Remote working can leave your business IT network, systems and devices vulnerable. The first step for managing security when working remotely is to understand where there are risks. You should understand how your actions may compromise security and what steps you must take to protect University networks and systems.
IT security policies do apply and are associated with remote working. Same actions need to take place if your remote work has been exposed the University to a cyber attack.
The following top recommendations provide an excellent starting point for all to protect University information and assets while working remotely:
- Use your University-provided laptop to work remotely and securely.
- Keep mobile devices and laptops safe
- If you do not have a University-provided laptop, remotely access your work desktop from a personal computer.
- If you must use a personal computer to remotely access your work desktop, ensure you follow the security guidelines below:
Due diligence is necessary to secure University data on your personal computer. When working remotely, all University information security policies and related schedules apply (Policy 116, Policy 117, and Policy 118).
- Your University password(s) must not be shared.
- Ensure anti-virus software is installed and up to date. Don’t have anti-virus software for your personal computer? We recommend Sophos.
- Secure your computer with the latest version and updates for Windows or Mac operating systems and applications.
- Do not leave your computer unattended. Lock your computer if you step away from it.
- Mac: simultaneously hold Control + Command + Q
- Windows: simultaneously hold Ctrl + Alt + delete
- If you are using VPN to access resources on the uOttawa network, ensure you disconnect from VPN and your shared drives when you are done working.
- Avoid storing University data on your home computer. If you must, dispose of all information securely (including from the Download folder of your browser and recycle bin) when you are done working.
- Refrain from storing University data on personal USB / flash drive devices.
- Avoid printing work-related documents at home. If you must print documents, destroy them immediately when they are no longer needed.
Management of confidential and personal information
These guidelines are intended to provide employees with good practices relating to the management of confidential and personal information, whether paper or electronic while working remotely.
The University is subject to the Freedom of Information and Protection of Privacy Act ("FIPPA") of Ontario. Consequently, all employees must comply with FIPPA whether working at university workplace or working remotely.
Information Management and Privacy Special Considerations
First consider whether it is a necessary part of your job that requires taking or accessing records containing personal information remotely. If you need to carry records with you when travelling or if you need to take them home or access them remotely to do work, you should speak to your immediate manager or supervisor in advance. The manager/supervisor should evaluate if the personal information is necessary to be removed from the office for the performance of the employee's duties and discuss with the employee the conditions under which these records will be removed or accessed remotely with a view to reducing risks of unauthorized access to the records. A “RECORD” means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise that can be recovered, reproduced and accessed.
The manager/supervisor should have a description of the records that the employee intends to take with him/her and if at all possible, the employee should avoid taking the original version of paper records.
Employees should be cautious when using cell phones and avoid discussing personal information as they can be easily overheard or intercepted by those around them.
Employees can use Liquidfiles, a secure online service that allows you to send large or confidential files to any email address quickly and securely.
Other considerations when working remotely:
- Employees must not leave their University-provided laptop or mobile device unattended.
- Employees must avoid storing University information on a personal computer. If employees are using their personal computer, they must save all information to a shared workspace (P:Drive or Docushare) or personal workspace (H:Drive or One Drive) and dispose of all electronic copies, securely, on their personal computer, when they are done working.
- Employees must refrain from storing University information on unencrypted personal USB / flash drive devices.
- Employees must avoid printing work-related documents to consult remotely. If they must, employees must ensure that they remain under their control and not left unattended. They must ensure that they are securely destroyed when no longer needed.
- Employees must not dispose of paper information of confidential nature or containing personal information in their recycle bin at home or in a public area.
- Employees must avoid opening or viewing information in a venue were the information or the display panel of their portable device may be seen by unauthorized individuals.
- Employees must check their “downloads” folder to ensure that information automatically saved there is deleted such as from web browser and from download folder on personal computer hard drive.
- Employees must empty their personal computer recycle bin.
The list above is not meant to be a complete list but is meant to establish basic measures that an employee must take to protect the records.
End of day check list when working from a personal computer or device
- Make sure info is properly saved on a shared workspace (P:drive) or on a personal workspace such as One Drive;
- Delete records from your download folder from your web browser and any other areas when information could have been saved;
- Empty your computer’s recycle bin; and
- Make sure you properly disconnect from the VPN when you are no more working on your computer.
Employees must report Privacy Breaches to their immediate manger/supervisor and the Access to Information and Privacy Office. See Procedure 20-8 – Privacy Breach Response Protocol for more information.
Access to Information and Privacy Office
550 Cumberland Street, Room M407
Ottawa, ON K1N 6N5
Tel.: 613-562-5800, extension 1851