Stay protected at home and in the office

Information security is a set of practices designed to keep personal and State data secure from unauthorized access, disclosures, or modifications during the storage or transmission of data, which can be in the form of electronic or print media. Sections 6 – 6.6 and 7.4 of SIMM 5360-A, Telework and Remote Access Security Standard provides more information on maintaining security of information assets used for Telework.

• Protect information assets (paper or electronic) from unauthorized access and use by others, including family members, friends and other visitors.
• Do not store State of California sensitive or confidential information on your personal computer.
• Do not use personal email for business use, and do not use state issued email for personal use.
• Assign a strong passcode to lock/unlock mobile devices.
• Always lock your mobile or computing device before leaving it unattended.
• Ensure websites are encrypted (look for “https” in your web browser address) when working with sensitive data.
• Become familiar with your department’s procedures for reporting a security incident of a lost or stolen mobile or computing device.
• Report security concerns or incidents to management immediately.
• Always comply with your organization’s policies and procedures to protect specific high-risk data elements regulated by HIPAA, IRS, PCI, etc.
• Do not disclose confidential or sensitive data to any unauthorized personnel including friends and family.
• Secure information assets (paper or electronic) by storing only in secured locations (e.g., locked cabinet or drawer, locked rooms in locked buildings), as applicable.
• Store any sensitive or confidential information on encrypted media provided by your agency or department.
• Never download or copy state data without your Supervisor’s authorization, and to an unencrypted portable media device.
• Ensure confidential paper documents are properly disposed of, i.e. shredding.

We suggest using a passphrase, or string of words, to increase the length of your password.  The best passphrases are easy for you to remember but, because of length, more difficult to crack.  We recommend the following when creating your passphrase:

• Make it easy to remember.
• Make it long enough to be hard to guess, minimum 15 characters.
• Make it hard to guess by intuition, even by someone who knows you well.
• Do not use famous quotations.
• Do not include personal information such as your name or pets’ names.
• Passwords should include at least one number. Passwords with more than one number must be non-repeating or non-consecutive (e.g. 555, 1234).
• Substitute letters with numbers and punctuation marks or symbols.
• Examples:
  • 1LikeChilid0gs89
  • Th3D0g1sSl33p1ngS0undly
  • D0n’tputh0tsauce1ncoff33!
  • FriendlyMeanderingPeanutSauce

Remember to use a unique password for each account. It is risky to use the same password for multiple accounts.

As a state government we collect and use in the course of our work an enormous amount of personal data from the people we serve. In many cases, they don’t have a choice to provide it to us or not. As such, we have an equally enormous responsibility for safeguarding confidential and personal data entrusted to our care.

• Only use personal information required to perform specific business function(s).
• Practice effective Information Handling Practices to help safeguard Personal Information.
• If personal information is shared, conduct due diligence and maintain oversight of partners and vendors.
• If someone provides services on your behalf, you are also responsible for how they collect and use your customers’ personal information.
• Know your department’s privacy and security policies to ensure your customer’s trust by doing what you say you will do. Be able to communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.

Stay informed and follow your organization’s information security policies and procedures for information pertaining to your business environment.

• Consider use of additional physical security controls, such as locking the telework device to a stationary object (e.g., desk or chair) with a computer cable lock, where appropriate.
• Ensure confidential paper documents are properly disposed of (i.e. shredding).
• Do not leave information assets unattended in vehicles or other locations where they may be easily stolen.
• Do not write down or share passwords with anyone.

• Turn off unnecessary services like Bluetooth, unused Wi-Fi, etc.
• Protect your home Wi-Fi with a password. Protect your device with password.
• Do not connect to public or untrusted/insecure Wi-Fi connections.

Ensure your own information assets are configured to limit network access, including:

• Make sure your firewall is turned on.
• Disable services and features that you are not using.
• Configure information assets so that they do not automatically attempt to join wireless networks they detect.

• Do not share or advertise your meeting link publicly.
• Set a strong password for all teleconference meetings hosted (e.g., $yBerT@k8s!1), and do not reuse passwords.
• Refrain from discussing sensitive topics or sharing documents with confidential and/or sensitive data.
• Lock the meeting once all attendees have joined and be sure to verify and remove any unknown participants who dialed in before you start the meeting.
• Do not use your personal, or other non-state teleconferencing accounts to host work-related meetings.
• Manage screen-sharing options by limiting this ability to only the host, and never allow others to take control of your screen/device.
• Be cautious of what is visible within the camera range and on screen.
• Take notice if a meeting you attend is being recorded and ensure verbal consent by all parties before recording a meeting.
• Refrain from downloading shared files and/or documents onto personal devices.
• Ensure that sensitive and legal communication is conducted through a FedRAMP-compliant teleconferencing tool.