Information Security Statement on Web Conferencing Solutions

 

Table of Contents

 

The use of web conferencing technology is essential for all aspects of modern University life, particularly now with so many of our teaching, learning and work-related activities being hosted online. When reviewing technology solutions the Information Security team always takes a balanced approach which considers the needs of students, staff and faculty, while maintaining high security standards to ensure we are protecting our data and the reputation of the University.

 

Supported Web Conferencing Solutions

In order to offer choice and meet the varied needs of the campus community, there are three sanctioned platforms offered today:

Platform Information Security Approved Use Cases Support Information Licensing
Zoom
  • Academic instruction
  • Academic support purposes
  • Faculty/student engagement
  • Student clubs and associations
  • Conferences that do not involve sensitive or confidential data
  • Research that does not involve sensitive data (i.e., health information) and where the Research Ethics Board has classified the study as minimal risk 
Supported by Open Learning and Educational Support (courselink@uoguelph.ca)

Additional license required to host Zoom sessions. 

Zoom licenses should only be purchased through the University contract for additional security and cost savings.

Microsoft Teams
  • All of the above plus University administration
Supported by CCS (IThelp@uoguelph.ca) Available at no cost to the entire campus community.
Cisco Webex
  • All of the above plus University administration
Supported by CCS (IThelp@uoguelph.ca) Available at no cost to the entire campus community.

 

Attending Third-Party Zoom Calls

At this time, the Information Security team continues to advise against the use of Zoom for University business purposes. University staff and faculty may however attend Zoom calls setup by a third-party, such as a vendor, as long as the meeting content does not include the sharing of confidential or sensitive data.

 

Zoom Licensing

Zoom licenses to host web conferences must be purchased individually and should be purchased through the University contract supported by OpenEd, as opposed to purchasing Zoom licenses directly. If you are currently on a personal contract, this should be migrated at the next renewal. Utilizing the University contract will result in significant cost savings and additional security.

 

Zoom Security Concerns

Our primary concern with the use of Zoom is the confidentiality and sensitivity of the data shared via that platform. A number of security concerns remain with the Zoom platform around data collection and sharing practices, data privacy issues, encryption practices, insecure default user settings, and encryption key storage practices which can potentially make call information available on Zoom servers worldwide including high-risk countries. These concerns are also shared by other Canadian higher education institutions.

Given that the University offers other trusted solutions on campus that are available to all members of the campus community, we strongly advocate for the use of Microsoft Teams or Cisco Webex for University business, particularly in situations where sensitive, proprietary or confidential information will be shared.

OpenEd’s instance of Zoom addresses a significant number of these concerns due to the additional security controls afforded by its integration with CourseLink. However, those concerns remain for other Zoom users where these controls are not in place.

 

Web Conferencing Security Best Practices

  1. Zoom should never be used to share confidential or sensitive University information. This type of meeting must be conducted using Microsoft Teams or Cisco Webex following these security guidelines: uoguelphca.sharepoint.com/sites/ccs/SitePages/infosec/secureconferencing.aspx
  2. Zoom meetings should be configured to be as secure as possible. Specific configuration settings for creating secure meetings include:
    • Require a password for meetings.
    • Use the Waiting Room feature to manage attendees and prevent unwanted guests.
    • Disable the ability for participants to share content without first requesting permission.
    • Automatically mute participants and disable video upon entry.
    • Disable chat to prevent unwanted messages from being shared.
    • Disable file sharing to prevent malicious software distribution.
    • Immediately remove participants that become disruptive and disable “Allow Removed Participants to Rejoin” so that they cannot rejoin.
  3. When using Zoom, review and adhere to the OpenEd guidelines:

 

Exception Process for Zoom

The Office of the Chief Information Officer (CIO) will review exemption requests where the use of Zoom is warranted outside of the use-cases and guidance described above. 

The exception process is as follows:

  1. Exception requests are to be sent to the Information Security team for review (infosec@uoguelph.ca) and must identify requirements for Zoom, along with the functionality and features which are not offered in the other centrally-supported platforms.
  2. All requests will be reviewed by Information Security and the CIO. 
  3. If approved, the request will then be shared with OpenEd to assist with the purchase of Zoom licenses through OpenEd's existing contract, to take advantage of pricing discounts and better security and privacy through integration with CourseLink. OpenEd support can be contacted at courselink@uoguelph.ca.
  4. Any individual instances of Zoom are not sanctioned or supported as they may pose security and privacy risk to the University if not set up properly. If you feel the supported solutions and exception process will not meet your needs, please reach out to infosec@uoguelph.ca to discuss how we can find a solution.

All exceptions will be temporary and will be revisited by the CIO and Chief Information Security Officer at a later date and/or if there are new developments or technology changes that warrant a review.
 

 

 

CCS Information Security
Last Updated: June 14, 2021

© 2005 - 2024 ProProfs
-