Stay protected at home and in the office
Get the information you need to secure your network and your personal or state-issued computing devices, and protect your department’s information assets.
Stay informed and follow your organization’s information security policies and procedures for information pertaining to your business environment.
Information is an asset and, like other business assets, is essential to your agency. Information can exist in many forms. It can be printed or written on paper, stored electronically, sent by post or transmitted using electronic means, shown on monitors, or spoken in conversation. Whatever form the information takes, and whatever the means by which it is shared or stored, it should always be appropriately secured. Collecting and maintaining personal information presents increased risk and therefore increased responsibility. Use the information on this page to ensure you are conducting business securely from home or the office.
Information security is a set of practices designed to keep personal and State data secure from unauthorized access, disclosure, or modification during the storage or transmission of data, which can be in the form of electronic or print media. Sections 6 – 6.6 and 7.4 of SIMM 5360-A, Telework and Remote Access Security Standard, provide more information on maintaining the security of information assets used for telework.
- Protect information assets (paper or electronic) from unauthorized access and use by others, including family members, friends and other visitors.
- Do not store State of California sensitive or confidential information on your personal computer.
- Do not use personal email for business use, and do not use state-issued email for personal use.
- Assign a strong passcode to lock/unlock mobile devices.
- Always lock your mobile or computing device before leaving it unattended.
- Ensure websites are encrypted (look for “https” in your web browser address) when working with sensitive data.
- Become familiar with your department’s procedures for reporting a security incident of a lost or stolen mobile or computing device.
- Report security concerns or incidents to management immediately.
- Always comply with your organization’s policies and procedures to protect specific high-risk data elements regulated by HIPAA, IRS, PCI, etc.
- Do not disclose confidential or sensitive data to any unauthorized personnel including friends and family.
- Secure information assets (paper or electronic) by storing only in secured locations (e.g., locked cabinet or drawer, locked rooms in locked buildings), as applicable.
- Store any sensitive or confidential information on encrypted media provided by your agency or department.
- Never download or copy state data without your Supervisor’s authorization, and never copy it to an unencrypted portable media device.
- Ensure confidential paper documents are properly disposed of (i.e., shredding).
We suggest using a passphrase, or string of words, to increase the length of your password. The best passphrases are easy for you to remember but, because of length, more difficult to crack. We recommend the following when creating your passphrase:
- Make it easy to remember.
- Make it long enough to be hard to guess, minimum 15 characters.
- Make it hard to guess by intuition, even by someone who knows you well.
- Do not use famous quotations.
- Do not include personal information such as your name or pets’ names.
- Passwords should include at least one number. Passwords with more than one number must not use repeating or consecutive digits (e.g., 555, 1234).
- Substitute letters with numbers and punctuation marks or symbols.
Remember to use a unique password for each account. It is risky to use the same password for multiple accounts.
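The passphrase rules above, expressed as a checker (an added example, not part of the original page). The three-digit threshold for repeating or consecutive runs and the caller-supplied `personal_terms` list are assumptions; the page gives only 555 and 1234 as examples, and the "famous quotations" rule is not something this code can test.

```python
import re

MIN_LENGTH = 15  # page: "minimum 15 characters"
RUN_LENGTH = 3   # assumption: 3+ repeating/consecutive digits (555, 1234) are flagged


def weak_digit_runs(candidate, run=RUN_LENGTH):
    """Return digit runs that repeat (555) or count up/down by one (1234, 4321)."""
    found = []
    for block in re.findall(r"\d+", candidate):
        digits = [int(c) for c in block]
        i = 0
        while i < len(digits) - 1:
            step = digits[i + 1] - digits[i]
            j = i + 1
            # Extend the run while the difference between neighbours stays the same.
            while j + 1 < len(digits) and digits[j + 1] - digits[j] == step:
                j += 1
            if step in (-1, 0, 1) and j - i + 1 >= run:
                found.append(block[i:j + 1])
            i = j
    return found


def check_passphrase(candidate, personal_terms=()):
    """Return a list of rule violations; an empty list means every check passed."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):
        findings.append("no number")
    for digits in weak_digit_runs(candidate):
        findings.append(f"repeating or consecutive digits: {digits}")
    lowered = candidate.lower()
    for term in personal_terms:  # e.g. your name or pets' names, supplied by the caller
        if term and term.lower() in lowered:
            findings.append(f"contains personal information: {term}")
    return findings


if __name__ == "__main__":
    # Constructed sample passphrases, for illustration only; do not reuse them.
    samples = [("Fluffy1234", ["Fluffy"]),
               ("quiet lanterns over marsh", []),
               ("purple-Kettle7-orbit!", [])]
    for phrase, terms in samples:
        print(repr(phrase), "->", check_passphrase(phrase, terms) or "passes")
```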
As a state government, we collect and use an enormous amount of personal data from the people we serve in the course of our work. In many cases, they don’t have a choice about whether to provide it to us. As such, we have an equally enormous responsibility for safeguarding confidential and personal data entrusted to our care.
- Only use personal information required to perform specific business function(s).
- Practice effective Information Handling Practices to help safeguard Personal Information.
- If personal information is shared, conduct due diligence and maintain oversight of partners and vendors.
- If someone provides services on your behalf, you are also responsible for how they collect and use your customers’ personal information.
- Know your department’s privacy and security policies to ensure your customer’s trust by doing what you say you will do. Be able to communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.
Stay informed and follow your organization’s information security policies and procedures for information pertaining to your business environment.
- Consider use of additional physical security controls, such as locking the telework device to a stationary object (e.g., desk or chair) with a computer cable lock, where appropriate.
- Ensure confidential paper documents are properly disposed of (i.e. shredding).
- Do not leave information assets unattended in vehicles or other locations where they may be easily stolen.
- Do not write down or share passwords with anyone.
- Turn off unnecessary services like Bluetooth, unused Wi-Fi, etc.
- Protect your home Wi-Fi with a password. Protect your device with a password.
- Do not connect to public or untrusted/insecure Wi-Fi connections.
Secure your personal network
Ensure your own information assets are configured to limit network access, including:
- Make sure your firewall is turned on.
- Disable services and features that you are not using.
- Configure information assets so that they do not automatically attempt to join wireless networks they detect.
Teleconference security tips
- Do not share or advertise your meeting link publicly.
- Set a strong password for all teleconference meetings hosted (e.g., $yBerT@k8s!1), and do not reuse passwords.
- Refrain from discussing sensitive topics or sharing documents with confidential and/or sensitive data.
- Lock the meeting once all attendees have joined and be sure to verify and remove any unknown participants who dialed in before you start the meeting.
- Do not use your personal, or other non-state teleconferencing accounts to host work-related meetings.
- Manage screen-sharing options by limiting this ability to only the host, and never allow others to take control of your screen/device.
- Be cautious of what is visible within the camera range and on screen.
- Take notice if a meeting you attend is being recorded and ensure verbal consent by all parties before recording a meeting.
- Refrain from downloading shared files and/or documents onto personal devices.
- Ensure that sensitive and legal communication is conducted through a FedRAMP-compliant teleconferencing tool.
Protect your personal devices while teleworking
Today we use our personal devices to do so many things, from shopping to banking to homework to playing video games to keeping in touch with family and friends through social media. This creates a treasure trove of personal information on our home computers. If your personal devices are not protected, hackers and identity thieves can steal your personal or work information. It’s important to understand that Federal and State laws and policies require that we protect state data. While using your personal devices to telework, you need to adhere to IT policy and ensure that you protect that data.
How to protect your personal devices
Following these rules will help to ensure that your data and the state’s data remain safe.
- Use anti-virus and anti-spyware software – This software protects your personal devices from viruses and spyware by scanning emails and other incoming downloads or transactions. It is best if you set automatic updates and scans to catch the latest threats. Schedule a thorough scan at least once a week.
- Never work at public places – Never connect to public or untrusted/insecure Wi-Fi connections, such as at a coffee shop, etc.
- Practice safe browsing – Download software and files only from sites that you know and trust. Don’t click on links in pop-up windows or spam email.
- Never disclose confidential and sensitive data – Never disclose confidential or sensitive data to any unauthorized personnel including family and friends.
- Always lock your computer – Lock your personal device when leaving it unattended.
- Keep your operating system and browser updated – Update your operating system and browser regularly. Set them to automatically update.
- Create a strong password and keep it secret – Protect your personal devices from hackers and identity thieves by selecting strong passwords to prevent unauthorized access through password guessing, password cracking software, and other similar techniques. A strong password has at least 8 characters and includes numbers, upper- and lower-case letters, and special characters.
- Don’t store sensitive or confidential information on your personal devices – Save all state data on your OneDrive.
- Don’t use personal email for business use – Your DGS business email uses special protections to keep State information safe.
- Always comply with your department or agency policies – Always comply with State policies and procedures to protect data regulated by HIPAA, IRS, PCI, etc.
- Report suspected work-related security incidents immediately to your Information Security Office.
Options for running anti-malware/anti-virus
There are a number of options to consider for protecting your personal devices, many of which may be free.
- Microsoft Defender anti-malware is available on Windows 10 computers and tablets. If you are using a Mac, check out security options.
- Many Internet Service Providers (ISP) provide free anti-malware/anti-virus products. Contact your ISP to check for availability.
Consider full-disk encryption for increased privacy of personal and sensitive information.