Best Practices for Zoom Security
Below are recommended steps to take to protect your Zoom Meeting from intruders or disruptions. In general, do not post Zoom invitations or links within any documents that are public-facing. Google Meet is also an acceptable OUSD-approved video conferencing option that has received recent security updates.
All of the following steps are basically layers of security that will help protect your meeting. Not all of the steps will necessarily be best for your situation, but try to implement them whenever feasible. If there is a heightened risk of Zoom bombing for your class or school, follow all of the recommended steps below, especially requiring authentication.
When you are setting up the meeting:
[These settings are accessed on the Zoom website at ousd.zoom.us]
1. Avoid using your Personal Meeting ID (PMI)
Using your Personal Meeting ID to set up meetings repeatedly increases the risk of someone finding the link to bomb your Zoom meeting. In addition, meetings created with your PMI will not create usage reports to track users afterwards.
Instead, generate new random Meeting IDs. Under Meetings > Schedule a Meeting > Meeting ID select Generate Automatically. This creates a new Meeting ID that has not been posted or shared before.
2. Select "Require authentication to join" > "Only OUSD users signed into Zoom"
- Under Meetings > Schedule a Meeting > Meeting Options check Only authenticated users can join. You should also see an option Only OUSD users signed into Zoom. Make sure this option is selected.
By choosing this option, you are requiring that users be signed into a OUSD user Zoom account in order to join your meeting. Choosing this option also ensures that after the meeting you will have access to a report of all meeting participants and their email addresses.
You can add an authentication exception to allow a specific user to join the meeting. Each guest that is invited via an authentication exception will receive a unique link permitting them access to the meeting. This link will grant them access to the secure meeting or webinar.
If you do not use an authentication requirement, your meeting will be more vulnerable to Zoom bombing, and you may have no way to track an intruder after the meeting.
When you start the meeting, but before participants join:
1. Open Security options
- In the Zoom Meeting, click on Security
2. Manage Security settings
Make sure that "Enable Waiting Room" is checked.
Under "Allow participants to:"
Leave "Share Screen" unchecked (optional but recommended for meetings with students).
Leave "Chat" unchecked (optional but recommended for meetings with students). If you do enable chat for students, it is recommended that you disable private chat: click on "Chat" and click on the settings in the chat window to choose chat settings.
Leave "Rename Themselves" unchecked.
3. Know how to remove a participant
Familiarize yourself with the procedure to remove a participant quickly if necessary. There are three clicks necessary.
Click on "Participants" at the bottom of the the Zoom window.
Click on "More" next to the name of the participant you want to remove.
Click on "Remove".
If there is behavior that is extreme and potentially harmful to students, end the meeting immediately, instead of taking the time to identify and remove an individual participant. Do not attempt to restart the meeting with the same Zoom link.
Student Expectations for Zoom Meetings
Meeting Expectations. Students should be provided with distance learning meeting expectations, which may include the following:
Do not share login information, meeting links, or passwords with others.
School and classroom rules apply to the distance learning instruction environment.
It is recommended that students review the District Technology Acceptable/Responsible Use Policy regarding expectations for behavior while conducting themselves online and on District devices.
Dress appropriately for distance learning instruction sessions.
Do not conduct audio or video recordings or take screen shots of virtual class meetings or activities unless you have received prior permission to do so from a teacher or authorized District official.
To the extent possible, participate from a quiet and neutral location that will be free of distractions.
Students who use inappropriate language, share inappropriate images, or in any way behave inappropriately on a video conference may be subject to appropriate discipline.
Once the meeting is over, be sure to close out of the meeting platform entirely. Make sure that your camera is covered and that your microphone is off to avoid inadvertent transmission following the meeting.
Teacher Guidelines for Hosting Zoom Meetings
Meeting Background. When engaging in virtual classroom meetings, to the extent possible, maintain a neutral and appropriate background that is free from distractions.
