Zoom Protection

SDSU Zoom Web/Video Conferencing Security Frequently Asked Questions

Zoom is a foundational tool for video telecollaboration within the California State University system and is supported by the SDSU IT Division.

Zoom Bombing is a tactic employed by Internet trolls to disrupt Zoom meetings that have been posted publicly or otherwise reached a public audience. The trolls join your meeting and disrupt it by taking over the Screen Sharing feature to share explicit images or videos. User controls enabled in the University’s Zoom communication and training minimize these risks for SDSU use.

Yes. Zoom has become one of the most popular online conferencing and collaboration platforms. Zoom usage jumped from 10 million at the beginning of March to over 200 million now, and it is still growing. With its growth in popularity, Zoom has come under greater scrutiny. Zoom has, however, worked to quickly respond by fixing several of the reported vulnerabilities, and the company issued a 90-day feature freeze to concentrate engineering efforts on security and bug fixing.


In addition, Zoom offers a number of security options to prevent unwelcome participants from joining your meeting or to limit their ability to share inappropriate content.

To learn more, visit How do I secure my Zoom meeting? If you are using a personal computer, you must update the client as the latest clients become available.

To check the version of the Zoom client installed on your computer or mobile device, see the “Viewing the Zoom version number” article.

No. The basic functionality is the same; however, the CSU has a contract with Zoom that obligates Zoom to protect CSU data beyond what would be found in a free or personal account. SDSU faculty, staff, and students should use their SDSU Zoom Educational account to help secure FERPA-protected communications. More information on Zoom and FERPA can be found in the Zoom and FERPA Compliance guide.

 

Zoom offers several settings to protect your Zoom meeting.  These are the recommended security settings*.


Enable Waiting Room: The Waiting Room feature allows the host to control when a participant joins the meeting. As the meeting host, you can admit attendees one by one or hold all attendees in the waiting room and admit them all at once.

Require a password when scheduling new meetings: Meetings and Webinars can require passwords for an added layer of security.

Lock Your Session: The Zoom Host Controls allow the host or co-host to lock the meeting. Once all your attendees have joined, follow these steps to lock the meeting:

  1. If the Participants panel is not visible, click Manage Participants at the bottom of the Zoom window.
  2. At the bottom of the Participants panel, click More.
  3. From the list that appears, click Lock Meeting.
  4. To unlock the meeting, follow the same steps.

When a meeting is locked, no one can join, and you (the host or co-host) will NOT be alerted if anyone tries to join, so do not lock the meeting until everyone has joined.

Restrict screen sharing to host only: To ensure that only the meeting host can screen share, click the up arrow to the right of the Share button at the bottom of the main Zoom window, then select Advanced Sharing Options. In the Advanced Sharing Options window, under Who can share? click Only Host.

*These settings can be configured for individual meetings or changed to become your defaults for all of the future meetings that you schedule.

A couple of in-meeting options to control your virtual meeting are also recommended:

  • Disable video: Turn off a student’s video to block distracting content or inappropriate gestures while class is in session.
  • Mute students: Mute/unmute individual students or all of them at once. Mute Upon Entry (in your settings) is also available to keep the clamor at bay when everyone files in.
  • Attendee on-hold: An alternative to removing a user, you can momentarily disable their audio/video connections. Click on the attendee’s video thumbnail and select Start Attendee On-Hold to activate.

For more security best practices, please visit “Best Practices for Securing Your Virtual Classroom.”

The limits and benefits of the Zoom Pro account vary, and include the following: 

  • No limit to the number of meetings you may host. 
  • You may host meetings of up to 300 people for an unlimited time.
  • One-to-one video calls are unlimited. 
  • A customized Personal Meeting ID is allowed. 
  • Available for all SDSU faculty, staff, and students with an @sdsu.edu email address.

Yes.  Please follow the steps below to remove any participant from your meeting. 

  1. At the bottom of the Zoom meeting, click the Participants button to open a list of participants.
  2. In the participant list, hover your cursor over the name of the participant you wish to remove, then click the More button that appears to the right.
  3. From the bottom of the menu, select Remove.
  4. A dialog box will open asking you to confirm your choice. Click OK to remove the participant.

Sometimes, you may see a phone number or a participant name that you don’t recognize. You should stop the meeting and ask the phone participant to identify themselves. If they are not authorized, remove the participant from the meeting.

The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing, the solution and security architecture must, among other controls, provide encryption and meeting access controls so data in transit cannot be intercepted. 

Zoom Meetings for HIPAA provides an option for health care providers at SDSU and faculty whose course content is clinical and requires this degree of compliance.  You must follow all other HIPAA requirements, including training and audit. 

To use Zoom Meetings for HIPAA, your SDSUid needs to be connected to the Zoom Meetings for HIPAA account. Your SDSUid can only be connected to one instance of Zoom: either regular Zoom or Zoom Meetings for HIPAA.

To request a Zoom HIPAA Subaccount for clinical or health care work, please submit a request using https://sdsu.service-now.com.

Zoom offers several settings to conduct your meeting in a safe and organized way. 

  1. At the bottom of the Zoom meeting, click the Participants button to open a list of participants.
  2. At the bottom-right corner of the list of participants, click “More” to open a menu.
  3. Toggle the options as desired:
    • Clear Allow Participants to Unmute Themselves to ensure that only hosts can unmute participants.
    • Check Put attendee in waiting room upon entry to require that hosts manually admit new participants rather than having them join the meeting automatically. Learn more about the Zoom Waiting Room feature.
    • Check Lock meeting to prevent any additional participants from joining the meeting after this option is selected.

No. Zoom had a feature called “attention tracking” that put a small icon in the list of participants indicating which participants had moved out of the app. As of April 1, 2020, this feature was removed.

Zoom end-to-end encryption is sufficient to meet campus statutory requirements for most instructional, administrative, and research needs.

However, in certain circumstances, when using special connectors, video calls need to be temporarily unencrypted before establishing the final connection. For instance, if you enable the company’s cloud-based recording option, sessions have to be briefly decrypted within Zoom’s cloud.

Zoom has a blog post explaining in detail how Zoom end-to-end encryption works: “The Facts Around Zoom and Encryption for Meetings/Webinars”.

Yes. The CSU Chief Information Officer and Chief Information Security Officer noted in their Zoom Message to CSU Campuses: "On balance, as long as campus users have the information they need to use Zoom with appropriate safeguards, we don't believe that it's necessary for the CSU community to be concerned about communicating with Zoom." To read the full message, please visit "CO's Zoom Message to CSU Campuses." (SDSUid login required)