UCSC Remote Access Requirements
The requirements and guidance below are intended to reduce the risk associated with remote access of University information, systems or resources. They apply to people who do any of the following:
- use a computer to work from any non-University location
- use a non-University computer/device for University business
- connect to campus networks or systems from off-campus, including connecting to:
  - your workstation
  - campus business systems, such as FIS/BANNER, PPS, AIS, DataWarehouse, InfoView, etc.
  - departmental file systems, shared drives or shared servers
- conduct University business over a non-University network (wired or wireless)
- use a computer for University business that is shared by non-University individuals, including children, family or friends
Also see ITS' Mobile Devices and Wireless page for related information about mobile device security.
Managers are responsible for making sure that employees engaging in any of the above activities are authorized to do so and receive appropriate education and training on the following information and other applicable UC, UCSC, and departmental policies.
PLEASE NOTE: All individuals with access to UC Santa Cruz electronic information, systems or resources are expected to be familiar and comply with campus policies, practices and guidelines relating to the use and access of these resources. Additional information is available on ITS' Security web site. An online glossary of terms is also available.
Campus information security requirements, including UCSC's Minimum Network Connectivity Requirements, apply to all devices used for University business purposes, regardless of ownership or location. ITS recommends that only University owned and supported devices be used for all remote access activities; however, the requirements and guidance below apply to any device used for remote access.
For questions or additional information about any of these practices, please see "Getting Help", below.
1. If you need to access your work computer remotely, work with ITS (contact info below) to ensure compliance with applicable policies and security standards for the types of information being accessed.
- ITS recommends that work computers allowing remote access are managed by ITS to ensure appropriate security.
- Supervisor approval is required for ITS staff to set up remote access to a work computer.
- Truncate, de-identify, or redact restricted data whenever possible.
- Restricted data may only be stored on appropriately protected systems.
- If you need to put a copy of restricted data on a properly-protected computer for analysis, store the minimum amount of restricted data necessary and securely delete it as soon as possible (see #3).
- Information about restricted data, including definitions and security requirements
3. Securely delete or destroy restricted data in email, attachments or other electronic documents when there is no longer a business need to keep it. Also be sure to securely erase or destroy data on computing equipment and mobile devices before disposing of them. For information on how to securely delete files, see: Mac or PC / email.
4. Make sure your computer has all necessary Operating System (OS) and application security updates or “patches,” as well as up-to-date anti-virus and anti-spyware. Shut down or restart your computer at least weekly -- and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed. Anti-virus information.
5. Passwords and restricted data must be encrypted during transmission to reduce the risk of being intercepted and stolen.
- Web sites: Web pages that have https (not http) in the web address (URL) encrypt the information you enter. Many web browsers also have a little locked padlock that appears in the nav bar or a corner of the browser window to indicate that information is being encrypted. Check for these indicators before you enter sensitive or personal information, including your password, online. If they’re not there, don’t log in and don’t enter the information.
- Email Passwords: Make sure your email is configured for secure authentication (sign-in). Contact your email provider for their configuration information. Email configuration information for common email clients (Apple Mail, Thunderbird, Outlook).
- Email and IM: Standard email and Instant Messaging (IM) are vulnerable to being intercepted by hackers. If you send or receive email, attachments, files, or IM containing restricted data, work with ITS (contact info below) to set up a way to do this more securely.
- Don’t use the same passwords for University systems as for non-University systems.
6. Make sure a complex password is required for access to your computer, and that you always shut down, lock, log off, or put your computer to sleep before leaving it unattended.
- See UCSC's Password Standards for information about creating complex passwords.
- Computers that access restricted and/or essential information are required to automatically lock or go to screensaver (or be turned off) when left unattended for an extended period of time (default is 20 minutes). Again, a password must be required to resume activity.
7. Turn on your computer's firewall. A host-based firewall is required for all devices connecting to UCSC networks or services. Default settings are typically fine.
