Overview
The University of Oregon recognizes its crucial role as steward of the information it collects while engaging in its academic and research activities, no matter where those activities are performed. Remote work is work performed outside of the campus workplace, at times on devices or networks not belonging to or secured by the university.
- Policies support the university's mission by establishing clear standards for individual conduct, supporting operational efficiency, promoting legal compliance, and mitigating risk. It’s important to remember that university policies apply even when working remotely.
- Policies and recommendations specific to computer security requirements are based upon the type (low-risk or green, moderate-risk or amber, and high-risk or red) of information being accessed or used.
- University data stored on a device that you are using remotely or otherwise is subject to the same policies as data located on campus. According to university policy, you are the data consumer and responsible for all UO data on the computer you use.
It is your responsibility to know what types of data are on your device and to protect that data accordingly.
Requirements
1. Use UO-owned, Enterprise Device Management (EDM)-managed equipment
People in Information Services (IS) performing remote work will use a university-owned, EDM-managed computer (laptop or workstation), as it will be running the latest endpoint security tools, be configured for best security, and be kept up-to-date and patched automatically by the university. This is especially important for those who work with sensitive and financial information. Using a managed device ensures that your device meets the minimum requirements outlined in the university’s Minimum Information Security Controls Standard.
- An EDM-managed computer that is used for remote work shall:
- Be protected by data at rest encryption (BitLocker or FileVault 2).
- Have current endpoint security tools installed and active.
If the computer you are using or wish to use is not compliant with the above, contact your IT support to have the issues remedied.
2. Use a virtual private network (VPN) to access campus
Connecting to the UO network remotely increases the risk of data exposure or password compromise because you have to use networks that are not controlled by the UO. To minimize these risks, you should use the campus VPN when working with the university’s data. This will ensure that everything you do is encrypted as it goes over the network. An encrypted VPN protects your data from electronic eavesdropping and may be required to connect to some department and central resources from off campus. To find out how to install and use, see Getting Stated with UO VPN.
Most people in Information Services will use the Administrator Access VPN (AdminVPN) for privileged access/functions. Connecting to the AdminVPN segments your traffic from the rest of campus network traffic and it ensures that DUO two-step login is used.
3. Use a separate administrative account for privileged functions
The account associated with a Duck ID is a user-level account with limited permissions, allowing the user to access only the resources and perform only the actions that are explicitly granted to that account and necessary to perform the job function they are assigned. It is used for everyday activities, such as logging into the system, checking email, browsing the Internet, or working on documents.
A separate, elevated account shall be issued to and used by any IT professional that requires elevated privileges. Generally, the naming convention for this account is named by prepending adm- to the user’s Duck ID. This account shall only be used when needed for a non-user level function, and where possible, shall not be used in same capacity as your standard Duck ID account.
4. Take security awareness training
The UO Cybersecurity Basics Training Overview is available in MyTrack and shall be taken annually. Each employee’s direct supervisor is responsible for ensuring training is taken annually.
5. Report incidents
Any security concerns, incidents, or phishing messages should be reported, even when working remotely.
Additional Resources