Risks of Using a Personal Computer for Work

From time to time, we hear that employees use their personal computers, sometimes or always, for university-related tasks. Here are four reasons why this practice can put both the university and its employees at risk.

1. Access to Departmental Data:

Using a personal computer may lead to institutional information and work products (such as images and documents) being stored locally. If the employee goes on vacation, takes medical leave, or becomes otherwise unavailable, the department might not have access to their work. Additionally, if these files are not saved to a server or a cloud service (like Google Drive), they may not be backed up. This means that the data could be lost permanently if the computer is stolen or damaged.

2. Security Concerns:

Home computers often lack adequate protection, may run outdated software, or may even be shared with other household members. Furthermore, personal machines may have various additional programs installed, such as games and media players. Each of these can create vulnerabilities that hackers could exploit.

The University of California has policies on the use of personally owned computers for university business:

  • The Electronic Information Security Policy (IS-3) outlines the requirements for protecting institutional information and IT resources, regardless of ownership of the device. 

  • Our Minimum Security Standards for Networked Devices (MSSND) state that all devices, regardless of ownership, connected to a Berkeley network or used with institutional information must follow certain protocols, such as being updated regularly, using anti-malware tools, and running only software necessary for normal campus operations.

  • Our Minimum Security Standards for Electronic Information (MSSEI) outline the basic protections required for UC Berkeley's institutional information and IT resources and apply to all devices that handle such data. The requirements are relevant regardless of who owns the device and apply in any location, including on-site, off-site, or in the cloud.

3. Financial Responsibility: 

Employees are responsible for all security, maintenance, and repairs related to their personal computers, including those necessary to meet campus security standards. When an operating system is no longer supported (e.g., Windows 10), the employee must replace it with a supported version. Additionally, IT Client Services offers limited support for personal devices, meaning that troubleshooting and resolving any computer-related issues fall on the employee.

4. Privacy Issues: 

The campus policy on the Acceptable Use of Technology Resources states that individuals may have the right to access their personal information contained in computer files, as specified by applicable laws. However, files can be subject to search under a court order. Moreover, system administrators may access user files when necessary to maintain the integrity of computer systems. This means that personal computers could be searched in response to public records requests, data breaches, lawsuits, or other legal inquiries involving university records.

By understanding these risks, employees can better protect themselves and the university.
