Coronavirus: Information for mobile working
This English translation is provided to you for informational purposes. It was largely produced using automatic translation software.
Increased working from home requires teachers, students and staff to show a high degree of personal responsibility, creativity and flexibility in reorganising their respective work processes.
Precisely because we currently cannot meet each other daily in the office, in a meeting, in the lecture hall or seminar room, new forms of working together and coordinating our work are required.
What can you, as a supervisor, employee, teacher or student, do now to maintain good communication with your colleagues and fellow students? What technical options can you use with your colleagues to maintain good communication and information exchange even at a distance?
Document: Use of videoconferencing in teaching and committee work (Einsatz von Videoconferencing in der Lehre und bei Gremien, PDF, 08.05.2020)
Use in teaching:
The recommended solution for videoconferencing in teaching is therefore BigBlueButton, which is operated locally by the GWDG. This makes it the preferable solution from a data protection perspective. Technically, this solution is suitable for up to about 25 people with simultaneous video or about 50 participants joining by audio.
By comparison, Zoom additionally allows events with video for larger groups of users. From a data protection perspective, using Zoom for teaching is acceptable in scenarios where BBB is not suitable, provided that the following conditions are met:
• Students are not forced to take part in the event.
• Participation in Zoom is anonymous and possible in the web browser without using the Zoom app.
• Students are not required to use their real names.
Use in committee work, e.g. appointment committees:
When data with special protection requirements is processed, the recommended solution for videoconferencing is BigBlueButton. Technically, this solution is suitable for up to about 25 people with simultaneous video or about 50 participants joining by audio. This should be sufficient for typical committees such as the Senate, faculty council, deans' council (Dekanekonzil), professorial assemblies (Professorien) and examination boards.
Document: Data protection and information security for mobile working
The handout on data protection and information security provides support for the currently required comprehensive use of digital technologies. The services technically available via the GWDG for videoconferencing, chat, storage, etc. have been identified with regard to their areas of application, especially with regard to sensitive data that must be protected, and are linked to recommendations or clear regulations. For sensitive data requiring special protection, especially personal data, compliance with data protection regulations must continue to be ensured. No compromises may be made in the area of information security.
We offer you this guide as a document (Information zu Datenschutz und Informationssicherheit beim mobilen Arbeiten: PDF, 29.03.2020) for downloading or as an accessible, readable version:
- 1 - Introduction
- 2 - Data storage
- 3 - Use of cloud solutions for communication
- 4 - Notes on the use of private hardware and software
- 5 - Processing of personal data
- 6 - Exploitation of the Coronavirus Crisis by Internet Crime and in Social Media
- 7 - Resources for Working from Home
1 - Introduction
This document sets out binding requirements and provides guidance for home office participants in the context of the Corona crisis. This document must be read and followed in full.
Effects of the Corona Crisis on Data Protection and Information Security
The spread of the novel coronavirus forces the University to look for new ways to maintain the University's ability to work as far as possible. As a result, for the duration of the crisis, the weighing of opportunities and risks in data protection and information security shifts the balance between the objectives of confidentiality, integrity and availability of information and information systems. Methods that would otherwise be unusual are used during the crisis.
In order to be able to maintain the ability to work at all in the short term, even if limited, a massive expansion of mobile working or working from home is taking place during the crisis. During the coronavirus crisis, working from home is implemented with less bureaucracy than would be expected in normal times.
From a technical point of view, too, paths are being taken that would otherwise not be chosen, or only after long consideration. For example, private computers are being used in the temporary home office because a sufficient number of business computers cannot be provided for this purpose at short notice. Likewise, external services in public clouds, which would otherwise be avoided, are being used because in-house services can no longer cope with the massive increase in use.
In the following, rules and guidelines are given about how the core requirements of data protection and information security can be fulfilled as well as made possible under these conditions. However, the information can also help in the future with decisions within the regular "specific information security concepts" according to the University's information security guidelines (Georg-August-Universität Göttingen, "Richtlinie zur Informationssicherheit der Georg-August-Universität Göttingen / Georg-August-Universität Göttingen Stiftung Öffentlichen Rechts," Amtliche Mitteilungen I der Georg-August-Universität Göttingen, pp. 46-89, 24 January 2020.)
Data protection and information security objectives, data categories
The aim of data protection is primarily the protection of personal rights when handling personal data. In addition to maintaining the confidentiality of such data, transparency for the data subject must also be implemented by providing information about the processing as well as rights of correction, blocking and deletion. Problems can arise when processing data on private computers or in the public cloud.
Information security aims to ensure confidentiality, integrity and availability of information (data) and information processing systems. Here, too, problems arise in ensuring that these goals are achieved as soon as information is processed on systems over which the University no longer has any influence.
In the following, reference is made to different types of data (or information). The terms used are explained below:
- Service data is any data that arises in the course of service transactions.
- According to Art. 4 No. 1 DSGVO, personal data is "any information relating to an identified or identifiable natural person ..." (e.g. student data, personal data, patient data).
- Protected data is defined as follows in the University's information security guidelines: personal data, company data (e.g. financial data, confidential internal information/protocols), patents and in individual cases, further data that has been classified by an IT user as data worthy of protection (e.g. research results)
The University provides information on its website which is constantly being updated on measures for protection against the coronavirus and on regulations and recommendations about the current situation.
The GWDG provides information on technical solutions and concrete IT systems on its Websites, especially as concerns mobile working.
2 - Data storage
In order to achieve the above-mentioned goals, service data should be stored on central storage systems of the University, if possible. Protected data must be specially secured and stored on central systems of the university.
Data can also be stored in the Home-Office in the University's SharePoint, in GWDG cloud share or the Academic Cloud operated by the GWDG without additional measures. Personal network drives and group drives (except for the central administration) are also available as on campus, if a secure connection via the GWDG VPN gateways has been established beforehand. Due to the additional effort of setting up a VPN connection and possible bottlenecks in VPN connections in the current situation, it should be checked whether storage in SharePoint or GWDG Cloud Share/Academic Cloud is preferable.
For non-personal, sensitive data, another way to avoid storing data on personal computers is to use remote desktop connections to University terminal servers (in the Central Administration Network for administrative staff or in the "Extended Administration Network" for other employees with access to administrative applications) or GWDG (general terminal server with access to network drives). As far as the required applications are provided on such servers, these services should be used preferentially, since here data is automatically stored on the storage systems of the university or GWDG.
The use of external cloud services for the storage of data that needs to be protected is generally not permitted and, especially for home offices, not necessary. This is also particularly important when using Office 365 from Microsoft (especially when Office 365 is activated for the use of the communication software Teams).
When using private computers, special attention must be paid to sensitive data that must be protected if cloud backups are used on the private computer to secure one's own data. In this case it must be ensured that sensitive data is not also included in the external cloud backup.
3 - Use of cloud solutions for communication
The coronavirus crisis is leading to the mass introduction of working from home. The services for telephone and video conferencing or online training, which are quantitatively designed for use in normal times, are partly overloaded due to the massive increase in usage. For this reason, additional services are currently being set up at short notice, but free and commercial external services are also being offered (see also the GWDG's instructions on mobile working).
Communication services also offer possibilities for data exchange in chats or via document storage, or for recording conferences. Chats, data storage and recordings at external service providers should be avoided because of data security risks. Those involved in communications must be informed and give their consent if data is recorded or stored.
The exchange of personal or other sensitive data or the recording of conferences on such content is in principle not permitted.
Software for video conferencing or remote support often also allows screen content to be released for presentation or even remote control. Allowing this release permanently is not permitted for workstation computers, even when working from home. Temporary approvals within the scope of video conferences are accepted as far as they are necessary for the fulfilment of tasks. Preferably, individual application windows should be released instead of the entire desktop.
4 - Notes on the use of private hardware and software
In Measure A.17, the University's Information Security Policy allows the use of private hardware and software only if the specific information security concepts for the data processed on the computer used and the used sub-areas of the infrastructure allow the use.
In the special situation caused by the coronavirus epidemic, permission to use private hardware was granted by order of the Presidential Board: Where possible and safe, the University management asks for the use of private hardware, since it is not possible to provide all persons with official equipment. For more information see this page.
The permission to use private hardware does not apply if official hardware is provided for home office activities, especially when processing sensitive data in the administration.
Even if the formal requirements for a "specific information security concept" are only fulfilled to a very limited extent with this instruction, this instruction must be accepted as a sufficient basis for the use of private computers in the special situation. The condition "Where this ... is safe" is made concrete in this chapter 4, "Notes on the use of private hardware and software".
Safe configuration and safe use
For the use of private computers in a business context, the following requirements, which are otherwise imposed on business computers, must also be met. These are very general security requirements that should also be implemented in the private environment in your own interest:
- Keep the operating system and application software up-to-date. Use the update procedures of the operating system (e.g. Windows update) and the application software (e.g. activate automatic updates in Firefox and other applications). If an application does not offer automatic updates, you should regularly check for new versions yourself. Fortunately, such software is rare today. Operating systems or applications may no longer be used if the manufacturer no longer provides updates for them, because security-relevant errors in the software will then no longer be fixed. This applies, for example, to Windows XP and Windows 7. These operating systems may not be used for home offices.
- Install virus protection programs and keep them up-to-date. For current Windows operating systems, the "Windows Defender" virus protection included in the operating system is sufficient. Alternatively, you can install Sophos anti-virus software licensed by the University. The licence agreements expressly permit the use on private computers of university staff, as long as these computers are not also used for commercial purposes (e.g. in secondary employment).
- Do not work with privileged accounts (admin accounts). Admin rights should only be used if you want to administer the computer, e.g. to install software. Use a simple user account for normal work. Unfortunately, the usual process for setting up a new Windows computer tempts you to create only one account, which must then naturally be an admin account (at least one is required). You therefore have to take action yourself and create a simple user account for daily work in addition to the admin account.
- Ensure data security when using mobile computers. Notebooks and tablets are designed to be used in different places and can be transported. This increases the risk that computers and the data stored on them will be damaged or lost. Protect the data on your computer against loss by backups. Also protect the data against access by third parties in the event of accidental loss or theft by encrypting the data on the computer. Windows versions for professional use (Windows Pro, Enterprise, Education) include BitLocker encryption software. Unfortunately this is missing in the home versions. Here free software such as VeraCrypt can be used. But be careful with any use of encryption methods. Save the recovery key! If a key is lost, the data remains encrypted. Without the key nobody can read the data - not even you!
- Follow security rules when surfing the net and using email and other communication services. Do not click on links with unclear destinations, especially links for downloading and installing software. You should only open attachments to emails or other communications services if you can assume that they are safe, e.g. due to their origin and context. If you do not really expect an attachment, you should rather ask the (apparent) sender and make sure that you are communicating with the actual person that they claim to be. When using private computers, it is to be expected that private email accounts are also used there. Malware received via private e-mail can also lead to problems with business data. You may also be less protected against malware when using a private email account than when using the business account. All the more reason to be particularly careful here.
- Disable the automatic execution of macros. Cyber criminals prefer to use macros in Office documents to place malware on computers. Make sure that the automatic execution of macros is deactivated.
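The requirements in this list can be spot-checked on a Windows computer. The following read-only PowerShell self-check is an added example, not part of the University's guide; the function name, the result labels, the 35-day and 3-day thresholds and the Office 16.0 registry path are assumptions of this example.

```powershell
# Added example: read-only self-check for the requirements listed above.
# Run as the account used for daily work, in a normal (non-elevated) session.
# Thresholds (35 days, 3 days) are assumptions of this example, not from the guide.
function Test-HomeOfficeBaseline {
    $r = [ordered]@{}

    # Supported operating system: Windows XP and Windows 7 report a major version below 10.
    $r['SupportedWindows'] = [Environment]::OSVersion.Version.Major -ge 10

    # Updates: date of the most recently installed Windows hotfix.
    $last = Get-HotFix | Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    $r['RecentUpdate'] = [bool]($last -and $last.InstalledOn -gt (Get-Date).AddDays(-35))

    # Virus protection: Windows Defender real-time protection and signature age.
    # If another product (e.g. Sophos) is installed, a False or 'unknown' here
    # means that product has to be checked by hand.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r['DefenderActive'] = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
    } catch { $r['DefenderActive'] = 'unknown' }

    # Daily account must not belong to the local Administrators group
    # (well-known SID S-1-5-32-544). whoami lists the group even when UAC
    # has marked it deny-only in a non-elevated session.
    $groups = whoami /groups /fo csv /nh
    $r['NonAdminAccount'] = -not ($groups -match '"S-1-5-32-544"')

    # Disk encryption of the system drive. Get-BitLockerVolume needs elevation
    # and is missing on Home editions; both cases are reported as 'unknown'.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r['BitLockerOn'] = "$($vol.ProtectionStatus)" -eq 'On'
    } catch { $r['BitLockerOn'] = 'unknown (check manually, e.g. VeraCrypt)' }

    # Macros: VBAWarnings = 1 means "enable all macros". A missing value is the
    # Office default (macros disabled with notification).
    # The 16.0 path assumes Office 2016 or later.
    $macroAll = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        foreach ($root in 'HKCU:\Software\Policies', 'HKCU:\Software') {
            $key = "$root\Microsoft\Office\16.0\$app\Security"
            $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            if ($v -eq 1) { "$app ($key)" }
        }
    }
    $r['MacrosNotAutoEnabled'] = -not $macroAll

    [pscustomobject]$r
}

Test-HomeOfficeBaseline | Format-List
```

Every entry that is not `True` points to the list item that needs attention; the script changes no settings.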
Storage and access
For regular teleworking, strict requirements apply to work rooms and work equipment. For the special situation of the temporary office at home in the context of fighting the coronavirus epidemic, these requirements cannot be implemented or demanded everywhere and/or not completely.
Nevertheless, private computers with data worthy of protection should be stored as securely as possible. Access to business data by persons who are strangers from the University's point of view should be prevented as far as possible. Strangers in this sense are also family members.
Ideally, the University member should only use the private computer themselves and not other family members. This will not always be possible. In such a case of multi-person use, the risk that access by family members could pose must be weighed up. If personal data are processed locally or if particularly confidential data are processed for other reasons, the private computer should not be used.
If it is decided that a private computer should be used although other family members also use it, a separate user account must be used, at least for work purposes. If sensitive data is stored on the computer at all, access rights to this data must be set in such a way that family members do not have access to it. Family members should also be instructed on how to use the computer safely, e.g. when surfing the Internet or using email and communication services.
5 - Processing of personal data
Unless individual institutions have issued special regulations (e.g. the human resources department), the following general rules apply.
Electronically stored data
Since the processing of personal data must be lawful and necessary, the rights of data subjects to transparency (information and disclosure), rectification, erasure, restriction of processing and opposition and withdrawal of consent remain applicable. The information obligations pursuant to Art. 13 and 14 DPA must continue to be complied with. Samples of these can be found on the homepage of the Data Protection Commissioner.
Information and deletion of personal data may only be provided from private computers via official channels (Data Protection Manager - Mr. Marcus Remmers, Head of IT -). The instruction of the data protection manager must be sought.
Paper files containing personal data should not be taken home, as they cannot be stored safely there. Their very appearance at home means that files could have become known to unauthorized persons!
If documents usually available in paper form are needed in the home office, processes are organized or should be organized to provide such documents in digital form. Scanning processes for digitalisation must take place on campus. The provision and storage takes place on data storage devices of the University.
6 - Exploitation of the Coronavirus Crisis by Internet Crime and in Social Media
Like all events that attract a lot of media attention, the coronavirus crisis is used by cybercriminals to entice you by email to download malicious software, to make payments at short notice, or simply to log on to a fake website where your password is captured. The unusual work situation during the crisis can make it easier for criminals to induce you to make a mistake. Be particularly vigilant, check the sender and context of emails particularly thoroughly and, in case of doubt, double-check (e.g. by telephoning back) whether the emails received really do come from the stated sender and whether all attachments and links are harmless.
7 - Resources for Working from Home
- GWDG - programmes and services for mobile working
- GWDG – video conferencing
- Digital Teaching and Learning Team
- Teaching and Learning in Higher Education
- Göttinger eResearch Alliance – Support for researchers with research data management and eResearch
- SUB - digital resources
- SUB - E-media