Zoom guidance for staff and students

Last updated 17 February 2021 on behalf of the Chief Information Officer and Head of Information Assurance and Governance.

The University of St Andrews currently supports Microsoft Teams as our video conferencing platform. A number of colleagues have asked whether they can use Zoom as an alternative. Zoom should not be used for University business, unless you have been asked to join a Zoom ‘call’ organised by another organisation that subscribes to Zoom, and no confidential information is being shared.

Risks associated with using Zoom

Personal or ‘free to use’ versions of Zoom present an IT and information risk. There have been numerous reports of Zoom meetings being ‘hijacked’ or ‘Zoom bombed’, meaning that third parties have been able to take control of meetings, causing disruption and an invasion of privacy. Additionally, vulnerabilities in Zoom have enabled third parties to take control of PCs used for Zoom conferences, and Zoom therefore should not be used. Free to use services are unsupported, meaning the University cannot apply patches to fix information security vulnerabilities. Unpatched software and services frequently become the targets of malicious third parties who seek to steal data and information, meaning that the University, our students and staff can be vulnerable to damage and loss. If you are invited to participate in a Zoom meeting, we recommend that you check with the meeting organiser that they are using a subscription Zoom service and not the free version of Zoom.

Use of the free version of Zoom for University business will also expose the University by breaching our obligations to uphold data protection law. The General Data Protection Regulation (specifically Article 28) requires that, before the University makes available third-party tools and services which make use of personal data, a contract containing specific provisions to protect personal data is in place between the University and the supplier. No such contract exists for Zoom. The University cannot guarantee that personal data for which it is responsible can be protected when used with Zoom. Using Zoom for University business could be compared to driving a car without a driving licence or insurance.

Participating in non-University Zoom meetings

We do not support or endorse Zoom; however, we appreciate that you may be asked to participate in Zoom meetings outside of the University. Please note that you do not need to purchase a Zoom licence to participate in meetings. We suggest users show caution around what information they are sharing, who is attending the meeting and any links that are being sent out. Personal or free Zoom meetings are not suitable for information that is classified (by the University Information Classification Policy) as confidential or strictly confidential.

By following the guidance below, the risks can be minimised:

  • Do not use your Personal Meeting ID for the meeting. Instead, use a per-meeting ID, exclusive to a single meeting. Zoom’s support pages offer a video walkthrough on how to generate a random meeting ID for extra security.
  • Share your meeting ID privately. Do not post it to social media pages, where anyone can find the ID using a simple search.
  • Create or join an ‘Invite-Only Meeting’ (this feature is for Zoom subscription accounts only). This means only those people invited can join the call, and they must sign in using the same email address that the organiser used to invite them. This gives you much more assurance that people are who they say they are.
  • Enable the ‘Waiting Room’ feature so that you can see who is attempting to join the meeting before allowing them access. When participants log into the call, they can see a ‘Waiting Room’ screen and can’t get into the call until the host admits them. You can admit guests all at once, or one at a time. Do not let anyone in that you do not recognise.
  • Disable other options, including the ability for others to ‘Join Before Host’ (it should be disabled by default, but check to be sure). Then disable screen sharing for non-hosts, and the remote-control function. Finally, disable all file transferring, annotations and the autosave feature for chats.
  • Once the meeting begins and everyone is in, lock the meeting to outsiders and assign at least two meeting co-hosts. The co-hosts will be able to help control the situation in case anyone bypasses your efforts and does get into the meeting.
  • Learn how to stop a participant’s video and remove a participant.
  • Depending on the type of meeting, it might also be useful to mute all participants as a default.

If an external party is hosting a Zoom meeting, the following guidance on the Zoom website may be useful for them to minimise the risk.