Be Secure

IT SECURITY GUIDANCE FOR REMOTE WORK

University employees have the ability, in many cases, to access the University’s information systems from computing devices and locations other than their regular workspace and outside of the University’s network.

Remote access puts systems at higher risk for attacks and unauthorized access because if the system is accessible to employees/faculty and students from outside of the University’s network, it is also accessible to hackers and criminals. This translates to an increased likelihood that University information could be impacted from a confidentiality, integrity, or availability perspective. Additional precautions should be taken by employees when working remotely.

Security Measures

If you access University information systems remotely from a non-CSUDH device, the Information Security Office encourages you to consider the following:

  • Use anti-virus/anti-malware software and configure it to automatically update.
  • Configure your operating system and applications to apply automatic updates (e.g., Microsoft updates or Mac updates).
  • Don’t use the “remember my password” feature when accessing University information on a shared device.
  • Download free antivirus below, or email ISO@csudh.edu to request campus enterprise antivirus (for Mac and Windows).

Windows 10: Malwarebytes

Mac OS: Bitdefender

Follow these security tips when using CSUDH devices:

  • Don’t share or re-use passwords used to access University information and systems.
  • Protect passwords used to access University information.
  • Consider using a password manager. 
  • Use encryption whenever possible when storing University information on portable devices.
  • Use anti-virus/anti-malware software to scan portable storage devices, e.g., USB drives or external hard drives when you first plug them in.
  • You should not consider your online activity to be private when using public Wi-Fi networks.
    • Use VPN software to protect your communications when you connect to public Wi-Fi networks.
  • Use eduroam to connect to Wi-Fi if visiting participating campuses and institutions worldwide. Connect using your CSUDH credentials.
  • If a device containing University information is lost, stolen, or compromised, report the incident to the appropriate delegated authority. Please send an email to ISO@csudh.edu.
  • Email Security – Do not send Level 1 information (confidential data) in an email message and be on alert for phishing scams. Report any suspicious emails to ISO@csudh.edu.

Securing Zoom Meetings

CSU message on appropriate practices to prevent Zoom-bombing

It is important to consider the security implications of the Zoom meetings that you set up. Participants may share sensitive data, and if you are recording the meetings, the data will be stored. Preventing uninvited guests from joining, and sharing the recording via Dropbox, will help keep your meeting secure.

FBI Warning of Virtual Hijackers

The FBI has issued a warning regarding cyber actors who "will exploit increased use of virtual environments". Beware of intruders who will hijack your Zoom meetings and disrupt "by inserting pornographic images, hate images, or threatening language."

IMPORTANT - Secure your Zoom meetings:

  1. Create a unique meeting ID. Do NOT host meetings using your Personal Meeting ID (PMI). Instead use Zoom random meeting IDs for meetings.
  2. Require a password to join your meeting.
  3. Use the Waiting Room feature to control who is admitted to your meetings.
  4. Manage participants in meetings by muting participants, putting participants on hold, and more.
  5. When using Zoom for classes (Faculty), share the session link only in Blackboard.
  6. Remove disruptive participants. On the Zoom control panel, click on “Participants”, then select “More”, and “Remove” the participant.
  7. Control screen sharing for participants. The Zoom default allows only the host to share screens. Please only share the screen you select and when needed.

Visit the IT Zoom Knowledge Base for more information on Zoom.

Participants

It is very important to make sure that we are properly accounting for the participants in our meeting. If, despite these precautions, someone shows up in your meeting that you don't know, you should take it seriously, because it's possible that these incidents may constitute a phishing attempt to obtain confidential information or access to CSUDH services. 

Recordings

If you set up a video meeting, it is important to secure the recording, especially if employee and/or student health data is involved or non-CSUDH participants are attending your meetings.

HOW TO SECURE YOUR MEETING PASSWORDS

We strongly recommend that you set a strong password for all meetings and webinars.

While scheduling a meeting, under Meeting Options, check Require Meeting Password, then specify a strong password.

Make your password at least eight characters long and use at least three of the following types of characters:

  1. lowercase letters
  2. uppercase letters
  3. numbers
  4. symbols

Before joining your meeting, participants will be asked to enter this password.

DISABLE "JOIN BEFORE HOST"

If you are scheduling a meeting where sensitive information will be discussed, we recommend leaving Enable join before host (found in the Meeting Options section while scheduling a meeting) turned OFF. See Zoom's Join Before Host help page for more information.

