Information Security in Zoom
General information security advice in Zoom
To use AAU's Zoom in a secure way (to ensure that you protect sensitive and confidential information appropriately), you should be aware of the following:
- Only use AAU's own instance of Zoom, which you can access via AAU's Single Sign-On solution (WAYF). You can find this at aaudk.zoom.us.
- You should use a meeting password when creating AAU Zoom meetings. AAU Zoom generates a random password, which is different each time. Only share the password with the participants you want to be able to join the meeting. If you need to share the meeting password on public or semi-public channels such as Facebook or Twitter, you should use the Waiting Room functionality to ensure that only valid participants are allowed into the meeting.
- If you have installed Zoom yourself, always make sure you are using the latest version of the client software. This applies to PC, Mac and mobile etc. If you are employed at AAU and have installed Zoom from Software Centre, this will be handled by ITS.
- You should not change settings in AAU Zoom unless you have a specific need to do so and are aware of the consequences of the change. ITS has set up default settings on the AAU instance that address significant security risks when using Zoom.
- If you have changed a setting, it will have a "Modify Reset" label in your AAU Zoom account (see image below).
- To return to the default value of this setting, simply press "Reset" and the setting will return to the default setting.
Secure use of AAU Zoom for conversations containing confidential and sensitive information
If AAU Zoom is used for conversations containing confidential and/or sensitive information, special precautions must be taken. The precautions must ensure that unauthorised persons are not able to see or listen in on the conversation.
The following must be done when AAU Zoom is used for conversations containing confidential and/or sensitive information:
- The meeting must be set up with a password. To the extent that information about the meeting is saved in a calendar at AAU, the password must not be visible to anyone other than the invitees (use the private flag on the meeting and make sure that the contents of your calendar are not shared with unauthorised persons). If in doubt, do not save the password in the meeting invitation.
- The meeting should be set up with a "Waiting Room" and only the right participants should be let in.
- During the meeting, the "Waiting Room" and the list of participants must be continuously monitored to ensure that only the right people attend.
These measures are similar to those for comparable meetings in the physical world, where conversations with confidential and/or sensitive content are also held with stricter precautions.
AAU Zoom may be used to organise conversations containing all types of data. However, you must be aware of what is allowed to be recorded via AAU Zoom.
Recording meetings in Zoom
Recording meetings should always be done with great care. In terms of compliance with the General Data Protection Regulation (GDPR), it should always be considered whether it is possible to collect the desired information in a way that minimises the possibility of information being compromised. For example, it could be sufficient to make a written record of the video meeting.
As a rule of thumb, meetings should not be recorded unless a video recording of the meeting would have been established for a similar physical meeting.
You can record the meeting in two different ways:
- With regular recording, the recording will be made on the machine that initiated it. The recording (data file) must be stored securely. By default, the recording is saved in your "Documents" folder in OneDrive - this is not authorised for confidential and sensitive information. You can change this setting yourself. Read more about approved storage solutions here.
- When recording to the cloud, the recording will be stored in the Panopto system. Read more about Panopto here.
ATTENTION! If you need to record conversations that contain confidential or sensitive data, this must be done locally to your computer, where you must ensure that the recording is properly stored. See a list of approved storage solutions here.