UCSC Remote Access Requirements
The requirements and guidance below are intended to reduce the risk associated with remote access of University information, systems or resources. They apply to people who do any of the following:
- use a computer to work from any non-University location
- use a non-University computer/device for University business
- connect to campus networks or systems from off-campus, including connecting to:
  - your workstation
  - campus business systems, such as FIS/BANNER, PPS, AIS, DataWarehouse, InfoView, etc.
  - departmental file systems, shared drives or shared servers
- conduct University business over a non-University network (wired or wireless)
- use a computer for University business that is shared by non-University individuals, including children, family or friends
Also see ITS' Mobile Devices and Wireless page for related information about mobile device security.
Managers are responsible for making sure that employees engaging in any of the above activities are authorized to do so and receive appropriate education and training on the following information and other applicable UC, UCSC, and departmental policies.
PLEASE NOTE: All individuals with access to UC Santa Cruz electronic information, systems or resources are expected to be familiar with, and comply with, campus policies, practices and guidelines relating to the use and access of these resources. Additional information is available on ITS' Security web site. An online glossary of terms is also available.
Campus information security requirements, including the UC Minimum Security Standard, apply to all devices used for University business purposes, regardless of ownership or location. ITS recommends that only University owned and supported devices be used for all remote access activities; however, the requirements and guidance below apply to any device used for remote access.
For questions or additional information about any of these practices, please see "Getting Help", below.
1. If you need to access your work computer remotely, work with ITS (contact info below) to ensure compliance with applicable policies and security standards for the types of information being accessed.
- ITS recommends that work computers allowing remote access are managed by ITS to ensure appropriate security.
- Supervisor approval is required for ITS staff to set up remote access to a work computer.
2. Specific security requirements exist for P3-P4 data, regardless of where it is stored or accessed. These include:
- Truncate, de-identify, or redact P4 data whenever possible.
- P3-P4 data may only be stored on appropriately protected systems.
- If you need to put a copy of Personally Identifiable Information (PII) on a properly-protected computer for analysis, store the minimum amount of PII necessary and securely delete it as soon as possible (see #3).
- Information about protected data, including definitions and security requirements
3. Securely delete or destroy P3-P4 data in email, attachments or other electronic documents when there is no longer a business need to keep it. Also be sure to securely erase or destroy data on computing equipment and mobile devices before disposing of them. For information on how to securely delete files, see: Mac or PC / email.
4. Make sure your computer has all necessary Operating System (OS) and application security updates or “patches,” as well as up-to-date anti-virus and anti-spyware. Shut down or restart your computer at least weekly -- and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed. Anti-virus information.
5. Passwords and P3-P4 data must be encrypted during transmission to reduce the risk of their being intercepted and stolen.
- Web sites: Web pages that have https (not http) in the web address (URL) encrypt the information you enter. Many web browsers also have a little locked padlock that appears in the nav bar or a corner of the browser window to indicate that information is being encrypted. Check for these indicators before you enter sensitive or personal information, including your password, online. If they’re not there, don’t log in and don’t enter the information.
- UCSC students, faculty, and staff are encouraged to use eduroam secure wireless instead of UCSC-Guest when connecting to wireless from campus locations, and the Campus VPN (virtual private network) when connecting from off campus.
- Email Passwords: Make sure your email is configured for secure authentication (sign-in). Contact your email provider for their configuration information. Email configuration information for common email clients (Apple Mail, Thunderbird, Outlook).
- Email and IM: Standard email and Instant Messaging (IM) are vulnerable to being intercepted by hackers. If you send or receive email, attachments, files, or IM containing P4 data, work with ITS (contact info below) to set up a way to do this more securely.
- Don’t use the same passwords for University systems as for non-University systems.
6. Make sure a complex password is required for access to your computer, and that you always shut down, lock, log off, or put your computer to sleep before leaving it unattended.
- See UCSC's Password Standards for information about creating complex passwords.
- Devices used to store or access Institutional Information or IT Resources classified at P2 or higher must employ lockout/screen-lock mechanisms or session timeout in order to block access after a defined period of inactivity (15 minutes). Mechanisms must require re-authentication before returning to interactive use.
7. Turn on your computer's firewall. A host-based firewall is required for all devices connecting to UCSC networks or services. Default settings are typically fine.
