UCSC Remote Access Requirements
Overview
CONTENTS:
ITS recommends that only university owned and supported devices be used for all remote access activities. However, use of non-university computers and other devices, on or off campus, is sometimes necessary. Campus information security requirements, including the UC Minimum Security Standard, apply to all devices used for university business, regardless of ownership or location. The following requirements, guidelines, and recommendations must be considered when using non-university devices and remotely accessing UC Santa Cruz networks and systems.
Device Requirements
If you use any computer to work from a non-university location, or use a non-university computer for university business from any location, you must:
- Be aware of the specific security requirements and best practices for P3-P4 data.
- Ensure that your computer has all necessary Operating System (OS) and application security updates or “patches,” as well as up-to-date anti-virus and anti-spyware.
- Shut down or restart your computer at least weekly, and whenever your programs tell you to, in order to install updates.
- Make sure a complex password is required for access to your computer, and that you always shut down, lock, log off, or put your computer to sleep before leaving it unattended.
- Turn on your computer's firewall. A host-based firewall is required for all devices connecting to UC Santa Cruz networks or services. Default settings are typically fine.
- Encrypt your device.
- Avoid using the same passwords for university systems as for non-university systems.
- Practice Physical Security.
Network Requirements
If you connect to campus networks or systems from off-campus, you must:
- Be aware of the specific security requirements and best practices for P3-P4 data.
- Work with ITS to ensure compliance with applicable policies.
- Use the Campus Virtual Private Network (VPN).
- Use Multi Factor Authentication (MFA), also known as two-step verification.
- Make sure your email is configured for secure authentication.
Special Requirements for Credit Card Data (PCI) and Electronic Protected Health Information (PHI)
If you work with Credit Card Data (PCI) or Electronic Protected Health Information (ePHI), you:
- Must have authorization from your supervisor to work remotely with ePHI, and all required protections, including encryption where required, must be in place before you do so.
- May not send/transmit credit card data via wireless internet unless your department has received formal approval from the Campus Controller and you are using an approved, secure method of transmission.
- May not store ePHI on non-university equipment, even temporarily, even if it's encrypted.
- May not store unencrypted ePHI on portable electronic devices, including laptop computers and portable storage devices, even if they are university owned.
Additional Guidelines
In addition to the above requirements, the following practices are highly recommended:
- Don't download or install unknown or unsolicited programs or files, click on links in unsolicited email or texts, or open unexpected email attachments.
- Be especially careful when using wireless internet. Most coffee shop/hotel/airport wireless is not encrypted. If you’re not sure, assume it’s not encrypted.
- Check the wireless preferences/settings for your computer and portable devices to make sure they aren’t set up to auto-connect to any wireless network they detect.
- Protect Mobile Devices.
- Make backup copies of files or data you are not willing to lose, and store the copies securely.
Recommendations for Shared Computers
When using a shared computer, including a shared home computer:
- Log out of all applications, clear web caches, cookies, and history, and quit the browser and all programs when you are done.
- Make sure that shared computers do not remember passwords that you have entered. Clear any stored passwords before you leave the computer.
- Make sure sensitive files and applications are password protected so that others don’t have access.
- Create a separate user account for use when working on university business from a shared computer, and don't share this account with anyone.
Get Help
Contact the ITS Support Center for help with any of the above information.
See "How to Stay Secure" for more information about implementing many of the above requirements.
Immediately report suspected information security problems, such as an infected computer or possible disclosure of sensitive data, to your supervisor and the ITS Support Center. See Report a Security Incident for additional information.
- IT Policies
- Data and IT Resource Classification
- Protection Levels for UC Institutional Information
- Security Web Site
- Availability Levels for UC Institutional Information
- IT Policy Glossary
- IS-3: Information Security Policy
- IS-12: IT Recovery Policy
Need Help?
Call: (831) 459-HELP (9-4357)
Email: help@ucsc.edu
