DOES THIS APPLY TO ME?
The requirements and guidance below are intended to reduce the risk associated with remote access of University information, systems or resources. They apply to people who do any of the following:
- use a computer to work from any non-University location
- connect to campus networks or systems from off-campus, including:
  - your workstation
  - campus business systems
  - departmental file systems, shared drives or shared servers
- conduct University business over a non-University network (wired or wireless)
- use a computer for University business that is shared by non-University individuals, including children, family or friends
- use a non-University computer for University business
Also see InCHIP IT’s Mobile Devices and Wireless page for related information about mobile device security.
Managers are responsible for making sure that employees engaging in any of the above activities are authorized to do so and receive appropriate education and training on the following information and other applicable UConn, InCHIP, and departmental policies.
Please note: All individuals with access to electronic information, systems or resources are expected to be familiar and comply with campus policies, practices and guidelines relating to the use and access of these resources.
Campus information security requirements, including InCHIP IT’s Minimum Network Connectivity Requirements, apply to all devices used for University business purposes, regardless of ownership or location. InCHIP recommends that only University owned and supported computers be used for all remote access activities; however, the requirements and guidance below apply to any computer used for remote access.
For questions or additional information about any of these practices, please see “Getting Help”, below.
1. If you need to access your work computer remotely, work with InCHIP (contact info below) to ensure compliance with applicable policies and security standards for the types of information being accessed.
- InCHIP IT recommends that work computers allowing remote access are managed by InCHIP to ensure appropriate security.
- Supervisor approval is required for UConn staff to set up remote access to a work computer.
2. Specific security requirements exist for restricted data, regardless of where it is stored or accessed. These include:
- Truncate, de-identify, or redact restricted data whenever possible.
- Restricted data may only be stored on appropriately protected systems.
- If you need to put a copy of restricted data on a properly-protected computer for analysis, store the minimum amount of restricted data necessary and securely delete it as soon as possible (see #3).
3. Securely delete or destroy restricted data in email, attachments or other electronic documents when there is no longer a business need to keep it. Also be sure to securely erase or destroy data on computing equipment before disposing of it.
4. Make sure your computer has all necessary Operating System (OS) and application security updates or “patches,” as well as up-to-date anti-virus and anti-spyware. Shut down or restart your computer at least weekly — and whenever your programs tell you to in order to install updates. Shutting down or restarting your computer regularly helps to make sure software and security updates are properly installed. Anti-virus information.
NOTE: InCHIP & University imaged machines will perform these tasks automatically.
5. Passwords and restricted data must be encrypted during transmission to reduce the risk of being intercepted and stolen.
- Web sites: Web pages that have https (not http) in the web address (URL) encrypt the information you enter. Many web browsers also have a little locked padlock that appears in the nav bar or a corner of the browser window to indicate that information is being encrypted. Check for these indicators before you enter sensitive or personal information, including your password, online. If they’re not there, don’t log in and don’t enter the information.
- Email Passwords: If you access your UConn email through a non-UConn Internet provider (AT&T, cable, Yahoo, Google, etc.), make sure your email client (Apple Mail, Thunderbird, Outlook, etc.) is configured for secure authentication (sign-in).
NOTE: This applies to people who are not using Exchange (UConn or InCHIP).
- Email and IM: Standard email and Instant Messaging (IM) are vulnerable to being intercepted by hackers. If you send or receive email, attachments, files, or IM containing restricted data, work with InCHIP IT to set up a way to do this more securely.
- Don’t use the same passwords for University systems as for non-University systems.
6. Make sure a complex password is required for access to your computer, and that you always shut down, lock, log off, or put your computer to sleep before leaving it unattended.
- See InCHIP IT’s Password Standards for information about creating complex passwords.
- Computers that access restricted and/or essential information are required to automatically lock or go to screensaver (or be turned off) when left unattended for an extended period of time (default is 20 minutes). Again, a password must be required to resume activity.
7. Turn on your computer’s firewall. A host-based firewall is required for all devices connecting to UConn networks or services. Note: InCHIP Imaged computers will have this controlled by Active Directory.
8. Physical Security: InCHIP IT policy requires that reasonable measures must be taken to ensure the physical security of University computing equipment. This also extends to non-University devices that store or access restricted data. Note: All workstations containing electronic protected health information (ePHI) must be physically secured. Also see #14, below.
9. Special information for people who work with credit card or health information:
- If you are connected to the Internet via wireless, you may not send/transmit credit card data unless your department has received formal approval from the Campus Controller, and you are using an approved, secure method of transmission.
- Do not store electronic protected health information (ePHI) on non-university equipment, even temporarily.
- Unencrypted ePHI may not be stored on portable electronic devices, including laptop computers and portable storage devices, even if they are University owned.
- You must have authorization from your supervisor to work remotely with ePHI, and all required protections, including encryption where required, must be in place before you do so.
10. Don’t download or install unknown or unsolicited programs or files, click on links in unsolicited email, or open unexpected email attachments. These can all infect your computer.
11. Be especially careful when using wireless. Information sent via standard wireless is especially easy to intercept.
- Don’t connect to unknown wireless hot spots/access points if you’re concerned about security, privacy or your passwords.
- Only use known, encrypted networks when working with sensitive information.
- UConn students, faculty, and staff are encouraged to use UCONN-SECURE instead of UCONN-GUEST when connecting to wireless from campus locations.
- When connecting to the Internet from off campus, use the InCHIP VPN or UConn Campus VPN (virtual private network) to encrypt your Internet traffic and provide a secure (encrypted) connection to the UConn network. The Campus VPN is available to all campus members with a NetID.
- Be aware that most coffee shop/hotel/airport-type wireless is not encrypted.
- If you’re not sure, assume it’s not encrypted.
- Check the wireless preferences/settings for your computer and portable devices to make sure they aren’t set up to auto-connect to any wireless network they detect. Auto-connecting to unknown networks could put your computer and data at risk.
12. Mobile Devices: Every day mobile devices are lost, stolen, and infected. Devices that store University information or are used to access University systems or email must be protected like any other computer. See Mobile Devices and Wireless for information about protecting mobile devices.
13. Special cautions when using a shared computer, including a shared home computer:
- Log out of all applications, clear web caches, cookies and history, and quit the browser and all programs when you are done. This will help clear what you were doing from the computer.
- Make sure that shared computers do not remember passwords that you have entered. Clear any stored passwords before you leave the computer. Most programs and web browsers have a preferences or settings option that lets you control this.
- Make sure sensitive files or applications are password protected so that others don’t have access.
- Create a separate user account for use when working on university business from a shared computer, and don’t share this account with anyone.
14. As mentioned above (#8), physical security is important in a remote work environment. Be especially careful with portable equipment, including laptop computers. These items are extra vulnerable to theft and loss.
- Don’t leave sensitive information lying around.
- Physically secure (lock down) workstations whenever possible.
- Keep laptop computers and other portable devices (data sticks/flash drives, CD/DVDs, PDAs, phones, etc.) secure at all times. Keep them with you or lock them up before you step away, even if for a very short time.
- Don’t leave laptops or other portable devices that contain restricted data in an unattended vehicle, even if the vehicle is locked. Not even in the trunk.
- Encryption is strongly recommended for restricted data on portable devices. Contact InCHIP IT for recommended tools and software.
- Be sure your workstation is set up so that passers-by, including family members, can’t see sensitive information on your monitor.
15. Make backup copies of files or data you are not willing to lose — and store the copies very securely.