ISO 27001 makes a distinction between mobile computing and teleworking that may at first seem like semantics. However, it is important to appreciate the difference between the two categorisations, as it affects how organisations should implement the security controls in their teleworking policy.
In ISO 27001, "mobile computing" refers to someone who is regularly on the move: the classic example is a salesperson on the road using portable computing and communication devices such as laptops, smartphones and PDAs from motorway service stations and a succession of hotel rooms. "Teleworking" is defined as an extension of mobile working: the teleworker may use similar devices and also sits outside the main network perimeter, but works from a fixed location, typically home, over a fixed connection to the network.
Policies and procedures for mobile computing and teleworkers will overlap in several areas, such as malware protection and data handling. But, while the protection of devices and the data they contain is the main emphasis for securing mobile devices, it’s only one aspect of the controls necessary for teleworking. This article will concentrate on the policies needed to ensure the locations used by teleworkers are secure and align with your main security policy requirements.
Creating your teleworking policy
Employees mostly conduct teleworking activities from their homes, which typically do not have the same physical security as the organisation's regular offices, so additional controls and policies are necessary to cover physical security, access control and backups. Any proposed teleworking location must be assessed before it is authorised, so that the necessary physical security improvements and the required network and connectivity infrastructure can be addressed, and so that the teleworker does not breach the organisation's access control policy.
To keep the cost of the risk assessment proportionate to its benefits, the assessment can be carried out by the teleworker using a teleworking health, safety and security form that highlights any exceptions to the minimum requirements. (Random physical checks can be used to verify compliance.) You can search the Internet for the teleworking security policies of other organisations to use as a starting point. Below are some of the checks that need to be included:
- Are exit doors secured by a mortise deadlock or security bolts?
- Are accessible windows secured by key-operated window locks?
- Is a smoke alarm fitted?
- Is there a clear exit route and an emergency escape plan?
- Are computers connected to the mains via an anti-surge extension?
- Are cables secure in all plugs, and walkways clear of trip hazards such as trailing cables?
- Can laptops and confidential files be locked away when not in use?
- Does the work area meet clear desk and screen policy rules?
- Can printed sensitive information be securely shredded?
- Are wastepaper baskets regularly emptied?
As teleworkers will be using their computers for long periods of time, it’s important they have a comfortable work environment. Health checks should include the following questions:
- Is the desk large enough to enable the employee to work in comfort and to rest his or her wrists in front of the keyboard?
- Is there a document holder that can be adjusted for height, tilt and position?
- Does the chair allow the employee to adopt a comfortable working posture?
- Is there adequate lighting?
- Is the ventilation at the workstation sufficient without causing uncomfortable draughts?
- Is a first aid kit available?
Some teleworker locations will require more work to bring up to an acceptable level than others, particularly as location affects the type and level of threats. Some may even be deemed unsuitable, particularly if physical security risks can’t be adequately mitigated. Teleworkers should complete a log of the equipment they will be using, including any model and serial numbers, in case of theft. They should be given a notification and reporting procedure to follow in the event of equipment or data being lost or stolen, while your finance department should decide how the equipment is to be insured.
It is vital to have clear procedures for how connections to the corporate network are made. Strong authentication should be mandatory; apart from anything else, it stops children logging on to see what mum or dad do. It is also good practice to add machine and location authentication, so that only enrolled machines can connect, and only from authorised locations. Location authentication is practical for teleworkers precisely because, unlike mobile workers, they connect from a fixed, assessed location. Automatic updates pushed to devices, combined with network access control, can ensure unpatched machines get no further than an isolated area of the network, where they are brought in line with policy before being granted full access. Unlike machines on a fixed network, where enforcing a "no data on drive C" policy is relatively straightforward, mobile devices usually do hold data on their local drive, so a backup to network storage should run whenever a device connects to the network.
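The following Python script is an added example (not code from the original article) that models the access decision described above: multi-factor user authentication, machine authentication by an enrolled device-certificate fingerprint, location authentication against the teleworker's assessed home network, and a quarantine tier for devices whose patch state is out of policy, with the post-connection backup triggered only once full access is granted. The teleworker names, certificate bytes, network ranges, 30-day patch window and action names are all constructed assumptions; in a real deployment these come from the VPN or NAC system and the device inventory.

```python
"""Posture-based access decision for a teleworker connection (added example).

Checks are ordered fail-closed: a failure in user, device or location
authentication denies the connection outright; only a patch-policy failure
lands the device in quarantine, where updates are pushed before full access.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import ipaddress

# Policy assumption: a device whose last patch is older than this is quarantined.
MAX_PATCH_AGE = timedelta(days=30)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a device certificate's DER bytes (hex)."""
    return hashlib.sha256(der).hexdigest()


# Constructed sample certificates. Real devices present X.509 certificates
# issued at enrolment; here a byte string stands in for the DER encoding.
ALICE_CERT = b"constructed-der-bytes-alice-laptop"
BOB_CERT = b"constructed-der-bytes-bob-laptop"

# Constructed inventory: fingerprint -> user the machine was enrolled for.
ENROLLED_DEVICES = {
    cert_fingerprint(ALICE_CERT): "alice",
    cert_fingerprint(BOB_CERT): "bob",
}

# Constructed list of assessed, authorised home networks per teleworker.
AUTHORISED_LOCATIONS = {
    "alice": [ipaddress.ip_network("203.0.113.0/29")],
    "bob": [ipaddress.ip_network("198.51.100.64/28")],
}


@dataclass
class Connection:
    user: str
    mfa_passed: bool          # result of the strong user authentication step
    device_cert_der: bytes    # certificate presented by the connecting machine
    source_ip: str            # address the connection arrives from
    last_patched: date        # reported by the endpoint's patch agent


def access_decision(conn: Connection, today: date) -> tuple[str, str]:
    """Return (tier, reason) where tier is 'deny', 'quarantine' or 'full'."""
    if not conn.mfa_passed:
        return "deny", "user authentication failed"

    owner = ENROLLED_DEVICES.get(cert_fingerprint(conn.device_cert_der))
    if owner != conn.user:
        return "deny", "device not enrolled for this user"

    ip = ipaddress.ip_address(conn.source_ip)
    if not any(ip in net for net in AUTHORISED_LOCATIONS.get(conn.user, [])):
        return "deny", "source address outside authorised teleworking location"

    if today - conn.last_patched > MAX_PATCH_AGE:
        return "quarantine", "patch level older than policy allows"

    return "full", "compliant"


def on_connect(conn: Connection, today: date) -> dict:
    """Apply the decision and list the follow-up actions the network should run.

    Action names are assumptions standing in for real NAC/VPN hooks.
    """
    tier, reason = access_decision(conn, today)
    actions = {
        "deny": ["log_and_drop_connection"],
        "quarantine": ["place_in_remediation_vlan", "push_pending_updates"],
        "full": ["grant_network_access", "backup_local_drive_to_network_storage"],
    }[tier]
    return {"user": conn.user, "tier": tier, "reason": reason, "actions": actions}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    ok = Connection("alice", True, ALICE_CERT, "203.0.113.2", today - timedelta(days=5))
    stale = Connection("alice", True, ALICE_CERT, "203.0.113.2", today - timedelta(days=45))
    away = Connection("alice", True, ALICE_CERT, "198.51.100.7", today - timedelta(days=5))
    for c in (ok, stale, away):
        print(on_connect(c, today))
```

The ordering matters: authentication failures never reach the patch check, so an unenrolled or wrongly located machine is not given a remediation VLAN from which it could probe further. The backup action is tied to the "full" tier, which is the point at which the device is trusted to write to network storage.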
Once all the prerequisites for a teleworking location have been met, it can be authorised. However, before teleworkers are allowed to start work, they should complete any necessary training and sign a user agreement that sets out all their obligations and responsibilities as a teleworker. Training must cover data handling and protection, along with awareness of all relevant statutory and regulatory requirements that affect the organisation. Teleworkers should be given technical support contact details, a call-in procedure with their manager, a procedure for reporting any accidents, incidents or work-related illnesses, and a handbook covering standard staff rights and obligations.
Mobile and teleworking policies both have a lot in common; employees certainly shouldn’t be distracted by any distinction made between being a mobile worker or teleworker. The goal you’re trying to achieve in both instances is off-site security equivalent to that provided for on-site assets.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.