Information security best practice for working from home

It’s important you are compliant with data protection laws (GDPR/DPA 2018) while working remotely. Please read the important security guidance about working from home and keeping safe online to prevent compromising the security of the University’s data.

Please always check with your local IT staff for their policies and procedures for working from home. This is general guidance only and not specific to your institution.

It is also subject to change as new systems and practices come online to help you work from home, so we recommend checking this page regularly.

Contents

  1. Thinking about the device you will use to work from home
  2. How to connect to your work
  3. Managing your emails securely
  4. Working with documents, spreadsheets and other files
  5. Staying safe online
  6. Housekeeping and end-of-day routine

Thinking about the device you will use to work from home

If you have a work laptop, then use this at all times and endeavour to make sure it is encrypted. Please read further information about encryption on our storing and sharing personal data page.

If you don't have a work laptop, then you might be able to use your own personal laptop, or desktop computer, by taking a few precautions with technical security measures (see below) and using a clear screen policy.

If the device is shared by others in your family, consider taking further precautions such as following the clear screen and clear session policies and setting up other user accounts.

Whether shared or not, we recommend that your device:

  • uses an operating system that is still supported by the software vendor and is set to update automatically (so that all applications are patched regularly)
  • has up-to-date malware protection running (see installing malware protection, which is available free of charge from the University)
  • is encrypted (see the third paragraph of storing and sharing personal data on encryption)
  • has the local firewall enabled.

Remember, this is general advice. Please take advice from your local IT staff for how best to set up your home device to suit you and the work you do for your institution.

How to connect to your work

If you require a VPN (virtual private network) connection to access your resources (for example, a network shared drive such as k:/ or r:/ drives), please read our page on remote access.

If you have access to the University's Office365 suite, you can connect via your crsid@cam.ac.uk and your Raven password. Do not save your password to the device (click ‘No, Never’ when prompted in the dialogue box). Raven keeps you authenticated for most of the day, so please remember to lock your screen (clear screen) when you are not at the device.

If you do not currently have access to the University's Office365 suite, you can download it onto your home device as well as your other devices (such as your own personal tablets and phones) so that they can all synchronise. To easily install Office 365 ProPlus on your personal devices, see here.

Separately, you can gain access to online cloud storage through OneDrive for Business (it has 5TB of storage space for each person). 

Take advice from your local IT staff for how best to connect from home.

Managing your emails securely

Something to consider when reading a document sent to you via email is that Outlook will store it in a temporary folder, where it will remain until you save the document or delete it from the folder (this happens at work too). This means that every document or file that you read, but don't save, could potentially be accessible by others in your household. Take particular care with reports from CHRIS, CHRIS62 forms, lists of student marks, staff appraisals and so on.

To avoid this, we recommend that you save the document immediately to a 'shared' drive (via VPN connection) or to a University OneDrive folder, or similar. See storing and sharing personal data for options.

If you cannot save it securely, ensure you have removed it as part of your logging out procedure (see the clear session policy).

We recommend you do not email lots of files home and back to work again. Rather than sending documents in an attachment via email, place the document in a shared folder on, for example, OneDrive and then send a link to the document to share it. This is also the recommended way to share all your documents and data at work – especially to larger groups. See working with documents, spreadsheets and other files.

Working with documents, spreadsheets and other files

USB drives or pen drives are not recommended to transfer data to and from work because they are easily dropped or lost and could cause compromise to the University. Think carefully before using these – including for creating backups.

The University has many document sharing platforms that are all GDPR-compliant, so we urge you to use them and not to use any of your own personal sharing platforms for University information. Please see storing and sharing personal data.

The advantage of using these platforms is that you can upload all your data from work into folders that you can access at home and share with your colleagues, without having to email files to yourself or download them onto a USB stick, both of which are cumbersome and less secure.

For further information on storing personal data, see storing and sharing personal data.

Remember, this is general advice. Please take advice from your local IT staff for how best to share data from home in your particular circumstances.

Staying safe online

We highly recommend that you do the online cyber security training, which explains how to spot fake Raven login pages, phishing emails and much more, in clear, non-technical terms. It mainly consists of 5 short videos, each just a few minutes long.

With the current flurry of Covid-19 scams, these two are highly pertinent just now: Phishing and Fake Websites. Each takes less than 4 minutes, and we would urge you to take the time to look through them. Now that we are working from home, please always use a different device to make contact about a compromised device or account, rather than using the one that is compromised.

In addition, you may find the Data Protection Training from the Information Compliance Office useful, along with their pages of data protection guidance.

More information on how to spot a suspect email and how to stay safe online is available in the NCSC guidance on dealing with a suspicious email and UK safe online guidance.

There is also guidance from Jisc on Coronavirus scams: how to spot them.

Housekeeping and end-of-day routine

Clear screen policy: every time you leave your desk, lock your computer.

Clear session policy: when you finish working for the day:

  1. clear all data from the download folder
  2. clear all data from your temporary folders in emails
  3. clear all data from areas you may have temporarily saved on your device 
  4. log out from all your sessions (e.g. VPN, email and Moodle)
  5. if there are any security patches waiting, apply them, update and shut down

In summary, remember to:

  • use University storage and collaboration tools to access, store and share data
  • save emailed documents safely, and don't send documents or files via email if you don't have to
  • use an operating system that is still supported by the software vendor and is updated regularly
  • install an up-to-date malware protection system and update it regularly
  • verify that the local firewall on your device is enabled
  • get your device encrypted, if not already
  • say ‘no’ when asked if you want to save your Raven password to your home device
  • use the clear screen and clear session policies and shut down each day
  • use unique passcodes, passphrases and passwords, that you do not share, to access resources
  • only download software from a reputable source
  • take advice from your local IT department.

For further advice and guidance on security, including incident reporting and data breach reporting, see the pages on information and cyber security.
