UMBC Remote Work FAQ
What is UMBC’s policy regarding telework and remote Work?
Telework & Remote Work Policy and Agreements:
The UMBC Human Resources Department has established an agreement that all employees authorized for telework and remote work must sign.
What do I need to do to work remotely?
How To Work Remotely:
Review the UMBC TELEWORK & REMOTE WORK POLICY and AGREEMENT here.
Inform your supervisor that you want to work remotely.
Once a position has been identified as suitable for teleworking, the supervisor and employee shall review and sign the following documents linked at the end of the UMBC TELEWORK & REMOTE WORK POLICY and AGREEMENT:
UMBC Telework/Remote Work Agreement (which outlines terms and conditions between employee and supervisor for the duration of the telework/remote work project).
UMBC Telework or Remote Workplace Certification Checklist (which verifies that the worksite is suitable and functional for employee completion of assigned tasks).
UMBC Work Plan (which identifies the tasks to be completed off site).
Find out if your department is classified as a sensitive department. A rule of thumb is if you are working with confidential information such as SSNs or medical records, your department is considered sensitive. Ask your supervisor if you aren’t sure. This will identify whether you are required to use a UMBC owned device or not. More information on departmental sensitivity is found below.
Use the GlobalProtect VPN or the Virtual Desktop Environment when accessing your data, especially if you need to access sensitive data that can only be accessed from campus.
Only use UMBC approved technology services while working remotely.
Separate work and personal data. Always keep work-related information on work devices, and personal data on your personal devices. See the Personal Device Guidelines below.
Always make sure you are following good cyber practices, even from your own home. See the Cyber Safety section below for more information.
How do I safeguard UMBC’s information when working from home?
Cyber Safety From Your Own Home:
***Note that these guidelines apply to working from your own home. If possible, avoid using Wi-Fi services that are not under control (hotels, coffee shops, libraries, etc.)***
Secure Your Home Wi-Fi:
Ensure your home’s network is encrypted. A tutorial on how to encrypt your home network is below in the next section.
Make sure that only people you know and trust have access to your network.
Always make sure you set the default administrator password for your own router.
In order to remove any devices that have been previously connected to the network, change the Wi-Fi password and reconnect your personal devices.
Consider creating a secure Guest Network. This allows visitors to connect to the internet but keeps your main home network secure because they won’t be able to connect to any of the devices on your home network.
Use Unique Passwords:
Combine different letters, numbers, and special characters to create a password that will be difficult for others to guess but easy for you to remember.
Never share your passwords. Even with UMBC DoIT - we will never ask.
A good way to create a password is to make up a nonsensical or obscure sentence and use the first letter of each word as the characters of the password, then add punctuation marks, special characters, and numbers to the string of characters and change the capitalization of some of the letters.
Example: 0u@MDw1pw&w0m@q&cvofl
Key: Once upon a midnight dreary, while I pondered, weak and weary, over many a quaint and curious volume of forgotten lore
Secure Your Workplace:
Always make sure to lock your device whenever you get up to leave.
Keep monitors positioned so that only you can see the screen.
Never let friends or family use your UMBC device as they may infect the device or they may accidentally access, modify, or erase important files and information.
Never leave anything unattended in a public area, vehicle, shared living space, or visible for potential burglars.
Be Aware of Potential Scams and Phishing:
Forward all potential spam and phishing emails to Security@umbc.edu
Always be skeptical. If something sounds too good to be true, it probably is.
How Do I Encrypt My Home Network?
Note that these are general guidelines and that every router is a bit different.
Log in to your router's administrator console. This is done by accessing the router's IP address as a URL, such as http://192.168.1.1 or http://10.0.0.1. You will be prompted to enter the router's username and password.
Locate the wireless security settings. Your router might call this section Wireless Security, Wireless Network, or something similar.
Change the encryption option to WPA2-PSK or WPA3-SAE, if available. You might see an Enterprise setting. The enterprise version is intended for corporate environments and requires a complex setup process.
If WPA2 (or the newer WPA3 standard) isn't an option, you may have to upgrade the router's firmware or buy a new wireless router.
Make a strong password. This is what users enter when they need to get on your Wi-Fi network, so it should not be easy to guess or easy to remember.
A good way to create a password is to make up a nonsensical or obscure sentence and use the first letter of each word as the characters of the password, then add punctuation marks, special characters, and numbers to the string of characters and change the capitalization of some of the letters.
Example: 0u@MDw1pw&w0m@q&cvofl
Key: Once upon a midnight dreary, while I pondered, weak and weary, over many a quaint and curious volume of forgotten lore
Select Save or Apply to submit the changes. The router might have to reboot for the settings to take effect.
Reconnect your wireless devices by selecting the correct network name and entering the new password in each device's Wi-Fi settings page.
What do I need to do if my department is designated ‘Sensitive’?
Department Sensitivity and Remote Work Stations:
Within UMBC, departments are classified as “sensitive” if the business of that department requires the processing of confidential information (usually SSNs, but also personal finance, student academic, and health information, among other things.).
Sensitive Department Workstations:
Remote employees in sensitive departments pose additional risk to the institution.
We require that all remote workers in sensitive departments only use UMBC-owned and managed computing systems while working with confidential information remotely.
UMBC-owned and managed computing systems are classified as:
UMBC-owned physical laptop/desktop systems located off-premises
UMBC Virtual Desktop Systems that an employee uses from their personally owned physical device.
Non-Sensitive Department Workstations:
Workers in non-sensitive departments are not required to work solely through UMBC owned and managed devices, though this is always preferred.
Can I use my own personal devices for work?
Personal Device Guidelines:
For Sensitive Departments:
All staff, faculty, and UMBC community members working in sensitive departments are required to use a UMBC owned device that is configured by DoIT or Departmental IT staff, this will ensure compliance with all security requirements.
If you work in a sensitive department and it is not possible to use a UMBC owned computer to access confidential data, you must use the UMBC Virtual Desktop Environment (VDE) to ensure data security as a sandboxed location.
All Confidential information must be stored and managed in compliance with UMBC's Data Use Guidelines. You may not store any confidential data on a non-UMBC owned and managed device.
A personal device may only be used for simple tasks such as managing your calendar or checking your email.
For Non Sensitive Departments:
Non Sensitive departments are not required to use a UMBC owned device for remote work, however it is always preferred.
If you must use a personal machine, or you do not have access to a UMBC owned device, you must have the following protections in place:
Enable the machine’s host-based firewall
Run antivirus software
Configure automated patching
Limited and restricted use by other household members
Use the UMBC GlobalProtect VPN
Upon supervisor’s request or upon separation from the university, all institutional data must be returned to the university and then removed from the system.
What else should I know?
More Information on Remote Workstations:
The management of UMBC-owned remote workstations is the same as management of UMBC-owned workstations on-premises. We use the same tools and the same policies for UMBC-owned workstations regardless of the location.
In order to facilitate communication between remote workstations and our server environment, we set up an Active Directory domain controller that could be accessed from off-campus. This domain controller did not act as a file server or process any confidential information. It strictly provided licensing and policy information to workstations.
In order to protect this domain controller from attack, we established firewall rules that only allowed the remote IP addresses of UMBC community members to connect to it.
The Virtual Desktop provides the same level of security as a UMBC-owned physical device. It does not store UMBC data on the personal device. Unless being displayed or typed on the personal device, information remains in the UMBC systems.
It is not possible for most malware on a personal system to access the data on a Virtual Desktop system; however, users should still use caution if they believe their machine could have been compromised