Technology Standards for Remote Computing and Telecommuting

Category: Information Technology

Responsible Office: VPCIO

Responsible Executive: J. Brice Bible

Date Established: September 10, 2021

Last Edited: November 9, 2021

Summary

The following standards support the university’s Data Risk Classification Policy and should be implemented on all technology being used to access and work with Category 1-Restricted and/or Category 2-Private university data from an off-campus location.

Standards Statement

Security of data and systems is paramount to the academic and research missions of the University at Buffalo (UB, university). It is vital that security best practices keep abreast of telecommuting, remote work and remote learning modalities.

All UB policies and standards regarding UB and UB data apply, regardless of work location. Members of the university who wish to access and work remotely with restricted or private data must adhere to the following standards to ensure the policies and responsibilities set forth in the Data Risk Classification Policy are being met.

General Information

  • The theft of university-owned equipment, or of personal equipment that was used to store or access university data, must be reported immediately to sec-office@buffalo.edu and appropriate law enforcement agencies.
  • Any device used to conduct university business may be subject to subpoenas or E-discovery.

General Requirements

  • Endpoints may not be left unattended or viewable by anyone not authorized to view sensitive information, whether at home or in a public setting.
  • Personally owned devices may not be used to store, render, or process Category-1 Restricted Data. Access to this high-risk data is only permitted through university issued and managed technology assets.
  • Category-1 Restricted Data cannot be processed or stored on any personal devices. Any exceptions must be reviewed and approved by the Information Security Officer.
  • Category-1 Restricted Data cannot be sent via email.
  • Category-2 Private Data may only be accessed and/or processed with a university-issued and managed technology asset or a personally owned computing endpoint that meets the University’s Minimum Security Standards.
  • Endpoints must be restricted to a single user who is authorized to access university data. This is particularly important in a remote work or telecommuting setting where multiple members of a residence may have physical access to a device or endpoint.

Use of Non-University Devices to Access University Category 2-Private Data

It is strongly recommended that a UB-owned and managed computing endpoint be used when accessing and working with Category 2 data types. This type of data is involved in most university business, research or academic administrative functions (remote learners typically do not fall into this category).

Personally-owned computing endpoints used to access and work with Category 2 data must follow the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices. Owners of personal devices are responsible for ensuring adequate and appropriate security configurations including the following:

  • Only use supported and current operating systems to conduct UB business.
  • Enable all automatic patching and updates, which can be accessed in the Control Panel on PCs or System Preferences on Macs, and ensure that the system contains up-to-date software. Be sure to update both your operating system and all applications.
  • Use an up-to-date antivirus and firewall client like Windows Defender, which is included with the Windows operating system, or, for Macs, AVG.
  • Ensure the computing endpoint is password-protected with a strong password required at start-up and login.
  • Enable the password-protected screen saver to ensure that your personal computer is password-protected when you’re not using it.
  • Work-related items should be saved to UBbox or MS OneDrive instead of to a personal machine or shared media.
  • Limit downloading of games or other non-essential apps, which are often a source of infection/compromise.
  • Be cognizant of surroundings and what university business or information may be picked up by a webcam or microphone.

Securing Your Home Network

  • Ensure all devices on your home network are patched.
  • Disable all internet sharing and IoT or smart-device controlling software when connected to UB.
  • Ensure routers have the most recent updates to address security issues.
  • Secure Wi-Fi
    • Secure your Wi-Fi connection at home. Public and/or unsecured networks may not be used.
      • The administrative password for the router must be secure, and may need to be changed.
      • A firewall must be enabled on your router.
      • WPA2 password-protected encryption must be used. Older networks encrypted with WEP encryption are not sufficiently secure to support university business with Category-2 information.
      • Additional suggestions for how to secure your home network can be found on How to Enhance Your Home Wireless Network Security: A step-by-step guide to secure your Wi-Fi Router and connected devices.

Phishing and Other Threats

  • Be vigilant. Attackers always take advantage of chaos to launch phishing and social engineering attacks. Be especially alert for phishing attacks masquerading as communications around COVID-19.
  • Expect phishing attempts where attackers try to masquerade as UB leaders.
  • Report phishing to abuse@buffalo.edu.

Contact Information

Office of the Vice President and Chief Information Officer
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979

Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Related Policies

Employees are responsible for knowing and meeting policy requirements, standards and guidelines regardless of work location.