UPDATE 25/09/20:

Following upgrades to Zoom's security provisions, Autism Anglia has now authorised the use of Zoom for meetings, webinars and training from all our sites, subject to the following rules for our staff teams:

  • If you host or join a meeting that requires a Zoom account, it must be created using your Autism Anglia email address
  • Every meeting you create or join must have a password.  A password is generated automatically when creating a meeting.  It is OK to use that one, or you can create your own.  You must not disable the password requirement for any meeting.  If you are sent a meeting invite that does not include a password, you must not join the meeting unless a password is added
  • Every meeting you create or join must have a waiting room – this means that everyone joining a meeting has to be admitted by the host
  • If you are hosting a meeting that includes people from outside Autism Anglia, everyone must sign in with a registered account.  This is an option when creating the meeting and nobody may join unless they have signed in with a Zoom account.  This provides a measure of security when you may not visually recognise everyone who should be in the meeting
  • If you are hosting a meeting, once everyone has joined, the meeting should be locked to prevent any further access

Dan McCullagh
IT Manager

07/04/20:

With more people working from home than ever before, Zoom has been widely adopted over the last month, with over 200 million daily users in March alone.  Many organisations and training/educational establishments are now using it as their main communication tool.

Much has been said recently in the news and papers about the vulnerabilities surrounding Zoom, the online video conferencing platform (Guardian Article).  Whilst the video and sound quality it provides is excellent, particularly when compared to other providers such as Skype, it does have significant security concerns.

Therefore, our position on these tools is that unless there is an overarching reason why we can't use it, Autism Anglia will always use Skype for Business for online audio and video communication.  When there is no alternative and Zoom has to be used, Autism Anglia will follow the protocol below for every contact, to protect the people involved, including personal data:

  • Autism Anglia's Zoom accounts will be created using Autism Anglia email addresses
  • Autism Anglia Staff and Volunteers will not connect to Zoom meetings while connected to any of our internal computer networks, including those in Head Office and Doucecroft, in order to minimise the effect of any potential hack
  • All Zoom conversations must be password protected - this protects against most of the threats inherent to Zoom
  • Zoom's in-conversation instant messaging (text chat) is not used at all and it should be disabled if at all possible.  Hackers use this to share links which include your username and password for Windows, i.e. your work network login details
  • Use new meeting IDs for each conversation - don't rely on your 'personal' meeting ID
  • Set up a 'waiting room' so the meeting host joins before any attendees
  • Don't publish meeting IDs anywhere, including social media.  Use private conversations (direct messages, email, phone etc.) to share the ID
  • Once everyone has joined a meeting, the host should lock it to prevent anyone else joining

Dan McCullagh

IT Manager