Ron Ross, senior computer scientist and information security researcher, National Institute of Standards and Technology (NIST)
Ron Ross believes that there are enough security tools and protective layers available to make teleworking as safe as a traditional office environment, but not just because he happens to be a leading expert on network and infrastructure security. The senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST) also knows from experience. He is an enthusiastic teleworker who works out of his home office several days a week.
"I really do think that we have a sufficient number of controls available that can reduce the risk to a level that is tolerable for even the most nervous manager, and it's important for them to realize that, so they can take advantage of all the good things that teleworking brings to the employee and to the organization," he says.
The key to ensuring that telework has the right security in place is to set up the alternate work site and computing environment in the same way it is done at the headquarters office location. That means addressing information in its three states:
- At rest or when it is located in a secondary storage device, such as a hard disk
- In transit between the corporate site and the telework venue
- In process, when the employee is actually using the information
To address each state, Ross recommends using what NIST terms a "Defense in Depth" strategy. He adds that his agency relies on this strategy in its own telework program, and that it has proven so effective that Ross feels completely at ease working out of his home office. Components of this approach include the following:
- Establish and use a Virtual Private Network (VPN) connection between agency headquarters and the telework site, which relies on firewalls, encryption, and tunneling to ensure that information is fully protected while in transit across public networks
- Equip teleworkers with an authorized government-owned and -issued laptop or workstation so that it can be managed as an agency asset
- Rely on managed services so routine updates and upgrades on virus templates, security patches, and other optimal configurations can be pushed to the teleworker's computing device automatically by the IT department (or contracted third-party vendor)
- Equip the laptop with an add-on biometric device, like a fingerprint reader, for secure access by the designated employee only
- Install a "session lock" on the computer so that when the employee leaves his or her desk, the computer goes into sleep mode, and on returning the employee must log in using a password and (if applicable) the fingerprint reader to bring the computer back up
- Use full-disk encryption so if a laptop or hard drive is lost or stolen, the information cannot be accessed and would therefore be useless to an unauthorized user
- Conduct automatic backups to the agency site over the network so if something happens to the teleworker's remote office or computer, the information would be readily accessible by other agency personnel
- Rely on personal identifiers, such as passwords and endpoint device authentication, to guard against any unauthorized access to the agency network
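As an added illustration that is not from the article or from NIST, the following Python evaluates constructed endpoint posture records against the controls listed above, grouping any gaps by the information state (at rest, in transit, in process) each control protects. The record fields, control names and thresholds (patch age, lock timeout, backup age) are assumptions chosen for the example.

```python
# Added example: check constructed telework endpoint posture records against
# the defense-in-depth controls described above. Field names and thresholds
# are assumptions for illustration, not agency policy values.
from dataclasses import dataclass


@dataclass
class EndpointPosture:
    hostname: str
    agency_managed: bool        # government-owned, managed as an agency asset
    vpn_enforced: bool          # traffic to headquarters forced through the VPN
    patch_age_days: int         # days since managed updates were last applied
    biometric_enrolled: bool    # fingerprint reader present and enrolled
    session_lock_minutes: int   # idle minutes before the session locks (0 = never)
    full_disk_encryption: bool  # data at rest unreadable if the device is lost
    backup_age_days: int        # days since last automatic backup to the agency site


# Each control: (label, information state it protects, predicate on the posture).
CONTROLS = [
    ("managed agency device", "in process", lambda p: p.agency_managed),
    ("VPN enforced", "in transit", lambda p: p.vpn_enforced),
    ("patches current (<= 7 days)", "in process", lambda p: p.patch_age_days <= 7),
    ("biometric login", "in process", lambda p: p.biometric_enrolled),
    ("session lock (<= 15 min)", "in process", lambda p: 0 < p.session_lock_minutes <= 15),
    ("full-disk encryption", "at rest", lambda p: p.full_disk_encryption),
    ("backup current (<= 1 day)", "at rest", lambda p: p.backup_age_days <= 1),
]


def unmet_controls(p: EndpointPosture) -> dict[str, list[str]]:
    """Return the labels of failed controls, keyed by the state they protect."""
    gaps: dict[str, list[str]] = {}
    for label, state, ok in CONTROLS:
        if not ok(p):
            gaps.setdefault(state, []).append(label)
    return gaps


def telework_approved(p: EndpointPosture) -> bool:
    """A device is cleared for telework only when every control is met."""
    return not unmet_controls(p)


# Constructed sample records (not real hosts): one compliant, one with gaps.
SAMPLE = [
    EndpointPosture("gov-lt-01", True, True, 3, True, 10, True, 1),
    EndpointPosture("gov-lt-02", True, False, 20, True, 0, False, 5),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.hostname, "approved" if telework_approved(p) else unmet_controls(p))
```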
Managers who feel jittery at the idea of telework have a legitimate right to be concerned whenever operations are moved outside of the normal boundaries of an enterprise, Ross says. "It's important for them to realize, however, that there are a variety of controls available to them, and that the number and strength of those controls are really at the discretion of the organizations and the managers that are going to allow telework to proceed," he states. "It does always get back to the individual manager's risk tolerance, but I think if they take the time to see what's available, they'll see that telework can be done in a secure manner."
Ross adds that anyone with questions can contact him or another NIST security expert. He also recommends consulting the recently released NIST Special Publication 800-46, "Security for Telecommuting and Broadband Communications," as well as Special Publication 800-53, "Recommended Security Controls for Federal Information Systems."