Information security best practice for working from home

It’s important you are compliant with data protection laws (GDPR/DPA 2018) while working remotely. Please read the important security guidance about working from home and keeping safe online to prevent compromising the security of the University’s data.

Please always check with your local IT staff for their policies and procedures for working from home. This is general guidance only and not specific to your institution.

It is also subject to change as new systems and practices come online to help you work from home, so we recommend checking this page regularly.

Contents

  1. Thinking about the device you will use to work from home
  2. How to connect to your work
  3. Managing your emails securely
  4. Working with documents, spreadsheets and other files
  5. Staying safe online
  6. Housekeeping and end-of-day routine

Thinking about the device you will use to work from home

If you have a work laptop, then use this at all times and endeavour to make sure it is encrypted. Further information about encryption is available on our storing and sharing personal data page.

UAS staff using managed desktops/laptops

If your work laptop isn't encrypted and you do not have the administrative rights to enable encryption yourself, please use the new Remote Access system for ACN users when working on sensitive data because this prevents data being downloaded to your local device.

IMPORTANT: When you have finished working it is important that you explicitly sign out of the Remote Access system and do not leave the session running on your machine.

Preventing automatic file syncing to your local drive

When you are not connected to the Remote Access system, many file storage services such as OneDrive, Google Drive and Dropbox give you the ability to sync or download files to your local hard drive. Think carefully about the security level of any files you choose to download. To prevent unnecessary data being downloaded automatically, you can disable file syncing as follows:

OneDrive | Google Drive | Dropbox

Using personal devices

If you don't have a work laptop, then you might be able to use your own personal laptop, or desktop computer, by taking a few precautions:

  • separate your work data from your home data by setting up another user account.
  • always use the clear screen policy
  • make sure your device uses an operating system that is still supported by the software vendor and is set to update automatically (so that all applications are patched regularly)
  • make sure your device has up-to-date malware protection running (see installing malware protection, which is available free of charge from the University)
  • encrypt your device (see the third paragraph of storing and sharing personal data on encryption)
  • make sure your device has the local firewall enabled
  • use unique pass-codes, passphrases and passwords, that you do not share, to access resources (Find out more about how you can choose a strong password and keep your password safe. You may also wish to consider using a password manager)
  • only download software from a reputable source

Remember, this is general advice. Please take advice from your local IT staff for how best to set up your home device to suit you and the work you do for your institution.

How to connect to your work

If you require a VPN (virtual private network) connection to access your resources (for example, a network shared drive such as k:/ or r:/ drives), please read our page on remote access.

If you have access to the University's Office365 suite, you can connect via your crsid@cam.ac.uk and your Raven password. Do not save your password to the device (click ‘No, Never’ when prompted in the dialogue box). Raven keeps you authenticated for most of the day, so please remember to lock your screen (clear screen) when you are not at the device.

If you do not currently have access to the University's Office365 suite, you can download it onto your home device as well as your other devices (such as your own personal tablets and phones) so that they can all synchronise.

Separately, you can gain access to online cloud storage through OneDrive for Business (it has 5TB of storage space for each person). 

Take advice from your local IT staff for how best to connect from home.

Managing your emails securely

Something to consider when reading a document sent to you via email is that Outlook will store it in a temporary folder, where it will remain until you save the document or delete it from the folder (this happens at work too). This means that every document or file that you read but don't save could potentially be accessible by others in your household. Take particular care with reports from CHRIS, CHRIS62 forms, lists of student marks, staff appraisals and so on.

To avoid this, we recommend that you save the document immediately to a 'shared' drive (via VPN connection) or to a University OneDrive folder, or similar. See storing and sharing personal data for options.

If you cannot save it securely, ensure you have removed it as part of your logging out procedure (see the clear session policy).

We recommend you do not email lots of files home and back to work again. Rather than sending documents in an attachment via email, place the document in a shared folder on, for example, OneDrive and then send a link to the document to share it. This is also the recommended way to share all your documents and data at work – especially to larger groups. See working with documents, spreadsheets and other files.

Working with documents, spreadsheets and other files

USB drives or pen drives are not recommended to transfer data to and from work because they are easily dropped or lost and could cause compromise to the University. Think carefully before using these – including for creating backups.

The University has many document sharing platforms that are all GDPR-compliant, so we urge you to use them and not to use any of your own personal sharing platforms for University information. Please see storing and sharing personal data.

The advantage of using these platforms is that you can upload all your data from work into folders that you can access at home and share with your colleagues, without having to send files to yourself via email or download them onto a USB stick, both of which are cumbersome and less secure.

For further information on storing personal data, see storing and sharing personal data.

Remember, this is general advice. Please take advice from your local IT staff for how best to share data from home in your particular circumstances.

Staying safe online

We highly recommend that you do the online cyber security training, which explains how to spot fake Raven login pages, phishing emails and much more, in clear, non-technical terms. It mainly consists of 5 short videos, each just a few minutes long.

With the current flurry of Covid-19 scams, these two are highly pertinent just now: Phishing and Fake Websites. Each takes less than 4 minutes, and we would urge you to take the time to look through them. Now that we are working from home, please always use a different device, rather than the compromised one, when making contact about a compromised device or account.

In addition, you may find the Data Protection Training from the Information Compliance Office useful, along with their pages of data protection guidance.

More information on how to spot a suspect email and how to stay safe online is available in the NCSC guidance on dealing with a suspicious email and UK safe online guidance.

There is also guidance from Jisc on Coronavirus scams: how to spot them.

Housekeeping and end-of-day routine

Clear screen policy: every time you leave your desk, lock your computer.

When you finish working for the day:

  1. log out from all your sessions (e.g. VPN, email and Moodle)
  2. if there are any security patches waiting, apply them, update and shut down

In summary, remember to:

  • use University storage and collaboration tools to access, store and share data
  • save emailed documents safely, and don't send documents or files via email if you don't have to
  • use an operating system that is still supported by the software vendor and is updated regularly
  • install an up-to-date malware protection system and update it regularly
  • verify that the local firewall on your device is enabled
  • get your device encrypted, if not already
  • say ‘no’ when asked if you want to save your Raven password to your home device
  • use the clear screen policy and shut down each day
  • use unique passcodes, passphrases and passwords, that you do not share, to access resources
  • only download software from a reputable source
  • take advice from your local IT department.

For further advice and guidance on security, including incident reporting and data breach reporting, see the pages on information and cyber security.