8. Physical Security: All devices and Institutional Information must be physically secured. See #14, below.
9. Special information for people who work with credit card or health information:
- If you are connected to the Internet via wireless, you may not send/transmit credit card data unless your department has received formal approval from the Campus Controller, and you are using an approved, secure method of transmission.
- UCSC employees may not store electronic protected health information (ePHI) on non-university equipment, even temporarily, even if it's encrypted.
- Unencrypted ePHI may not be stored on portable electronic devices, including laptop computers and portable storage devices, even if they are University owned.
- You must have authorization from your supervisor to work remotely with ePHI, and all required protections, including encryption where required, must be in place before you do so.
ADDITIONAL GUIDANCE – TO HELP REDUCE THE RISK
10. Don't download or install unknown or unsolicited programs or files, click on links in unsolicited email or texts, or open unexpected email attachments. These can all infect your computer.
11. Be especially careful when using wireless. Information sent via standard wireless is especially easy to intercept.
- Don’t connect to unknown wireless hot spots/access points if you’re concerned about security, privacy or your passwords.
- Only use known, encrypted networks when working with sensitive information.
- UCSC students, faculty, and staff are encouraged to use eduroam secure wireless instead of UCSC-Guest when connecting to wireless from campus locations. Once set up, you can also use eduroam at several other UC campuses and at many Universities worldwide.
- When connecting to the Internet from off campus, use the UCSC Campus VPN (virtual private network) to encrypt your Internet traffic and provide a secure (encrypted) connection to the UCSC network. The Campus VPN is available to all campus members with a CruzId and Gold password.
- Be aware that most coffee shop/hotel/airport-type wireless is not encrypted.
- If you’re not sure, assume it’s not encrypted.
- Check the wireless preferences/settings for your computer and portable devices to make sure they aren’t set up to auto-connect to any wireless network they detect. Auto-connecting to unknown networks could put your computer and data at risk.
12. Mobile Devices: Every day mobile devices are lost, stolen, and infected. Devices that store or access Institutional Information or IT Resources must be protected like any other computer. See Mobile Devices and Wireless for information about protecting mobile devices.
13. Special cautions when using a shared computer, including a shared home computer:
- Log out of all applications, clear web caches, cookies and history, and quit the browser and all programs when you are done. This will help clear what you were doing from the computer.
- Make sure that shared computers do not remember passwords that you have entered. Clear any stored passwords before you leave the computer. Most programs and web browsers have a preferences or settings option that lets you control this.
- Make sure sensitive files and applications are password protected so that others don’t have access. See “Getting Help”, below, for assistance.
- Create a separate user account for use when working on university business from a shared computer, and don't share this account with anyone.
14. Physical security is important in a remote work environment. Be especially careful with portable equipment, including laptop computers. These items are extra vulnerable to theft and loss.
- Don’t leave sensitive information lying around.
- Physically secure (lock down) workstations whenever possible.
- Keep laptop computers and other portable devices (phones, tablets, data sticks/flash drives, CD/DVDs, etc.) secure at all times. Keep them with you or lock them up before you step away, even if for a very short time.
- Don't leave laptops or other portable devices that contain P3-P4 data in an unattended vehicle, even if the vehicle is locked. Not even in the trunk.
- Be sure your workstation is set up so that passers-by, including family members, can’t see sensitive information on your monitor.
15. Encryption: Laptops and mobile devices must be encrypted. Also, Institutional Information classified at P3 or higher must be encrypted when stored.
Contact the ITS Support Center (contact info below) for recommended tools and software. Also see Encryption Information. (Support Center staff: See ITR tech-only KB article 16260)
16. Make backup copies of files or data you are not willing to lose -- and store the copies very securely.
REPORTING A COMPUTER SECURITY INCIDENT
Immediately report suspected computer security problems, such as an infected computer or possible disclosure of sensitive data, to your supervisor and the ITS Support Center (contact info below). See Report a Security Incident for additional information.
GETTING HELP
Contact the ITS Support Center for help with any of the above information, or to send feedback: itrequest.ucsc.edu, help@ucsc.edu, or 459-HELP (4357).
Also see How to Stay Secure for more information about implementing many of the above requirements.