These Information Security Telework Guidelines (“Guidelines”) are adopted by the Vice President of Information and Instructional Technology to provide guidance to employees who are approved by Anne Arundel Community College (“College”) to perform job duties and responsibilities at a location other than a traditional office setting or an Eligible Employee’s usual and customary worksite, including but not limited to the Eligible Employee’s home, satellite office, or telework center (“Telework”). These Guidelines provide information regarding expectations for communications, protection of College information and data that is confidential and sensitive, protection of the security of College information and information systems while Teleworking, and other expectations regarding Telework.
Whether an employee works from an assigned office at a location assigned by the College (“College Location”) and/or a Telework Location, the work environment must utilize appropriate privacy and security safeguards to effectively complete tasks associated with the employee’s job duties. Often, a task is not completed from just one location and must be actively worked on from multiple locations. Students, faculty, staff, and members of the public who communicate with an employee who has been approved to Telework (“Eligible Employee”) as part of the Eligible Employee’s job duties must be able to reach the Eligible Employee during scheduled work hours by one of the following methods: phone, email, and/or video conference. Eligible Employees must plan and prepare for working from each location by complying with the guidelines below:
Protection of College Data and Information
- An Eligible Employee must protect College information and data used or stored at the Telework Location from unauthorized disclosure, damage, or destruction in the same manner as the Eligible Employee is required at a College Location.
- All records, documents, and correspondence, whether in paper or electronic form, must be safeguarded.
- An Eligible Employee must obtain permission from the Supervisor to download and/or store confidential or sensitive information at the Telework Location.
- An Eligible Employee must update passwords when required by Information and Instructional Technology (“IIT”).
- An Eligible Employee must utilize multi-factor authentication and any other security protocol adopted by IIT.
- All remote access involving information and data stored on the College’s network should be encrypted.
- IIT will provide the encryption mechanism that is appropriate for the level of access and the data involved.
- Confidential or sensitive data should not be included in an email unless the Eligible Employee uses a form of encryption or secure file transfer system approved by IIT when sending the email.
- When use of the data, information, or document, whether in paper or electronic form, is no longer needed, the data, information, or document must be disposed of in a secure manner, with approval from the employee to whom the Eligible Employee reports (“Supervisor”). A Supervisor may require paper documents to be shredded at a College Location.
- An Eligible Employee must ensure that other people are not present when the Eligible Employee is discussing confidential or sensitive information at the Telework Location.
- Computer screens must not be left open for viewing by others while Teleworking.
- Employees must abide by all existing policies, standards, and guidelines.
Dedicated Work Space
- An Eligible Employee should have a designated work space at the Telework Location that allows the employee to concentrate and focus on the work being performed.
- Ideally, the work space should have a door set apart from other areas of the location, but at a minimum, should allow for privacy so that other members of the household cannot overhear confidential and sensitive work discussions.
- Computing devices can be stationed at the College Location and/or the Telework Location or transported between locations, such as by using a laptop and a docking station.
- The Eligible Employee should work with the Supervisor and IIT to determine the equipment needs for the Eligible Employee’s College Location and/or Telework Location.
- If computing devices and/or accessories will be transported between the College and Telework Locations, the Eligible Employee should use appropriate computer bags for computing devices and accessories to protect such equipment.
College-Owned Equipment and Supplies
- Requests for the College to provide equipment in order for the Eligible Employee to perform job duties from the Telework Location must be submitted to the Supervisor and IIT for approval at the time the Telework Agreement is requested but may be submitted after a Telework Agreement is approved if additional needs are identified. Such requests are approved on a case-by-case basis and subject to funding availability, based on the type of job duties performed by the Eligible Employee, and should be documented in the Telework Agreement.
- An Eligible Employee must protect College-owned equipment from theft, damage, and unauthorized use.
- Use of College-owned equipment is limited to authorized persons for business purposes only and must not be used by household members, guests, or visitors.
- The College will provide software updates for any College-owned computing devices provided to the Eligible Employee, including, but not limited to, providing updates to required anti-malware software.
- The Eligible Employee is required to keep all College-owned computing devices on and connected to the Internet at night when working from a Telework Location in order to ensure that required updates are received.
- The College may require employees to have adequate bandwidth and be responsible for data costs.
- The Eligible Employee is not permitted to take College-Owned Equipment outside of the United States and may not log into College systems from outside of the United States.
Accessing College Information and Data from the Telework Location
- College information and data is stored in various forms using various methods. An Eligible Employee may need access to College information and data to effectively perform their job duties from outside of a College Location. Accessing College information is generally done through electronic access to College network resources, paper documents, cloud-based applications, and cloud-based information storage. Employees should be aware of the file storage location that will need to be accessed from the Telework Location.
- It is preferred that files be accessed electronically through the College’s network, rather than through paper documents, CDs/DVDs, flash drives, thumb drives, external hard drives, or other removable media. By doing so, network files can be encrypted, backed up, and secured more readily.
- Access to College network resources is provided through an encrypted virtual private network (“VPN”) or other methodology authorized by IIT. Employees who access the College’s network resources from outside a College Location must log on to the VPN or other methodology authorized by IIT before accessing electronic files stored on network resources.
- Authorized employees who require access to their work computers or the College network while Teleworking will utilize IIT-approved networking communications protocols.
