Information Security Standard - Web Conferencing

Web Conferencing

Objective - Web conferencing tools have become a regular part of University business. This standard defines best practices for using web conferencing and virtual collaboration tools at TWU. 

Primary Audience - TWU Faculty and Staff

Related TWU Policies or Regulatory Requirements

Non-compliance - Failure to follow these standards and best practices may result in a breach of confidentiality and privacy of meeting participants and/or potential data exposure or loss.

Owner (Status) - TWU Information Security (Revised - 07/2022)

 

Standard Definition

Many TWU faculty and staff utilize web conferencing solutions for department meetings, courses, research, and general collaboration. The following standard details the tools and best practices recommended by IT Solutions so that staff and faculty can conduct University business with secure and convenient access to web conferencing tools.

 

IT Solutions Recommended Web Conferencing Platforms

Zoom

Zoom is a solution for video conferencing, online meetings, screen share, and chat. TWU currently offers Zoom for Education licenses to faculty and staff. To get started with Zoom, see TWU’s Zoom support collection or contact the TWU Service Desk.

  • Zoom is FERPA compliant. See Zoom’s FERPA statement here: https://zoom.us/docs/doc/FERPA%20Guide.pdf
  • The University’s current Zoom for Education licenses are not HIPAA compliant. Faculty and staff may procure their own HIPAA-compliant licenses via Zoom, or departments may choose to use Google Meet via TWU. Please see the Google Meet section below for more information.
Google Meet

Formerly known as Google Hangouts, Google Meet is a web conferencing solution supported by TWU IT Solutions. To get started with Google Meet, see the Google Meet - Get Started support guide or contact the TWU Service Desk.

  • When possible, require attendees to authenticate for access and have settings that allow hosts to manage internal and external participants.
  • TWU utilizes G Suite for Education which supports FERPA compliance. See Google’s FERPA statement here: https://cloud.google.com/security/compliance/ferpa.
  • To ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), TWU has entered into a Business Associate Agreement (BAA) with Google, which covers Google Meet (see Google’s HIPAA statement). It is recommended that meetings that may contain or transmit Protected Health Information (PHI) be hosted via Google Meet. Users that need to communicate or share PHI or identifiable health-related data may be subject to HIPAA and should follow HIPAA and TWU policies accordingly. 
  • Please note the recording via Google Meet is no longer available due to licensing changes.

RingCentral Video

RingCentral Video is RingCentral's video conferencing solution. It is a standard feature of TWU's RingCentral platform and is currently available in the RingCentral App to Denton, Dallas and Houston faculty and staff. For more information on RingCentral, see TWU's RingCentral website or contact the TWU Service Desk.

  • TWU employees may collaborate and invite external participants to RingCentral Video calls.
  • RingCentral Video is FERPA compliant. 
  • TWU's RingCentral platform is HIPAA compliant. TWU has a Business Associate Agreement (BAA) with RingCentral, which covers the use of RingCentral Video (see RingCentral's HIPAA statement here: https://support.ringcentral.com/article/RingCentral-HIPAA-Compliance.html).

 

In general, for all Web Conferencing platforms

Protect Meetings

Virtual collaboration tools offer many features which can support open collaboration or narrow communication based on how the tool is configured. Below are general configuration recommendations to support security and reduce the chance of meeting disruption (i.e. “Zoom bombing”).

  • Schedule meetings that require a password to join. Distribute passwords separately via email to attendees.
  • Lock meetings once all participants have joined. This will prevent unauthorized users from gaining entry while the meeting is in session.
  • After locking the meeting, review the list of participants and expel any unknown participants before sharing content.
  • Expel disruptive individuals from meetings.
  • Disable the “allow removed participants to rejoin” feature (if supported by your system) so expelled attendees cannot reenter the meeting.
  • Disable participants’ ability to record the meeting.
  • Disable participant screen or file sharing. This will prevent your meeting from being disrupted by others and allowing the sharing of inappropriate or potentially malicious content.
  • Disable the chat feature prior to the start of the meeting.
  • Put all attendees in mute mode and suspend privileges for participants to unmute themselves until needed.
  • Consider not publishing the link on public websites, calendars or social media; rather, email the link to the desired attendees.
  • For public and other open meetings, such as board meetings, consider scheduling a webinar and requiring attendee registration.
  • Avoid posting photos or screenshots of your meetings. This could provide threat actors with the associated meeting ID and information on who is attending your meetings.

