Restrictions on Telework Client Devices and Remote Access Levels

Each organization should make its own risk-based decisions about what levels of remote access should be permitted from which types of devices. Factors that organizations should consider when setting telework security policy for this include the following:

Some telework involves access to sensitive information or resources, while other telework does not.

Organizations may have more restrictive requirements for telework involving sensitive information, such as permitting only organization-controlled telework devices to be used.

Meeting many of an organization's security requirements can typically be ensured only if the organization controls the configuration of the telework devices.

For personally owned devices, some requirements can be verified by automated security health checks conducted by the remote access server on devices attempting to connect, but other requirements cannot be verified by the organization by automated means.

Making users aware of their responsibilities can help to improve security on personally owned telework devices, but will not result in the same degree of security policy compliance as mandatory security controls enforced on organization-controlled telework devices.

Even the most conscientious users may fail to properly maintain the security of their personally owned devices at all times because of the technical complexity or effort involved or their lack of awareness of new threats.

Costs associated with telework devices will vary based on policy decisions. The primary direct cost is issuing telework devices and client software to teleworkers.

There are also indirect costs in maintaining telework devices and in providing technical support for teleworkers.

Another consideration related to cost is telework frequency and duration; an organization might justify purchasing telework devices for individuals who telework regularly (e.g., one day per week from home, frequent business travel), but not purchasing telework devices for individuals who telework only occasionally for short durations, such as quickly checking email from home a few evenings a month.

Risks will generally be higher for devices used in a variety of locations than in just a home environment. Also, in some cases the organization can determine the teleworker's location (i.e., identify whether the device is on an authorized home network), in which case policies could be enforced based on location.

Certain types of devices may be needed for particular telework needs, such as running specialized programs locally.

Also, if an organization has a single type of remote access server, and that server can only allow connections through a custom client that is installed on the telework device, then only the types of devices that can support the client are allowed.

Organizations may need to comply with telework-related requirements from mandates and other sources, such as a Federal department issuing policy requirements to its member agencies. An example of a possible requirement is restrictions on performing telework in certain foreign countries.

Computer Security - Cryptography
Development of a Cryptographic Module
Cryptographic Module Guidance
Cryptography - Security Levels
Cryptographic Module Finite State Model
Cryptographic Modules - Design
Configuration Management
Conditional Self-Tests
Pre-Operational Self-Test
SSP Zeroization
SSP Entry and Output
Environmental Failure Testing Procedures
Single-Chip Cryptographic Modules
Multiple-Chip Standalone and Embeded Cryptographic Modules
Cryptographic Module Specification
Software and Services
Operator Authentication & Logical Interfaces
Cryptography - Acronyms