UCSC Remote Access Requirements
The requirements and guidance below are intended to reduce the risk associated with remote access of University information, systems or resources. They apply to people who do any of the following:
- use a computer to work from any non-University location
- connect to campus networks or systems from off-campus, including
- your workstation
- campus business systems, such as FIS/BANNER, PPS, AIS, DataWarehouse, InfoView, etc.
- departmental file systems, shared drives or shared servers
- conduct University business over a non-University network (wired or wireless)
- use a computer for University business that is shared by non-University individuals, including children, family or friends
- use a non-University computer for University business
- Also see ITS' Mobile Devices and Wireless page for related information about mobile device security.
Managers are responsible for making sure that employees engaging in any of the above activities are authorized to do so and receive appropriate education and training on the following information and other applicable UC, UCSC, and departmental policies.
Please note: All individuals with access to UC Santa Cruz electronic information, systems or resources are expected to be familiar and comply with campus policies, practices and guidelines relating to the use and access of these resources. Additional information is available on ITS' Security web site. An online glossary of terms is also available.
Campus information security requirements apply to all devices used for University business purposes, regardless of ownership or location. ITS recommends that only University owned and supported computers be used for all remote access activities; however, the requirements and guidance below apply to any computer used for remote access.
For questions or additional information about any of these practices, please see "Getting Help", below.
1. If you need to access your work computer remotely, work with ITS (contact info below) to ensure compliance with applicable policies and security standards for the types of information being accessed.
- ITS recommends that work computers allowing remote access are managed by ITS to ensure appropriate security.
- Supervisor approval is required for ITS staff to set up remote access to a work computer.
- Truncate, de-identify, or redact restricted data whenever possible.
- Restricted data may only be stored on appropriately protected systems.
- If you need to put a copy of restricted data on a properly-protected computer for analysis, store the minimum amount of restricted data necessary and securely delete it as soon as possible (see #3).
- Information about restricted data, including definitions and security requirements
3. Securely delete or destroy restricted data in email, attachments or other electronic documents when there is no longer a business need to keep it. Also be sure to securely erase or destroy data on computing equipment before disposing of it. For information on how to securely delete files, see: Mac or PC / email.
4. Make sure your computer has all necessary Operating System (OS) and application security updates or “patches,” as well as up-to-date anti-virus and anti-spyware. Shut down or restart your computer at least weekly -- and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed. Anti-virus information.
5. Passwords and restricted data must be encrypted during transmission to reduce the risk of being intercepted and stolen.
- Web sites: Web pages that have https (not http) in the web address (URL) encrypt the information you enter. Most web browsers also have a little locked padlock that appears in the nav bar or a corner of the browser window to indicate that information is being encrypted. Check for these indicators before you enter sensitive or personal information, including your password, online. If they’re not there, don’t log in and don’t enter the information.
- Email Passwords: If you access your UCSC email through a non-UCSC Internet provider (AT&T, cable, Yahoo, Google, etc.), make sure your email client (Apple Mail, Thunderbird, Outlook, etc.) is configured for secure authentication (sign-in). Email configuration information. Contact your Internet provider for their configuration information.
- Email and IM: Standard email and Instant Messaging (IM) are vulnerable to being intercepted by hackers. If you send or receive email, attachments, files, or IM containing restricted data, work with ITS (contact info below) to set up a way to do this more securely.
- Don’t use the same passwords for University systems as for non-University systems.
6. Make sure a complex password is required for access to your computer, and that you always shut down, lock, log off, or put your computer to sleep before leaving it unattended.
- See UCSC's Password Standards for information about creating complex passwords.
- Computers that access restricted and/or essential information are required to automatically lock or go to screensaver (or be turned off) when left unattended for an extended period of time (default is 20 minutes). Again, a password must be required to resume activity.
7. Turn on your computer's firewall. A host-based firewall is required for all devices connecting to UCSC networks or services.
8. Physical Security: UCSC policy requires that reasonable measures must be taken to ensure the physical security of University computing equipment. This also extends to non-University devices that store or access restricted data. Note: All workstations containing electronic protected health information (ePHI) must be physically secured. Also see #14, below.
9. Special information for people who work with credit card or health information:
- If you are connected to the Internet via wireless, you may not send/transmit credit card data unless your department has received formal approval from the Campus Controller, and you are using an approved, secure method of transmission.
- UCSC employees may not store electronic protected health information (ePHI) on non-university equipment, even temporarily.
- Unencrypted ePHI may not be stored on portable electronic devices, including laptop computers and portable storage devices, even if they are University owned.
- You must have authorization from your supervisor to work remotely with ePHI, and all required protections, including encryption where required, must be in place before you do so.
10. Don't download or install unknown or unsolicited programs or files, click on links in unsolicited email, or open unexpected email attachments. These can all infect your computer.
11. Be especially careful when using wireless. Information sent via standard wireless is especially easy to intercept.
- Don’t connect to unknown wireless hot spots/access points if you’re concerned about security, privacy or your passwords.
- Only use known, encrypted networks when working with sensitive information.
- UCSC students, faculty, and staff are encouraged to use eduroam secure wireless instead of regular CruzNet when connecting to wireless from campus locations. Once set up, you can also use eduroam at several other UC campuses and at many Universities worldwide.
- Be aware that most coffee shop/hotel/airport-type wireless is not encrypted.
- If you’re not sure, assume it’s not encrypted.
- Check the wireless preferences/settings for your computer and portable devices to make sure they aren’t set up to auto-connect to any wireless network they detect. Auto-connecting to unknown networks could put your computer and data at risk.
12. Mobile Devices: Every day mobile devices are lost, stolen, and infected. These devices can store important business and personal information, and may be used to access University systems and email. Where this is the case, they need to be protected like any other computer. See Mobile Devices and Wireless for information about protecting mobile devices.
13. Special cautions when using a shared computer, including a shared home computer:
- Log out of all applications, clear web caches, cookies and history, and quit the browser and all programs when you are done. This will help clear what you were doing from the computer.
- Make sure that shared computers do not remember passwords that you have entered. Clear any stored passwords before you leave the computer. Most programs and web browsers have a preferences orsettings option that lets you control this.
- Make sure sensitive files or applications are password protected so that others don’t have access. See “Getting Help”, below, for assistance.
- Create a separate user account for use when working on university business from a shared computer, and don't share this account with anyone.
14. As mentioned above (#8), physical security is important in a remote work environment. Be especially careful with portable equipment, including laptop computers. These items are extra vulnerable to theft and loss.
- Don’t leave sensitive information lying around.
- Physically secure (lock down) workstations whenever possible.
- Keep laptop computers and other portable devices (data sticks/flash drives, CD/DVDs, PDAs, phones, etc.) secure at all times by either keeping them with you or locking them up before you step away, even if for a very short time.
- Don't leave laptops or other portable devices that contain restricted data in an unattended vehicle, even if the vehicle is locked.
- Where feasible, encryption is recommended for restricted data on portable devices. Contact the ITS Support Center (contact info below) for recommended tools and software. Also see Encryption Information. (Support Center staff: See ITR tech-only KB article 16260)
- Be sure your workstation is set up so that passers-by, including family members, can’t see sensitive information on your monitor.
15. Make backup copies of files or data you are not willing to lose -- and store the copies very securely.
Immediately report suspected computer security problems, such as an infected computer or possible disclosure of restricted data, to your supervisor and the ITS Support Center (contact info below). See Report a Security Incident for additional information.
Also see Understanding UCSC's Minimum Network Connectivity Requirements for more information about implementing many of the above requirements.
Rev. August 2011