Periodically, when working with a campus employee, they’ll mention that they always (or sometimes) work from their personally-owned machine. Here are four reasons why this puts the university and employees at risk
The first reason is access to departmental data. If a person uses their home computer, they may have institutional information and work products (images, documents, etc.) stored locally. Should this person go on vacation, medical leave, or otherwise be unavailable, the department can’t access their work. Additionally, if the work isn’t saved to a server or cloud service (such as Google Drive), it may not be backed up. Therefore, the data could be lost permanently if the computer is stolen or damaged.
The second reason is about security. Home computers may not be adequately protected and some may run outdated software, or even be shared with others in the household. Also, home machines may have extra “stuff” like games, apps, media players, etc. Each additional piece of software can be an opening through which the computer can be attacked.
The University of California has policies regarding using personally owned computers for university business:
-
The Electronic Information Security Policy (IS-3) outlines the requirements for protecting institutional information and IT resources, regardless of the device's ownership.
-
Our Minimum Security Standards for Networked Devices (MSSND) state that all devices, regardless of ownership, that are connected to a Berkeley network or used with institutional information must follow certain protocols, like being updated regularly, having anti-malware tools, and only running software necessary for normal campus operations.
-
Our Minimum Security Standards for Electronic Information (MSSEI) outline the basic protections needed for UC Berkeley's institutional information and IT resources and apply to all devices that handle that type of data. The requirements are relevant no matter who owns the device and apply in any location, including on-site, off-site, or cloud.
The third reason is financial. All security protections, maintenance, and repairs for your home computer are your responsibility -- including those required to meet campus security requirements. When the operating system is no longer supported (e.g., Win 10), you must replace it. Plus, IT Client Services provides limited support for personal devices, so troubleshooting any computer problems is your responsibility.
The fourth reason is privacy. The campus policy on Acceptable Use of Technology Resources outlines that “Individuals may have rights of access to information about themselves contained in computer files, as specified in international, federal, and state laws. Files may be subject to search under court order. In addition, system administrators may access user files as required to protect the integrity of computer systems.” This means your personal computer could be searched in response to a public records request, data breach, lawsuit, or other legal requests for university records.
