Best Practices for Telecommuting Securely

Please note: personally-owned computers used by multiple people in the household are unlikely to meet the Campus Minimum Security for Networked Devices (MSSND) Standard. Risks to consider with home systems include:

  • Multiple users with administrator access allow for download and spread of malware

  • Insecure configurations leave the systems vulnerable to attacks

  • Installed home-use software that is not supported and may not be patched for vulnerabilities

  • Institutional information downloaded or cached to the machine may be exposed to other family members

Therefore, we highly recommend that remote workers use university-owned and managed equipment when working from home.

If you do not have a work computer to use at home and need to access highly sensitive (P4) data, or are a Systems Administrator for P4 data, please contact security@berkeley.edu.


Digital Security

1. Keep Work Data on Work Computers

Using a personally-owned device to do University business puts both you and the Campus at risk. If you do not have a work computer to use at home, you must follow these practices:

2. Update and Patch

Update everything on your devices, including operating systems, web browsers, and apps. Attackers can exploit vulnerabilities in old versions of software.

Enable automatic updates on Microsoft and macOS.

3. Use Anti-Malware Software and a Firewall

Install anti-malware software (anti-spyware, anti-virus) and enable a firewall on your device(s). Default firewall settings are acceptable for current Macs and PCs, but be sure to verify that they’re turned on. 

4. Avoid Public Wi-Fi and Use the Campus VPN

Do not use public Wi-Fi when logging into campus systems or doing non-public work. Use the Campus Virtual Private Network (VPN) or your phone as a personal hotspot instead.

The bSecure Remote Access VPN (Virtual Private Network) service allows CalNet ID–authenticated users to securely access the UC Berkeley network from outside of campus and encrypts the information sent through the network. VPNs can protect your traffic and allow you to access Campus services only available to people “on campus.”

NOTE FOR VPN USE: When accessing campus enterprise systems with moderate to high data classification (BFS, Blu, CalCentral, Library Services, etc.), connect to the Full Tunnel (listed as “Library Access and Full Tunnel”). This directs all traffic through the GlobalProtect client and VPN tunnel. However, limit non-essential web browsing and streaming to reduce the load on the system.

If you are only accessing email, Zoom, or campus websites, use the Split Tunnel.

5. Protect the Data on Your Device

UC Berkeley's Minimum Security Standards for Electronic Information states that sensitive/notice-triggering data must not be stored on a laptop (or any other portable device) unless absolutely necessary and, if so, must be strongly encrypted. The two most common methods to protect data on laptops are "whole disk encryption" and "file encryption".

Enable a lock screen on your phone and make sure the setting to erase/wipe the device is enabled in case it is stolen.

6. Frequently Save and Back Up Your Work

Frequently save your work to ensure you don't lose progress, especially when connected to remote systems. Backing up data is an important step in protecting it.

Approved backup locations will vary depending on the Protection Level Classification of your data. Certain data can be backed up using bConnected collaboration services.

If you choose to back up to an external hard drive or USB key, be sure to encrypt the media and unplug it after the backup to protect it from malware or ransomware.


Physical Security

1. Lock Your Doors and Never Leave Your Devices in the Car

Never leave your device unattended, always lock your doors, and never leave your device in a vehicle - not even in the trunk. Keep work laptops and devices secure at all times while working remotely.

2. Lock Up Your Laptop 

Lock up your laptop when you step away, even at home. Incidents happen, and it’s good practice to lock up your laptop when you are not using it. 

3. Password-Protect Your Devices

Create strong passwords by using a passphrase - a password made up of multiple words. Use a unique passphrase for every device or online account. That way if one passphrase is compromised, other accounts and devices are unaffected. 

Tip: use a password manager, which is a specialized program that securely stores your passphrases in an encrypted format. UC Berkeley offers free LastPass Premium to faculty, staff, and students.

Enable two-step verification whenever possible. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app that generates the code for you. Two-step verification is an easy step to protect online accounts.

4. Lock Your Screens

Configure your desktop to automatically lock after 15 minutes of inactivity and set your phone to lock the screen after no more than 15 minutes of inactivity. Shorter is even better. 

5. Use a USB Data Blocker when Charging Up at a Public Phone Charging Station

Charging a phone from an unknown USB port or with unknown cables is risky; protect it with a USB data blocker to prevent data exchange and guard against malware. This type of USB protection allows the device to connect to power without exposing the data pins inside.