Security Guidelines for Working Remotely

Quick Links

Securing your Office Workspace for Remote Work

  • Backup important files (physical or digital) and secure them properly
  • Lock up documents, flash drives, files, external hard drives, etc. that contain sensitive content
  • Turn off any devices that are not needed while you are out (desktop computer, printer, fax machines, copiers, etc.)
  • Setup primary/alternate/formal/informal communication methods with your staff/supervisor
  • Setup call forwarding and/or be familiar with retrieving voicemail messages
  • Ensure that you have the proper equipment to work remotely (Mouse/Keyboard, Camera, Microphone, etc.)
  • Check with your IT support staff for specifics in connecting to your campus and/or department resources (such as a file servers, shared drives, etc.).

Securing Your Remote Workspace

Dedicate a working area that is suitable for teleworking. The working area should be physically secured and not accessible to the public. Listed below are considerations for securing your physical working environment:

  • Your workspace should include locked doors/rooms and windows to prevent unauthorized access to devices. If a dedicated room is unavailable, devices should enable a screen lock and be stored in a secured location when not in use.
  • Do not leave devices unattended and place them in a secured location when not in use.
  • Do not let friends/family use work devices

Securing Your Remote Workspace Network

Your remote workspace network should utilize secure protocols and be configured to block public access to your network. Listed below are configurations to secure your network:

  • Set a strong password for your Wi-Fi network (SSID) and restrict access if possible. Some routers allow for the creation of guest networks for your personal devices, friends, and family.
  • Configure your Wi-Fi network to utilize WPA3 or WPA2 at a minimum
  • Change your remote workspace router’s default username and password.
  • Update your remote workspace router’s firmware and ensure it is kept up-to-date
  • Do not utilize any public or “free” networks

Securing Your Devices

Device Considerations

If possible, utilize a UH-owned device such as a UH provided laptop for remote work. If you are unable to utilize a UH-owned device, your device should be dedicated to work-related activities. All devices used for remote work must be running fully supported Operating Systems and be able to meet the UH Minimum Security Standards.


Listed below are specific configurations to secure your devices:

  • Ensure automatic updates are enabled on your device and confirm that your devices are running the latest Operating System (OS) version.
  • Uninstall software that are not required for work-related responsibilities. Ensure all authorized software are kept up-to-date.
  • Ensure that your device’s host-based firewall is enabled.
  • Ensure your device’s user account(s) are configured with strong and unique passwords (Minimum 12 characters long)
  • Enable screen locking/login protection; recommend 10 minutes or fewer
  • Enable Full-Disk Encryption on your device. For instructions on how to enable encryption, see https://www.hawaii.edu/infosec/resources-tips/encryption/
  • If you have media with Sensitive/Regulated data such as hard drives, utilize full-disk encryption to encrypt them.
  • Ensure your device’s built-in anti-malware capabilities are enabled (Defender for Windows and X-Protect on Mac). If your device is UH-owned, ensure that Sentinel One is installed.
  • Utilize the UH Minimum Security Standards Implementation Guides which contain practical instructions on configuring your device to meet the UH Minimum Security Standards

When Working Remotely

Listed below are procedures to follow when working remotely:

  • Separate personal and work Internet use (e.g. use two different devices)
  • Avoid downloading sensitive material onto home devices
  • If downloading sensitive material is necessary, use HTTPS and file encryption. Avoid printing sensitive material.
  • Do not print materials that contain Protected Data or bring such materials from your workplace to your remote work location, except on an as-needed basis subject to supervisor prior approval if applicable. Printed materials should be stored in a secured locked cabinet or room when not in use and documents must be shredded and destroyed promptly once they are no longer needed.
  • Never use email to send sensitive material, use UH FileDrop instead
  • For high risk transactions, verify email senders using alternate methods (e.g. phone call)
  • Watch out for phishing, malicious attachments, scams, etc.
  • Utilize headphones to protect the confidentiality of phone calls and video conferencing.
  • Do not plug in any personal or unauthorized external media devices such as USB drives, external hard drives, etc.
  • Disconnect authorized external devices such as external hard drives when not in use
  • Always disconnect shared drives on a department file server when done working
  • Disconnect from the UH VPN when you are done working

Protecting your Virtual Meetings

Utilize the ITS Recommended Zoom Settings [PDF] to ensure that you don’t have “uninvited” guests joining your Zoom sessions.