Protect Your Own and Other Individuals’ Privacy
If you are in an online conferencing session with real-time audio, real-time video and/or recording, consider the best practices below for protecting your own privacy and the privacy of those around you.
  • Remote activation of user cameras and/or microphones is prohibited unless there is explicit indication of use, such as signals to local users when cameras and/or microphones are activated.
  • Find a private space with a neutral background that does not include any identifying or sensitive information about yourself or other individuals.
  • Utilize any features offered by a recording or online conferencing solution to blur your background or replace your actual background with a static image.
  • Mute your device and/or switch off your camera if there is no added value or expectation from your organizer or other invitees to appear on-screen or be heard.
  • Make sure others in your surroundings do not appear on-screen and cannot be heard.
  • Follow the guidance that appears below for the appropriate use of recording features.
Recording Virtual Meetings
  • Web conferencing solutions can record both audio and video. It is best practice to inform meeting participants that they are being recorded prior to recording a meeting.
  • Recordings should be protected and transmitted over a secure, encrypted connection (like HTTPS) and stored in a secure location.
  • Prior to recording a session, consider the following:
    • How is the data stored and protected? Are recordings saved to the application’s cloud or onto local storage, such as your computer?
      • If you choose to utilize cloud storage from the web conferencing solution, ensure that storage is secure and password protected. 
      • Local storage should be limited to approved TWU assets only. University data created and/or stored on personal computers, other devices and/or non-University databases should be transferred to University information resources as soon as feasible. In the event that personal devices are used, the device(s) should be encrypted and maintain the same patch/configuration standards as TWU assets.
      • All electronic devices including personal computers, smart phones or other devices used to access, create or store University information resources, including email, must be password protected in accordance with University requirements, and passwords must be changed whenever there is suspicion that the password has been compromised.
      • University data created or stored on users’ personal computers, smart phones or other devices, or in databases that are not part of University’s information resources, are subject to public information requests, subpoenas, court orders, litigation holds, discovery requests and other requirements applicable to the University.
      • Any personally owned computing devices on which confidential University data is stored or created must be encrypted.
    • Should the meeting be recorded?
      • It is recommended to maintain consistent in-person and remote practices. When engaging in remote learning or business activities, ensure that in-person and remote practices are consistent. Specifically, individuals and departments/units should not record any activities while remote if those same activities would not be recorded while in-person.
    • Is the participant aware of the recording?
      • Before a recording or online conferencing session begins, organizers should inform anyone who will appear on-screen and/or be heard of:
        • The intended subject matter including any sensitive discussion topics;
        • The anticipated audience (ex. staff in a TWU department, classmates in a lecture, etc.);
        • The types of anticipated interactions (ex. classroom discussions involving students, etc.), if any;
        • Whether the organizer will record individuals who appear on-screen and/or are audible;
        • Whether the invitees are permitted to record the session and/or individuals who appear on-screen and/or are audible;
        • How recordings will be used (ex. on-demand videos of an instructor’s past lectures, research data, etc.), where the recording will be available (ex. only through Canvas in connection with a specific course), and the duration it will be available for viewing (ex. until the end of the course term);
        • Whether any third-parties beyond the anticipated audience (ex. the recording or online conferencing provider, etc.) will have access to, record, or otherwise retain any content; and
        • Other relevant details that could influence an individual’s decision to appear on-screen and/or be heard.
    • Does the recording contain Personal Identifiable Information (PII)?
      • Recordings that are personally identifiable to students (e.g., have a student’s image or audio question) are educational records and subject to FERPA protections. Access to such recordings may need to be limited to the instructor and students who are enrolled in the specific class. For more information, see the FERPA’s FAQs on Photos and Videos under FERPA guide.
      • For research purposes, it is recommended that the audio or video recording be de-identified prior to electronic transmission and storage. It is more secure to transmit de-identified data.
    • Does the recording contain Protected Health Information (PHI)? 
      • Recordings containing PHI may be subject to HIPAA and should follow HIPAA and TWU policies accordingly.
      • For research purposes, it is recommended that the audio or video recording be de-identified prior to electronic transmission and storage. It is more secure to transmit de-identified data.

 

Sharing and Distributing Recorded Meetings

Recordings saved to the Zoom, Google or RingCentral clouds may be shared via the web conferencing tools’ default sharing tools. Permissions may be granted in both solutions, and sharing should be limited to only those that need the data.

Locally saved recordings may be uploaded to approved TWU storage (such as Google Drive) and shared. For research purposes, it is recommended that audio or video recordings be de-identified prior to electronic transmission and storage. It is more secure to transmit and store de-identified data.

In all cases, recordings should be protected and transmitted over a secure, encrypted connection (like HTTPS). Users should not share passwords or similar information to web conferencing platforms, or any other system or service.

Details

Article ID: 122858
Created
Thu 12/17/20 8:34 AM
Modified
Mon 7/11/22 11:36 AM

Related Articles (3)

TWU offers many options for collaborating with colleagues.  To ensure a successful meeting / class session, consider these best practices before, during, and after the meeting.
TWU offers many options to collaborate within and outside the campus community. Each tool offers different options.
Hacking efforts around videoconferencing services have grown as a direct result of the growth of work-at-home and school-at-home policies in the wake of the Covid-19 pandemic.