Information Security Statement on Web Conferencing Solutions

The use of web conferencing technology is essential for all aspects of University life, particularly now with so many of our teaching, learning and work-related activities being moved online. When reviewing technology solutions the Information Security team always takes a balanced approach which considers the needs of students, staff and faculty, while maintaining high security standards to ensure we are protecting our data and the reputation of the University.

 

Supported Web Conferencing Solutions

In order to offer choice to the campus community and meet as many needs as possible, there are three sanctioned platforms offered today:

  1. Zoom for academic instructional use supported by OpenEd
  2. Cisco Webex for University business supported by CCS
  3. Microsoft Teams for University business supported by CCS.

CCS-supported solutions are provided at no cost to the entire campus community. Training and documentation is also available as needed.

At this time, the Information Security team strongly recommends against the use of Zoom for non-academic instructional purposes and with accounts outside of OpenEd's existing contract with Zoom. However, the Office of the Chief Information Officer (CIO) will review exemption requests where the use of Zoom in non-academic situations is required. To request an exception, see Exception Process for Zoom in Non-Academic Situations below.

 

Zoom Security Concerns

There have been a number of security concerns raised recently with the Zoom platform. These include concerns around data collection and sharing practices, data privacy issues, misleading and inadequate encryption practices, insecure default user settings, and encryption key storage practices which can potentially make call information available on Zoom servers worldwide including high-risk countries. These concerns are also shared by other Canadian higher education institutions and to that end there have been several conversations with our peers to better understand these concerns and the risks associated with them.

To their credit, Zoom’s parent company has largely acknowledged these issues and has stated they have instituted plans to address security going forward. However, given that we already offer other trusted solutions on campus that are available to all members of the campus community, we strongly advocate for the use of Cisco Webex or Microsoft Teams for University business, especially in situations where sensitive, proprietary or confidential information will be shared.

OpenEd’s instance of Zoom addresses a significant number of these concerns due to the additional security controls afforded by its integration with CourseLink and Single Sign-On. However, those concerns remain for other Zoom users where these controls are not in place.

 

Web Conferencing Security Best Practice Statements

  1. Zoom should never be used to share confidential or sensitive University information. This type of meeting must be conducted using Cisco Webex or Microsoft Teams following these security guideline: https://www.uoguelph.ca/ccs/infosec/secureconferencing
  2. Zoom meetings should be configured to be as secure as possible. Specific configuration settings for creating secure meetings include:
    • Require a password for meetings.
    • Use the Waiting Room feature to manage attendees and prevent unwanted guests.
    • Disable the ability for participants to share content without first requesting permission.
    • Automatically mute participants and disable video upon entry.
    • Disable chat to prevent unwanted messages from being shared.
    • Disable file sharing to prevent malicious software distribution.
    • Immediately remove participants that become disruptive and disable “Allow Removed Participants to Rejoin” so that they cannot rejoin.
  3. When using Zoom, review and adhere to the OpenEd guidelines:

 

Exception Process for Zoom in Non-Academic Situations

Given the extraordinary circumstances we are currently experiencing, the Office of the Chief Information Officer (CIO) will review exemption requests where the use of Zoom in non-academic situations is warranted. 

The exception process is as follows:

  1. Exception requests are to be sent to the Information Security team for review (infosec@uoguelph.ca) and must identify requirements for Zoom, along with the functionality and features which are not offered in the other centrally-supported platforms.
  2. All requests will be reviewed by Information Security and the CIO. 
  3. If approved, the request will then be shared with OpenEd to assist with the purchase of Zoom licenses through OpenEd's existing contract, to take advantage of pricing discounts and better security and privacy through integration with CourseLink and SSO. OpenEd support can be contacted at courselink@uoguelph.ca.
  4. Any individual instances of Zoom are not sanctioned or supported as they may pose security and privacy risk to the University if not set up properly. If you feel the supported solutions and exception process will not meet your needs, please reach out to infosec@uoguelph.ca to discuss how we can find a solution.

All exceptions will be temporary and will be revisited by the CIO and Chief Information Security Officer once we transition back to regular operations and/or if there are new developments or technology changes that warrant a review.
 

 

CCS Information Security
Last Updated: May 29, 2020