UCSC Remote Access Requirements

Overview

ITS recommends that only university owned and supported devices be used for all remote access activities. However, use of non-university computers and other devices, on or off campus, is sometimes necessary. Campus information security requirements, including the UC Minimum Security Standard, apply to all devices used for university business, regardless of ownership or location. The following requirements, guidelines, and recommendations must be considered when using non-university devices and remotely accessing UC Santa Cruz networks and systems.

Device Requirements

If you use any computer to work from a non-university location, or use a non-university computer for university business from any location, you must:

  • Be aware of the specific security requirements and best practices for P3-P4 data
  • Ensure that your computer has all necessary Operating System (OS) and application security updates or patches, as well as up-to-date anti-virus and anti-spyware software. 
  • Shut down or restart your computer at least weekly, and whenever your programs tell you to, in order to install updates. 
  • Make sure a complex password is required for access to your computer, and that you always shut down, lock, log off, or put your computer to sleep before leaving it unattended.
  • Turn on your computer's firewall. A host-based firewall is required for all devices connecting to UC Santa Cruz networks or services. Default settings are typically fine.
  • Encrypt your device
  • Avoid using the same passwords for university systems as for non-university systems.
  • Practice physical security.

Network Requirements 

If you connect to campus networks or systems from an off-campus location, you must:

Special Requirements for Credit Card Data (PCI) and Electronic Protected Health Information (PHI)

If you work with credit card data (PCI) or electronic protected health information (ePHI), you:

  • Must have authorization from your supervisor to work remotely with ePHI, and all required protections, including encryption where required, must be in place before you do so.
  • May not send/transmit credit card data via wireless internet unless your department has received formal approval from the Campus Controller and you are using an approved, secure method of transmission.
  • May not store ePHI on non-university equipment, even temporarily, even if it's encrypted.
  • May not store unencrypted ePHI on portable electronic devices, including laptop computers and portable storage devices, even if they are university owned.

Additional Guidelines 

In addition to the above requirements, the following practices are highly recommended:

  • Don't download or install unknown or unsolicited programs or files, click on links in unsolicited emails or texts, or open unexpected email attachments. 
  • Be especially careful when using wireless internet. Most coffee shop/hotel/airport wireless is not encrypted. If you’re not sure, assume it’s not encrypted.
  • Check the wireless preferences/settings for your computer and portable devices to make sure they aren’t set up to auto-connect to any wireless network they detect. 
  • Protect mobile devices
  • Make back-up copies of files or data you are not willing to lose, and store the copies securely.

Recommendations for Shared Computers

When using a shared computer, including a shared home computer:

  • Log out of all applications, clear web caches, cookies, and history, and quit the browser and all programs when you are done. 
  • Make sure that shared computers do not remember passwords that you have entered. Clear any stored passwords before you leave the computer. 
  • Make sure sensitive files and applications are password protected so that others don’t have access. 
  • Create a separate user account for use when working on university business from a shared computer, and don't share this account with anyone.

Get Help

Contact the ITS Support Center for help with any of the above information.

See How to Stay Secure for more information about implementing many of the above requirements.

Immediately report suspected information security problems, such as an infected computer or possible disclosure of sensitive data, to your supervisor and the ITS Support Center. See Report a Security Incident for additional information.