A central point for collection of information that relates to computer security. Including, but not limited to, security advisories from the major vendors, major data breaches, "phishing" alerts, commentary regarding staffing levels. etc. etc.
September 16, 2009 at 1:54 pm #80768
From the telework Exchange Newsletter
Deploying the Safe Laptop
An Interview with the USPTO
The United States Patent and Trademark Office (USPTO) has one of the longest-running and most successful telework programs in the Federal government, with more than 80 percent of its 5,913 eligible positions participating on a regular basis. What's more, approximately 2,053 of its patent examining employees and trademark examining attorneys are true at-home employees, spending four days a week working remotely.
That level of success, however, is fully contingent on a well-devised and well-executed security program. Danette Campbell, the USPTO's senior advisor for telework, and Rod Turk, director of the Office of Organizational Policy and Governance within the Office of the Chief Information Officer, have worked together to put in place strong telework security policies, training requirements, and security and privacy practices that effectively safeguard laptops and agency data and maintain executive support of the program.
The emphasis on ensuring secure connections between remote workers and USPTO office locations has enabled the agency to fully reap the more tangible benefits of telework. These include a 10 percent improvement in workforce productivity, the ability to increase the workforce without increasing real estate costs, and cost savings of more than $11 million to date.
Campbell and Turk recently discussed their security philosophy and program details with The Teleworker.
Q: Is there such a thing as a safe laptop, and what does it need to have in terms of key technologies?
A: USPTO has to move massive patent application and trademark agreement documents back and forth online continuously, which means that it must be able to do so in a very secure, error-free environment. As a result, USPTO has spent a good deal of time devising ways to encrypt all the data on which people work in an online environment. It has also gone to great lengths to make certain no critical data are stored permanently on USPTO-issued employee laptops. So information is stored on a USPTO server – not on the laptop itself.
Agencies should configure the remote laptops to mitigate the risks of them being used in a manner that comprises an agency's mission. This includes:
* Encryption Industry-standard strong encryption of the hard drive
* Login – Unique, single-user, pre-boot authentication through the hard drive encryption software and then laptop operating system, with a "strong" password that users are required to change on a regular basis
* User Permissions – Users are not set up with local administrative rights
* Software Firewall – Pre-configured firewall software that allows any network traffic that is required to conduct work and remote support, while blocking unsolicited network traffic
* Anti-Virus – Automated and regular definition updates and pre-configured virus scanning
* Spyware – Spyware, adware, Trojan horse, and hijacker detection software pre-configured with automated definition updates
* Operating System Updates –Automated/scheduled updates to the operating system for security and critical patch-related updates
* One Master Baseline – All laptops are configured with one master baseline and are maintained and supported through remote assistance and remote management software
Q: What are the most important security points that USPTO includes in all teleworker training programs?
A: The USPTO provides extensive training: all teleworkers receive non-IT and IT training before they are deployed to work from home. The IT training teaches the employee how to work from home using their equipment properly. USPTO teleworkers are trained on and receive associated documentation describing the IT policies that must be followed when working remotely. These policies also are published on the USPTO intranet Web site. The IT policies require the following responsibilities and agreements:
* Teleworkers must understand that they are required to take all necessary steps to safeguard government equipment from loss or theft
* Absolutely NO data, of any kind, is to be stored on a teleworker's local laptop hard drive
* Teleworkers do not have permission, nor the ability, to load additional software on their telework laptop
* Teleworkers are responsible for maintaining the confidentiality of applicant files and agency work products in accordance with their business area requirements
* Teleworkers are not permitted to use their laptops in any location or under any circumstance where non-agency personnel may be able to view restricted information, such as a hotel lobby, airport, or coffee shop
In addition, unless on leave from the office, all employees are responsible for connecting their Enterprise Remote Access (ERA) laptops to the USPTO's virtual private network (VPN) at least once per week (meaning every seven days) for a minimum of fifteen minutes. This action may be taken during core business hours, at night, or on weekends. Ensuring that all ERA laptops make this connection weekly permits the USPTO to perform routine asset verification and provides an opportunity for any critical software updates (or "pushes") to occur.
Q: Summing up: What is the best laptop security advice you can offer to other telework program coordinators?
A: Consider the risks associated with having a dispersed, at-home workforce and ensure that extensive telework training is in effect for teleworkers and managers. In addition, managers and teleworkers alike should receive education and be knowledgeable regarding their agency's information technology policies. The best laptop security advice, though, is to put in place the very specific security policies mentioned earlier. They will enable you to create an environment that ensures a secure connection.
Copyright 2009 Telework Exchange
You must be logged in to reply to this topic.