8. Physical Security: All workstations containing electronic protected health information (ePHI/HIPAA data) must be physically secured. This is also recommended for any device that stores or accesses restricted data in general. Also see #14, below.
9. Special information for people who work with credit card or health information:
- If you are connected to the Internet via wireless, you may not send/transmit credit card data unless your department has received formal approval from the Campus Controller, and you are using an approved, secure method of transmission.
- UCSC employees may not store electronic protected health information (ePHI) on non-university equipment, even temporarily, even if it's encrypted.
- Unencrypted ePHI may not be stored on portable electronic devices, including laptop computers and portable storage devices, even if they are University owned.
- You must have authorization from your supervisor to work remotely with ePHI, and all required protections, including encryption where required, must be in place before you do so.
10. Don't download or install unknown or unsolicited programs or files, click on links in unsolicited email or texts, or open unexpected email attachments. These can all infect your computer.
11. Be especially careful when using wireless. Information sent via standard wireless is especially easy to intercept.
- Don’t connect to unknown wireless hot spots/access points if you’re concerned about security, privacy or your passwords.
- Only use known, encrypted networks when working with sensitive information.
- UCSC students, faculty, and staff are encouraged to use eduroam secure wireless instead of CruzNet when connecting to wireless from campus locations. Once set up, you can also use eduroam at several other UC campuses and at many Universities worldwide.
- When connecting to the Internet from off campus, use the UCSC Campus VPN (virtual private network) to encrypt your Internet traffic and provide a secure (encrypted) connection to the UCSC network. The Campus VPN is available to all campus members with a CruzId and Gold password.
- Be aware that most coffee shop/hotel/airport-type wireless is not encrypted.
- If you’re not sure, assume it’s not encrypted.
- Check the wireless preferences/settings for your computer and portable devices to make sure they aren’t set up to auto-connect to any wireless network they detect. Auto-connecting to unknown networks could put your computer and data at risk.
12. Mobile Devices: Every day mobile devices are lost, stolen, and infected. Devices that store University information or are used to access University systems or email must be protected like any other computer. See Mobile Devices and Wireless for information about protecting mobile devices.
13. Special cautions when using a shared computer, including a shared home computer:
- Log out of all applications, clear web caches, cookies and history, and quit the browser and all programs when you are done. This will help clear what you were doing from the computer.
- Make sure that shared computers do not remember passwords that you have entered. Clear any stored passwords before you leave the computer. Most programs and web browsers have a preferences or settings option that lets you control this.
- Make sure sensitive files and applications are password protected so that others don’t have access. See “Getting Help”, below, for assistance.
- Create a separate user account for use when working on university business from a shared computer, and don't share this account with anyone.
14. Physical security is important in a remote work environment. Be especially careful with portable equipment, including laptop computers. These items are extra vulnerable to theft and loss.
- Don’t leave sensitive information lying around.
- Physically secure (lock down) workstations whenever possible.
- Keep laptop computers and other portable devices (phones, tablets, data sticks/flash drives, CD/DVDs, etc.) secure at all times. Keep them with you or lock them up before you step away, even if for a very short time.
- Don't leave laptops or other portable devices that contain restricted data in an unattended vehicle, even if the vehicle is locked. Not even in the trunk.
- Be sure your workstation is set up so that passers-by, including family members, can’t see sensitive information on your monitor.
- Also see #8 for specific physical security requirements.
15. Encryption: Restricted data should be encrypted. This is especially important for portable devices. Contact the ITS Support Center (contact info below) for recommended tools and software. Also see Encryption Information. (Support Center staff: See ITR tech-only KB article 16260)
16. Make backup copies of files or data you are not willing to lose -- and store the copies very securely.
Immediately report suspected computer security problems, such as an infected computer or possible disclosure of restricted data, to your supervisor and the ITS Support Center (contact info below). See Report a Security Incident for additional information.
Also see How to Stay Secure for more information about implementing many of the above requirements.
Rev. March 2017