
New guidance on data security for teleworkers

10 March 2009

Telecommuting has become a way of life as more companies let employees work from home to do jobs that might otherwise be done on corporate premises. As a result, business continuity managers are adapting security policies to encompass home PCs. You should ensure that your organisation is using the most current good practice guidance. The US National Institute of Standards and Technology has updated its guide on maintaining data security while teleworking. This revised guide offers advice for protecting the wide variety of private and mobile devices from threats that have appeared since the first edition was published in August 2002.

The guide has been written in broad language in order to be helpful to any group that engages in telework. Formally titled Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, it is available here.

Karen Scarfone of NIST's Computer Security Division points out that the environment has changed over the past few years: many websites now plant malware and spyware on visiting computers, and most remote access deployments are exposed to these threats without being secured against them. The main change in the revised guide is that the external environment (home networks, public hotspots and the teleworker's own devices) is now assumed to be hostile, i.e. organisations should expect trouble and plan for it.

Here are some basic recommendations from the new guide:

  • Equip at-home employees with dedicated PCs to be used for work only. If this isn't possible then a viable alternative might be installing a separate hard drive on a home computer with security controls that restrict access to all but the teleworker.
  • Ensure you have good IT support for homeworkers; you may need to contract third-party technical services for distant locations. The productivity savings from telework should more than cover this cost.
  • Consider adding a host-based (personal) firewall to all remote PCs, since the home network cannot be assumed to filter inbound traffic.
  • Have policies and procedures for accounting for any electronic media holding sensitive data. Data owners should delegate day-to-day handling to a custodian who controls access and keeps time-stamped records of every employee who accesses the data. The custodian must ensure that all sensitive data taken outside a facility is signed out, tracked and accounted for on return. Consequences for non-compliance should be clear and strict, with disciplinary action up to and including termination in serious cases.
  • Encrypt any sensitive data, like customer information, that is taken off the premises on any type of storage device or media.
  • Wherever possible, do not store sensitive data on laptops at all. If there is an unavoidable business reason for carrying sensitive data on a laptop, the laptop should be hardened and protected with a full-disk encryption product such as SafeBoot. Best practice is to keep the data in the data centre behind the corporate firewalls, allow remote access only over a VPN, and prevent the data from being cached or saved on the laptop.