Recording Notification. If you are planning to record the Zoom meeting for any reason, notify participants prior to starting the recording.
Participant Check. Begin a meeting by double checking that only authorized participants have joined the meeting. If there is a participant that you do not recognize or that is not authorized to participate, remove the participant from the meeting.
Reiterate Meeting Expectations. Open the meeting by providing a brief reminder of meeting expectations.
Supervising Students. While engaging in virtual classroom meetings, teachers and classroom aides are required to supervise students and may refer students for disciplinary action as necessary when students engage in misconduct. [Note: The District may want to implement a protocol for staff to follow in the event a teacher witnesses a student in distress; i.e. dismiss the virtual class session while keeping the distressed student on the line and contacting 911 or District mental health assessment team.]
Mandatory Reporting Obligations. While engaging in virtual classroom meetings, teachers should be reminded that they are mandated reporters of suspected abuse and neglect, including while communicating with students during distance learning instruction. If teachers or other mandated reporters have questions regarding mandated reporting obligations, they should consult with a supervisor for guidance and additional resources.
Locking a Meeting. Consider locking a meeting after all participants have joined. This feature can prevent unauthorized outsiders from joining the meeting.
Avoid Sharing Personally Identifiable Information from Student Education Records. Just as you would in a physical classroom setting, avoid sharing personally identifiable information from student educational records, such as grades, during the meeting. (Student participation alone in distance learning instruction does not typically involve sharing student education records.) Such information is protected from disclosure without parent or guardian consent under the Family Educational Rights and Privacy Act (“FERPA”).
Reminders Before Ending the Meeting. Before ending the meeting, instruct all participants that, after the meeting ends, each participant should close out of the platform entirely and double check to make sure that cameras and microphones are disabled.
Storing Recordings. If you recorded a meeting, be sure to safely store the recording in accordance with District guidelines and requirements. If you have questions about how to securely store a meeting recording and/or securely upload the recording to District storage accounts, contact the Information Technology Department.
Unexpected Host Disconnection. If you are the host and you are unexpectedly disconnected due to lost of internet connection or another technical isssue, a random participant will be assigned as the host. Prepare students for this possibility and let them know that if you do not return to the meeting within 5 minutes, the class should disconnect.
Handling/Reporting a Problem
Teacher - Either (a) identify and remove the participant, or (b) close the meeting.
Teacher - Notify principal and file incident report.
Principal - Depending on severity of incident, send a message to families re: what occurred (based on template)
Principal - Depending on severity of incident, notify IT, Legal and the Oakland Police Department.
Principal/Teacher - Depending on severity of incident, if "bomber" was a student, take appropriate disciplinary action
How Students/Families Join Zoom Meetings
NOTE: It is not at all necessary to use Clever to join Zoom meetings. The Zoom icon has been removed from Clever to avoid confusion.
Students and families just need a dependable Zoom link with an embedded password. This means that families can just click on the link and join the meeting -- no password required. You can tell if the Zoom link has an embedded password if it is kind of long and has “pwd” in the link. Example is below:
Teachers can create a Zoom link with an embedded password by scheduling the meeting at zoom.us, or with Google Calendar. Then they just share that link through Google Classroom, or in an email to families. Make sure not to post Zoom links on public documents or websites.
To set up a Zoom meeting, go to the Zoom website, or create an event in your Google Calendar and under conferencing options, select Zoom meeting. If creating a meeting through your calendar, you must then go to the Zoom website to make recommended changes to the meeting security settings.
It is essential that OUSD users take proper safety precautions when using Zoom. Please do not post Zoom invitations publicly, and always enable the waiting room if students are participating. Please see below and follow the step-by-step instructions for setting up a secure Zoom meeting.
Below are recommended steps to take to protect your Zoom Meeting from unwanted interruptions or disruptions. In general, do not post Zoom invitations or links within any documents that are public-facing. Google Meet is also an acceptable OUSD-approved video conferencing option that has received recent security updates.