The join before host option can be convenient for allowing others to continue with a meeting if you are not available to start the meeting. However, if this option is enabled, the first person who joins the meeting will automatically be made the host and will have full control over the meeting.

As an alternative, we recommend assigning an Alternative Host prior to leaving the meeting.

  1. Click on Manage Participants in the meeting controls at the bottom of the Zoom window.
  2. Hover over the name of the participant who is going to be a co-host, and choose More.
  3. Click Make Co-Host.

It is still possible for a meeting to start without you (the host) even with Join Before Host disabled. If you have given someone Scheduling Privilege (which allows them to schedule meetings on your behalf), when that person joins a meeting before you, the meeting will start, and they will be made the host. This is typically not a problem, as our recommendation to disable Join Before Host is based on preventing unwanted/uninvited participants from hijacking a meeting. After you join, the role of Host can be reassigned to you.

SECURITY CONSIDERATIONS FOR SCHEDULING ZOOM MEETINGS WITH OUTLOOK

If you add a Zoom meeting to your calendar or create a Zoom meeting in your calendar using the Zoom Outlook Plug-in, note that the calendar entry may include the Zoom meeting password.

  • If you have set up your calendar so that it is open for colleagues to view the details of your meetings, this can expose the password to anyone who views your calendar.
    • We recommend making the calendar entry private or editing the entry to remove the Zoom meeting password.

REMOVE A PARTICIPANT FROM A ZOOM MEETING OR WEBINAR

If you have already begun a session and find an unwanted attendee has joined:

  1. If the Participants panel is not visible, select Manage Participants at the bottom of the Zoom window.
  2. Next to the person you want to remove, select More.
  3. From the list that appears, select Remove.

LOCK YOUR SESSION

The Zoom Host Controls allow the host or co-host to lock the meeting.

Once all your attendees have joined:

  1. If the Participants panel is not visible, select Manage Participants at the bottom of the Zoom window.
  2. At the bottom of the Participants panel, select More.
  3. From the list that appears, select Lock Meeting.
    1. Unlock the meeting following these same steps.

Important: When a meeting is locked, no one can join, and you (the host or co-host) will NOT be alerted if anyone tries to join, so it's best not to lock the meeting until everyone has joined.

POST MEETING SECURITY

If a meeting is recorded, the recording is located on the host’s local machine. Please be aware of the content and have all participants’ permissions in place before posting the meeting to a public site. We recommend securing and sharing the recording using Dropbox.

Dropbox

CSUDH Dropbox, also known as CSUDH Dropbox for Business accounts, is a cloud-based storage solution for students, faculty, and staff. Dropbox for Business offers unlimited storage and file-sharing capabilities for any size file, collaboration with team members, and the ability to showcase projects with partners and clients. Use your campus credentials to log in and access files anytime, anywhere, from any device; changes sync across devices.

Dropbox is the only university-approved cloud storage for storing Level 1 information as defined in the CSU Data Classification Standard. This information includes any information that is governed by federal, state or local law, or regulated by industry.

Dropbox is not approved for HIPAA data.

The responsibility for storing and maintaining documents and files resides with the person who stores the documents. Judgment is required about how and where campus information will be stored.

What is Level 1 Data:

  • Personally Identifiable Information (SSN, account numbers, birth dates, driver’s license numbers, etc.)
  • Payment Card Industry Information (credit card numbers, PINs, verification codes, etc.)
  • Export Laws: Data subject to United States export control or trade embargo regulations.
  • Campus Authentication Credentials: This would be the campus-issued account and password used to access your computer and email.
  • If you are unsure if you are handling legal or CSU protected data, please review the CSU Data Classification Standard and/or contact the campus Information Security Office.

Dropbox Integration with Microsoft

CSUDH Dropbox users are able to open Microsoft files using the Dropbox web interface.

https://www.youtube.com/watch?time_continue=2&v=vIiqbNVDr58&feature=emb_title

Dropbox Availability

Invitation sent to ALL Faculty and staff

Dropbox Active members: 912

Dropbox Invited members: 1855

Students can open an IT ticket on Service-Now and request a Dropbox account.

Get Help

In-Person

Library 1531

Monday - Friday
8 AM - 6 PM

Phone

(310) 243-2500

Monday - Friday
8 AM - 6 PM