Telework and NIST
August 10, 2009 at 3:13 pm #77459
Earlier this summer, the National Institute of Standards and Technology updated its recommendations for securing Telework by federal employees.
According to NIST Special Publication 800-46 (Revision 1), Guide to Enterprise Telework and Remote Access Security, authored by Karen Scarfone, Paul Hoffman and Murugiah Souppaya, the nature of Telework and the technologies that permit remote access to protected resources from external networks generally place these systems at higher risk than similar technologies accessed only from inside the organization.
It also increases the risk to internal resources made available to Teleworkers through remote access.
This explains, for example, why the latest CDW-G survey on federal Telework trends showed a decline in the actual number of federal employees eligible to participate in Telework initiatives. Of the 273 federal IT professionals surveyed, nearly 60% reported they could Telework if their office was closed due to a storm or other disaster, down significantly from the prior year, when 75% could Telework. (See more about the survey in the feature titled, Technological Trends That Aid the Advancement of COOP, in this report.)
Major security concerns include, according to the report, a lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks and the availability of internal resources to external hosts.
The following list presents some of the key recommendations from NIST officials on how to secure Telework for access by workers who must function from remote locations:
* A Telework security policy should define which forms of remote access the organization permits, which Telework devices are permitted, the type of access each type of Teleworker is granted and how user account provisioning should be handled.
* Each organization should make its own risk-based decisions about what levels of remote access should be permitted, from which types of Telework client devices.
* Organizations should periodically reassess policies for Telework and consider changing which types of client devices are permitted and what levels of access are permissible.
* Organizations should document the security aspects of the Telework and remote access solution design in their system security plan.
* Before putting a remote access solution into production, an organization should implement and test a prototype, evaluating it for connectivity, traffic protection, authentication, management, logging, performance, implementation security and interference with applications.
* Organizations should regularly perform operational processes to maintain Telework and remote access security, such as deploying updates, verifying clock synchronization, reconfiguring access control features, and detecting and documenting anomalies within the remote access infrastructure.
* Organizations should also perform periodic assessments to confirm remote access policies, processes and procedures are being properly followed.
* Before disposing of a Telework client device or remote access server, the organization should remove any sensitive data.
The full NIST report can be found at: http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf