Whether it's a normal part of your job or as an alternative if access to campus is temporarily restricted, the ability to work remotely (also known as telecommuting or teleworking) can help keep the University's operations running from afar. Though potentially of great benefit to your department's operations, it's essential that all remote work be performed in a secure computing environment.

There are a few approved remote work methods that can be utilized depending on the classification of the university data being handled and related risks.

Method Required for Faculty/Staff Handling High Risk University Data
Example Audience: University employees handling the most confidential types of university data, including but not limited to social security numbers, credit card data, HIPAA data, protected donor data, export-controlled research data or confidential unclassified information.
More information on the UT Data Classification Standard can be found at:
https://security.utexas.edu/policies/data_classification 

 

The most secure method for working remotely is to plan ahead and issue UT-owned computers for employees to use from home. Work can be performed directly on the UT-issued computer; in fact, it may already be the employee’s primary workstation.
Most often this would be done via a portable laptop, but this could extend to an employee using the workstation they typically use in their office if no other portable option exists and the local leadership for the unit has authorized such usage.

This setup requires:

  • UT-issued and professionally-maintained laptop (or workstation)
    A laptop issued to an employee in advance of working remotely, or a laptop available as needed in an emergency situation, is the best option for working remotely. These laptops should meet all required Minimum Security Standards for the handling of sensitive data and should be maintained departmentally, by qualified IT staff, following best practices for systems management.
  • Cisco AnyConnect Secure Mobility Client
    This free service provided by ITS Networking allows for remote employees to make secure connections to remote workstations, certain file shares, VoIP soft clients, and other on-campus resources. It is available at vpn.utexas.edu. Keep in mind that the UT VPN is split-tunnel; network traffic not destined for campus-based (as opposed to Internet-based) services will not traverse the VPN. Thus, if the services you use on a daily basis are not hosted on-campus (e.g., Workday, UTBox, Canvas, Stache), you may not need to establish a VPN connection.
  • Duo multi-factor authentication
    The use of Duo is required to establish a VPN connection and authenticate to many other UT services. An employee connecting remotely will need a UT EID configured to authenticate with Duo either via the Duo Mobile app, security token, text message, phone call, or one-time use codes. This must be configured prior to connecting from off-campus! Employees should ensure that, if an office telephone is currently used to authenticate via Duo, an additional factor (such as a personal mobile phone or a home phone) is added as an authentication method.  Please see the Duo readiness page for more details: https://security.utexas.edu/MFA-Readiness
  • A broadband Internet connection
Method Required for Faculty/Staff Handling Moderate Risk University Data
Example Audience: University employees handling confidential or controlled types of university data that are not considered High Risk (above), including but not limited to comprehensive student records (e.g., the entire student cohort for a department), HR information, unpublished research data, internal memos and email.
More information on the UT Data Classification Standard can be found at:
https://security.utexas.edu/policies/data_classification 

 

If a department is unable or unwilling to issue UT-owned equipment to employees to facilitate remote work, an employee's personal computer may be used to connect remotely to a workstation residing on campus.
The department may also make use of university sanctioned Virtual Desktop Infrastructure (VDI) made available for such purposes.

For reasons of both security and policy, University work must not be performed directly on an employee's non-UT-owned equipment. Such equipment should be used only to connect to a remote computer, on which all work is performed.

This setup requires:

  • Personal (non-UT-owned) computer
    An employee's personal computer can be used as a mechanism to connect to a remote workstation residing on campus. Personal computers should be maintained in a secure fashion (with regards to passwords, malware and virus protection, etc.) and should be, to the extent possible, up to date with the latest operating system and security updates.
  • Cisco AnyConnect Secure Mobility Client
    This free service provided by ITS Networking allows for remote employees to make secure connections to remote workstations, certain file shares, VoIP soft clients, and other on-campus resources. It is available at vpn.utexas.edu.
  • Windows: Remote Desktop Protocol
    For remotely connecting to campus-based systems running Windows, the Remote Desktop Protocol (RDP) can be used. Connections can be made to campus Windows workstations from personal devices running Windows, Mac, iOS, or Android operating systems; see How to use Remote Desktop for details. Campus workstations should have their firewalls configured to allow RDP only from the network ranges used by the campus VPN service.
  • Macintosh: Apple Remote Desktop, or Virtual Network Computing over Secure Shell
    For remotely connecting to campus-based systems running macOS, Apple Remote Desktop (ARD) can be used. ARD runs Virtual Network Computing (VNC) using AES 128-bit encryption. If ARD is unavailable, macOS's built-in VNC server (called Screen Sharing) can be used; however, as it is unencrypted, it must be tunneled over the campus VPN service. SSH authentication should preferentially make use of certificate-based authentication, though password authentication over the campus VPN is acceptable, provided the remote workstation is configured with a strong password.
  • Linux: Virtual Network Computing and/or Secure Shell
    For remotely connecting to campus-based systems running a distribution of Linux with a graphical user interface, VNC can be used; however, as it is unencrypted, it must be tunneled over an SSH connection. For distributions without a graphical user interface, SSH can be used directly. Campus workstations should have their firewalls configured to allow SSH only from the network ranges used by the campus VPN service. SSH authentication should preferentially make use of certificate-based authentication, though password authentication over the campus VPN is acceptable, provided the remote workstation is configured with a strong password.
  • Duo multi-factor authentication
    The use of Duo is required to establish a VPN connection and authenticate to many other UT services. An employee connecting remotely will need a UT EID configured to authenticate with Duo either via the Duo Mobile app, security token, text message, phone call, or one-time use codes. This must be configured prior to connecting from off-campus! Employees should ensure that, if an office telephone is currently used to authenticate via Duo, an additional factor (such as a personal mobile phone or a home phone) is added as an authentication method.
  • A broadband Internet connection
Method Required for Faculty/Staff Handling Low Risk University Data
Example Audience: University employees handling controlled or published types of university data that are not considered High or Moderate Risk (above), including but not limited to narrowly focused student records, research data, information that is otherwise considered public.
In exigent situations, this includes lecturers or faculty members interacting with students via learning management platforms (e.g., Canvas), developing course materials, etc.
More information on the UT Data Classification Standard can be found at:
https://security.utexas.edu/policies/data_classification 

 

The use of personal computing devices for handling sensitive University data is generally restricted by policy. Departments unable to support the methods above may request a security exception for their entire department (or select systems) from the Information Security Office to seek approval for remote work configurations that do not conform to these guidelines. 

Departments should ensure that their end users are able to comply with these general computing guidelines in protecting personal computing devices and that they are aware of related risks. The department head must also be aware of and approve of accepting the residual risks associated with such use cases (e.g., confidential data potentially residing on an potentially insecure and unencrypted personal computers).  The department should also ensure that all associated system hard-drives are securely wiped or disposed of by the end-user before the devices are donated, etc., so as not to unnecessarily expose unexpected confidential university data that might have been copied to or cached on the device.

Relevant University Policies

All remote work should comply with existing University policies and state laws including, but not limited to:

Whether working on campus or remotely, all use of UT Austin technology resources must comply with the Information Resources Use & Security Policy and the Acceptable Use & Security Policy Agreement for employees.

Additional resources

Information Technology Services (ITS) has additional information on Working During Campus Closures.

Questions

Please contact us at security@utexas.edu with any questions about securely performing remote work.