development Program. Details can be found in the App Distribution Guide found at:

https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html

Does UNLV’s have an Apple Development Program (ADP) membership?

UNLV does maintain an Apple Development Program membership. If you wish to use the UNLV ADP membership please contact the Mobile Applications Group at mobileappsgroup@unlv.edu.

How can I have my app listed on the UNLV Mobile App page?

For information about having your app listed on the UNLV Mobile App page, please contact the Mobile Applications Group at mobileappsgroup@unlv.edu.