- IIT technicians may utilize various tools to diagnose and repair a user's system remotely and provide system maintenance.
- In order to maintain network security, employees wishing to connect to the College network remotely must first be approved by their Supervisor and IIT.
- IIT will work with the employee to install, prepare, train, and support the employee as needed.
- IIT staff can assist the employee at a College Location or via remote assistance.
- If requested by IIT staff, an employee may be required to bring devices to a College Location for any necessary troubleshooting, patching, or maintenance.
- An employee may use certain College-approved cloud-based applications, websites, and systems, such as Microsoft Teams (“Teams”), Outlook, OneDrive, Canvas, and certain training vendors, that allow access to information through Internet browsers, whether working at a College Location or a Telework Location.
Protection of Physical Documents
- If information is stored in paper format and must be transported between College Locations and the Telework Location, then the Eligible Employee must use an appropriately secure method to transport, store, and dispose of the document.
- Original documents should not be removed from a College Location under any circumstances.
- An Eligible Employee may not take copies of restricted access materials or confidential and sensitive information, electronic or otherwise, from a College Location or to a Telework Location without written approval from the Supervisor.
- An Eligible Employee should limit transporting copies of paper documents between Telework and College Locations to the extent possible and with approval from the Supervisor.
- An Eligible Employee is responsible for knowing which paper documents were taken to or printed at the Telework Location and for returning such documents to the College Location.
- Loose documents must be in a folder or closed container.
- If information on a document is confidential or sensitive, such as student education records, then the document must be marked or labeled as confidential or sensitive and enclosed with a cover that does not show confidential or sensitive information that is contained in the document.
- To the extent possible, an Eligible Employee should limit the amount of paper documents that are stored at the Telework Location.
- If the Eligible Employee prints, transports, or maintains confidential or sensitive documents at the Telework Location, the documents must be stored in the same manner as if the documents were at a College Location, including but not limited to, requiring storage in a locked file cabinet, storage container, or desk at the Telework Location.
Reporting Unauthorized Access or Data Breach
- If an Eligible Employee becomes aware of unauthorized access to, or a data breach of, College confidential or sensitive information while Teleworking, in any form, including but not limited to, on a screen, a paper copy, or a flash drive, the unauthorized access must be reported to the Technical Service Desk (“TSD”) at firstname.lastname@example.org or (410) 777-4357 and an investigation will be conducted. This includes instances such as a household member, visitor, or guest viewing confidential or sensitive information on a screen or paper document.
- If a College-owned computing device malfunctions, identifies an anomaly, or experiences an issue, such as when malware is detected, the computer is locked, or the computer cannot connect to the VPN or the College network resources, the Eligible Employee must contact the Technical Service Desk at email@example.com, (410) 777-4357, or the TSD Client Portal.
- The Technical Service Desk representative may request remote access to a College-owned computing device, and the Eligible Employee may permit such access by following the representative’s instructions.
- If the issue cannot be resolved through remote access or the computing device is damaged or otherwise needs to be repaired or replaced, the Eligible Employee must return the computing device to the TSD.
Disclosure of College Data and Information
- Work-related data, information, and documents produced at the Telework Location are official College records, subject to all College policies and procedures as well as laws governing the disclosure and maintenance of College records, such as the Family Educational Rights & Privacy Act (“FERPA”), the Maryland Public Information Act (“MPIA”), and other applicable laws regarding the protection of personally identifiable information.
- An Eligible Employee should not respond to requests for College data, information, or documents from third parties, such as a request under the MPIA, a subpoena, or request from law enforcement, and should refer such requests to the Chief Compliance and Fair Practices Officer at firstname.lastname@example.org for response.
- Requests for student education records should be referred to the Registrar’s Office at email@example.com.
- Records may only be released or destroyed in accordance with applicable laws and College policies and procedures and with the knowledge of the Supervisor.
- An Eligible Employee must abide by the terms of all software licenses for any College-owned equipment.
- An Eligible Employee may not duplicate any College-provided software without written permission from an authorized employee at the College.
- An Eligible Employee may not download or install any software on College-owned equipment without permission from IIT.
Prohibited Telecommunications and Video Surveillance Equipment or Services
- An Eligible Employee is prohibited from using certain telecommunications equipment or services covered by Section 889 of the National Defense Authorization Act in the performance of College business, including the following:
  - Telecommunication equipment produced by Huawei Technologies Company, ZTE Corporation, or any subsidiary or affiliate of these companies;
  - Video surveillance and telecommunication equipment and services produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company, or any subsidiaries or affiliates of these companies;
  - Telecommunications or video surveillance services provided by such entities or using such equipment; and
  - Video surveillance and telecommunication equipment and services produced by any companies added to this list by the Secretary of Defense.
- For questions about these Guidelines, contact the Director of Information Security.
Guideline Title: Information Security Telework Guidelines
Approver: Vice President of Information and Instructional Technology
Contact Information: Richard Kralevich; firstname.lastname@example.org; 410-777-2195
Approval Date: November 17, 2022
Effective Date: December 13, 2022
Applies to: All employees while Teleworking
Related Policies: N/A
Related Procedures: N/A
Relevant Laws: Md. Code, St. Pers. & Pens., § 2-308