An article on DarkReading tells us that Federal Information Security Chiefs don't think that teleworking is a security risk. Sounds like a good poll for next week to me.
When I first saw the headline "Federal Security Officers Say Telecommuting Is Safe" my initial thought was "these are the same guys who regularly get D's and F's on their security reviews and they are telling us what is safe and what isn't safe!" Not sure I really want to listen to them on this. I'm not saying that telecommuting is or isn't safe. A comment such as that can't be made carte blanche. The answer to this is again "It depends." It can be safe provided that the right controls are in place.
If you give a user a laptop with admin privileges and a T-Mobile Hot Spot account and tell him to go work where he wants, then I'd have to question the security of your telecommuting program. If done correctly, I believe that a user can work remotely from most places and still remain secure.
Here is my list of what needs to happen to make telecommuting as safe as possible. This is assuming the use of a company-provided laptop. If we get into using personal systems, then things get a little more complicated.
- User has user level access only.
- Laptop runs AV, HIPS, Personal Firewall that can't be disabled by the user.
- When connected to the company network, a security posture check of the laptop is done via NAC. This is true whether it's via VPN connection or direct (wired or wireless) connection on site.
- USB ports and CD/DVD copying are disabled.
- Autorun is turned off for CD/DVD drives.
- Wireless radios are disabled when connected to a wired network.
- Bluetooth is disabled.
- Use a 3G, EVDO or similar card for access when not on a company approved secure wireless network.
- Train the user on how to be secure and reinforce this on a regular basis.
- Ensure that you have the proper security policies in place to CYA when the user manages to do something that you can't protect against.
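
As an added example (not from the original post), here is how the technical items in the list above could be expressed as a NAC-style posture evaluation that decides whether to admit or quarantine a laptop. The report field names, the `CORP-SECURE` SSID and the sample report are all constructed for illustration and do not correspond to any particular NAC product.

```python
# Added example: evaluate a laptop's self-reported state against the checklist.
# All field names and sample values are constructed assumptions.
APPROVED_SSIDS = {"CORP-SECURE"}  # hypothetical company-approved wireless network

def evaluate_posture(r):
    """Return the checklist controls that the reported state violates."""
    failed = []
    if r["user_is_admin"]:
        failed.append("user has admin rights")
    for agent in ("av", "hips", "firewall"):
        state = r["agents"].get(agent, {})
        if not state.get("running"):
            failed.append(f"{agent} not running")
        elif state.get("user_can_disable"):
            failed.append(f"{agent} can be disabled by user")
    if r["usb_ports_enabled"]:
        failed.append("usb ports enabled")
    if r["optical_write_enabled"]:
        failed.append("cd/dvd copying enabled")
    if r["autorun_enabled"]:
        failed.append("autorun enabled")
    if r["bluetooth_enabled"]:
        failed.append("bluetooth enabled")
    link = r["link"]  # {"type": "wired" | "wifi" | "cellular", "ssid": str or None}
    # Conditional control: radios must be off while on the wired network.
    if link["type"] == "wired" and r["wifi_radio_on"]:
        failed.append("wireless radio on while wired")
    # Off an approved wireless network, only the cellular card is acceptable.
    if link["type"] == "wifi" and link.get("ssid") not in APPROVED_SSIDS:
        failed.append("unapproved wireless network")
    return failed

def decide(r):
    """Admit only when every control passes; otherwise quarantine."""
    return "quarantine" if evaluate_posture(r) else "admit"

def sample(**overrides):
    """Constructed compliant report; keyword overrides introduce violations."""
    ok = {"running": True, "user_can_disable": False}
    base = {
        "user_is_admin": False,
        "agents": {"av": dict(ok), "hips": dict(ok), "firewall": dict(ok)},
        "usb_ports_enabled": False, "optical_write_enabled": False,
        "autorun_enabled": False, "bluetooth_enabled": False,
        "wifi_radio_on": False, "link": {"type": "wired", "ssid": None},
    }
    base.update(overrides)
    return base
```

The same evaluation applies whether the report arrives over VPN or from an on-site connection, which matches the NAC item in the list.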