It is important to consider the security implications of the Zoom meetings you set up. It’s especially important to properly secure your meeting if there is any discussion of sensitive data. Please see our Data Classification Standard for more information. Also, we have additional information such as Zoom Do’s and Don’ts, and our CSUCI Zoom FAQ.

How do I prevent Zoom bombing?

CSUCI already has some extra security controls in place to help keep you secure. But here are a few additional settings you can make use of to further help you prevent Zoom Bombing.

  1. Keep Meeting URLs Private - Don’t share them anywhere that’s accessible to the public. Just keep it to the group of people you’re sure you want to be there.
  2. Keep Meeting Passwords On - These are on by default, so all you have to do is put in a password when prompted and leave them on.
  3. Lock your meetings - When a meeting is locked, no one can join. To enable, click on the Security Icon and select “Lock Meeting”.
  4. Use a waiting room - A waiting room puts each of your meeting attendees into an individual space where you can verify they are who they say they are. You then have the option to release all people from the waiting rooms, or individually allow them in.

Security Tips for Zoom

Know Who's in Your Meeting

An important consideration for securing Zoom sessions is to make sure that we pay attention to who the participants in our meetings are. If, despite these precautions, someone shows up in your meeting that you don't recognize, you should take it seriously. It's possible that these incidents may constitute a Zoom Bombing attempt to disrupt the class/meeting.

Disable Participants from Renaming Themselves

Hosts can now disable the ability for participants to rename themselves in any meeting. This setting is available in the Web portal. Visit zoom.us -> sign in using SSO -> Settings -> Meeting -> In Meeting (Basic) and toggle off “Allow participants to rename themselves”.

Disable Participants' Use of Annotation Feature

Hosts can now disable the ability for participants to annotate the presentation or screen in any meeting. This setting is available in the Web portal. Visit zoom.us -> sign in using SSO -> Settings -> Meeting -> In Meeting (Basic) and toggle off “Annotation”.

Consent for Recording

If you plan on recording a meeting, you must ensure you have the consent of every participant. If a participant does not give permission, they must leave the meeting or the recording must be canceled.

Meeting Passwords

Zoom automatically generates a 6-digit password for each new meeting created, and these passwords are embedded in the invitation URLs. Therefore you shouldn’t share a Zoom invitation email without permission from the meeting host. If an invite is forwarded to an external party, they can join the meeting even if the meeting is password protected.

Use a waiting room to welcome attendees

A waiting room puts each of your meeting attendees into an individual space where they can test their microphones and cameras. When you start your meeting or class, you have the option to release all people from the waiting rooms, or individually welcome them. Individually welcoming attendees is a great way to handle “roll call” for your class.

Screen Sharing is Off by Default

Zoom has changed their Screen Sharing functions to be turned off by default. If you would like others to be able to share their screen, simply enable it under the Security icon on your session screen.

Scheduling Zoom Meetings Using your Exchange/Outlook or Google Calendar

If you add a Zoom meeting to your calendar or create a Zoom meeting in your calendar using the Zoom Plug-in, the calendar entry may include the Zoom meeting password. Depending on your settings, this may expose the password to anyone who views your calendar. Try making the calendar entry private or only sharing it with intended recipients.

Remove a Participant from a Zoom Meeting or Webinar

If you have already begun a session and find an unwanted attendee has joined, click on the Security Icon at the bottom of the Zoom session window and select “Remove Participant”.

Lock Your Session

The In-Meeting Security settings allow the host or co-host to lock the meeting once all your attendees have joined. When a meeting is locked, no one can join, and you (the host or co-host) will NOT be alerted if anyone tries to join, so it's best not to lock the meeting until everyone has joined.

Just click the Security Icon at the bottom of the Zoom session window and select “Lock Meeting”. You can unlock the meeting following the same steps.

Post-Meeting Security

If a meeting is recorded, the recording can be set to be stored either in Zoom’s cloud storage, or located on the host’s local machine. When possible, use Zoom’s cloud storage. If you must record to a local machine, please be aware of the content from the meeting and refrain from posting sensitive meetings to public sites. If the meeting contains Level 1 or Level 2 data, the recording needs to be treated accordingly. Please see our Data Classification Standard for more information.

Zoom for Healthcare

The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing, the solution and security architecture must, among other controls, provide end-to-end encryption and meeting access controls so data in transit cannot be intercepted. You can find a full list of controls enabled for Zoom for Healthcare in the HIPAA Compliance Guide.

To use Zoom for Healthcare, you need to be associated with a CSUCI organization which has been assigned Zoom for Healthcare licenses by our administrators. If you work in a healthcare environment in association with CSUCI, it is likely your group has already transitioned over to this environment. However, if you feel your team or organization needs to be using Zoom for Healthcare and isn’t currently, please submit a request by sending an email to infosec@csuci.edu.

Additional Zoom Security Guidance and Articles

Zoom Meeting Do's and Don'ts

Zoom CEO Eric Yuan Security Blog post (Zoom, 4/8/20)

Telework Cybersecurity (NIST, 3/19/20)

Preventing Eavesdropping and Protecting Privacy On Virtual Meetings (NIST, 3/17/20)

Navigating the Conference Call Security Highway (NIST, 3/17/20)

 

 