More Resources:

What is the UH VPN

VPN stands for “Virtual Private Network”. It enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. VPNs are generally used when a person wants to use a computer from a remote site (such as their home) to access “enterprise” (corporate) resources. The UH VPN allows you to become part of the UH network from anywhere.

Access to the UH VPN is only necessary if it is required by a specific institutional application. Most general applications (UH email, Lamaku, etc.) are accessible without having to use the UH VPN. Please verify with the application owner to see if VPN access is necessary. List of UH Services that require the UH VPN (Login Required)

Specific details on using the UH VPN can be found at: http://www.hawaii.edu/its/vpn/

When working remotely, what do you need to consider when it comes to your work data?

  1. Determine the level of sensitivity of the data you work with
    UH has four data classification categories: Public, Restricted, Sensitive, and Regulated. They are listed in order based on increasing levels of sensitivity and risk. The following table describes the four groups. Looking at the type of data you work with, identify the category with the highest level of sensitivity. That will determine the security guidelines you need to follow. For example, if you work with a mix of Public, Restricted, and Sensitive data, follow the security guidelines for Sensitive data.

    Review the table on the data governance site (login required): https://datagov.intranet.hawaii.edu/institutional-data-classification-levels/

    More information is available at EP 2.214, Institutional Data Classification Categories and Information Security Guidelines.

  2. Review data security guidelines
    The Security Guidelines for Working Remotely provides guidance on how to protect your work data in accordance with UH policies and the UH Telework Policy and Guidelines. The most common types of applications are listed in the table below. If an application is not listed or you need further clarification, contact the Information Security Team at infosec@hawaii.edu
Services
System Public/Restricted Data Sensitive/Regulated Data
Audio and video conferencing (Zoom, Google Hangouts Meet, WebEx, etc.)

To schedule recurring conferences and/or classes on Zoom: https://www.hawaii.edu/its/videoconferencing/desktop/

No restrictions Yes, issue passwords to participants to prevent unauthorized individuals from accessing the link or recording the session without permission or plan to secure the file (recording) properly.

If you are part of JABSOM and will be using Individually Identifiable Health Information (IIHI), please contact JABSOM IT

Online Document management (Google@UH: Docs, Sheets, Forms, etc.) No restrictions Google Drive, Docs, Sheets, Forms, etc. are not authorized for the storage of Sensitive/Regulated data. The UH Enterprise Dropbox should be used instead.
Document management (MS Office: Word, Excel, etc.) No restrictions Yes, at a minimum, password protect your file.
Email (Gmail, Outlook, Thunderbird, etc.) No restrictions Yes, do not send data/information via email.

The data needs to be encrypted when stored and when transmitted.

Use UH FileDrop to send sensitive/regulated documents
Storage (Downloading or saving work to your personal computer at home) No restrictions If necessary to save files to your local computer, it must be encrypted and deleted from your local computer when it’s no longer needed.

Learn more about encryption here: https://www.hawaii.edu/infosec/resources-tips/encryption/
File transmission (FileDrop)
https://www.hawaii.edu/filedrop/ 		Not required Yes, use to receive or transmit files. Files can be exchanged with non-UH parties as long as one party has a UH username.

References

Contact Information

ITS Help Desk

Phone: (808) 956-8883
Toll Free: (neighbor isles) (800) 558-2669
Fax: (808) 956-2108
Email: help@hawaii.edu
Phone and Email Support

24 hours a day, 7 days a week
Open during all Holidays