Guidelines for using Zoom

Microsoft Teams is part of the Nexus Office 365 service and is the University’s approved service for video conferencing. However, there is an increasing interest in Zoom, which the University is keen to respond to.

A third-party security assessment (TPSA) has been completed on the Zoom cloud service and may be acceptable from a security perspective, depending on the classification of subject matter:

Public - the risk is low
Internal - the risk is low
Confidential - not recommended

As with any conferencing facility linked to endpoints outside the University’s control, there is a level of uncertainty about the security of information once delivered to those endpoints. For example, there would be nothing to stop a remote user from recording a conference call using their own screen recording software. There is also a concern that data at rest may be stored outside the UK. As such, there is potentially a risk to University intellectual property if it is partly contained within video conversations (which may be recorded), supporting chat sessions and attached documents.

There are potentially privacy-intrusive features within Zoom where usage should be minimised. Of particular note are the ability to record users and the ability to track users’ attention. While users are notified when recording takes place, this is not user consent and recordings should be minimised to where there is a need for academic/teaching purposes. You should also consider the secure usage and storing of any recordings as well as data subject rights when making any recordings. Generally, calls should not be recorded as there is not a legal basis to do so and owing to imbalances of power, consent cannot be relied on.

Microsoft Teams should be used where possible but if Teams cannot be used and there is a compelling communication need to be met during the Covid-19 lockdown period, Zoom can be used for information classified up to Internal as long as data privacy risks are managed as far as possible.

If departments wish to pursue this course of action, please refer to the University Purchasing Department guidance on the preferred supplier Catering and Events page. This will allow the purchase of Zoom licences on University negotiated terms and provides a cost framework. Please also follow our advice on using Zoom securely.

We will continue to keep under review the tools provided and supported by the University particularly in this period of remote working and will seek to support our academic objectives as efficiently as possible whilst protecting the security and privacy of our people and systems.

If you require additional information, please do not hesitate to contact us at grc@infosec.ox.ac.uk.

Further guidance to reduce the risk of your meeting being distributed (from JISC):

Ensure that Meeting Passwords are required to join and that they are not published in an uncontrolled manner.
Don’t use social media to share conference links as malicious groups can search social media for these meeting ID/links.
Use the “Waiting “Room” feature to have participants wait until the host arrives and vet participants prior to entering the meeting.
Limit screen-sharing ability to the host. Using the host controls at the bottom.
Turn off file transfer: In-meeting file transfer allows people to share files through the in-meeting chat. Toggle this off to keep the chat from getting bombarded with unsolicited pics, GIFs, memes and other content.
Disable private chat: Zoom has in-meeting chat for everyone or participants can message each other privately. Restrict participants’ ability to chat amongst one another. This is really to prevent anyone from getting unwanted messages during the meeting
Allow only signed-in/Registered users to join: If someone tries to join your meeting and isn’t logged into a Zoom account, they will receive the message ‘This meeting is for authorised attendees only’.

Zoom meeting host logging does have IP logging that can record attendees and that IP data can be used to report abuse.