Most of the problems related to telecommuting can be solved by thinking through the ramifications of telecommuting before you put a program in place and establishing clear policies to address them. These include compensation policies, conflict of interest policies, policies that address liability issues, and a broad range of security policies, which can be broken down into several categories.
With these criteria in mind, you can develop a good set of policies governing telecommuters before you send them out “into the wild.” This article will focus entirely on the security issues related to workers who access the network via remote access methods, including the physical security problems related to portable computers. Once you’ve covered these security concerns in your policy, you’ll be well on your way to supporting telecommuters in a secure and capable manner.
Policies governing telecommuting jobs and tasks
A successful telecommuting program requires evaluation of individual workers’ personal fitness for telecommuting and a determination of which jobs and tasks can be effectively performed offsite. Your policy should contain guidelines for determining which employees will be allowed to telecommute, based on these criteria. Issues include the process for a request to telecommute, at what level in the organization the request must be approved, minimum number of days per week or month that telecommuting employees must come in to the office, specific tasks that must be performed on-site, and so forth.
Physical security of computers and peripherals
Physical security is one of the first issues that must be addressed when workers’ computers are located off-site. Your comprehensive telecommuting policy should address equipment issues in detail. One question to ask is whether the company will provide computers and peripherals or whether work will be done using the employee’s equipment. For the best security, the company will have more control if it owns the equipment.
Portable computers are most vulnerable to physical risks, but your policy should also cover the security of desktop machines, which can also be stolen (or damaged). There are a number of products available to protect both notebooks and desktops, including:
- Security cables that can be used to “tie down” the computer to a desk or other heavy object.
- Alarm systems with motion detectors that will sound if someone tries to move the computer/case.
- Locking plates for systems that will remain in one primary location.
- Software solutions that will cause stolen portable computers to “call home” when connected to the Internet and GPS devices that will allow you to track the computer’s location.
- Startup security options that will prevent booting into the operating system unless a pass phrase is entered or unless a specific floppy disk is in the drive (this can be done with Microsoft’s Syskey utility).
In addition to mandating use of specific security products that have been tested and found to be appropriate, your policies should include “common sense” guidelines for traveling with a portable computer, such as:
- Never leave the computer unattended, even briefly, in any public place. Don’t leave the computer in your hotel room, or if you must, secure it to an immovable piece of furniture with a cable lock.
- Select a case that doesn’t scream “computer inside!” such as a regular briefcase outfitted internally for your portable computer. Avoid cases with the computer manufacturer’s name, etc.
- Use tamper-resistant tags or directly engrave identifying information on the computer case.
Employee responsibility for the physical security of the equipment should be spelled out clearly in the policy. For example, if the laptop is lost or damaged, will the company’s insurance cover it or will the employee have to reimburse the company? If the latter situation occurs, what are the terms of repayment and how is it deducted from the employee’s paycheck? All of these questions should be considered before the situation arises.
Physical security policies should address not just computers but also peripherals, such as external disk drives, removable media, and related devices.
Use of wireless equipment is also an important security issue. If an employee sets up a home network (for example, to communicate between a notebook and desktop computer), information sent over the wireless network may be vulnerable to interception by anyone in the vicinity who has the proper equipment (“war drivers” or neighbors). Your policy might prohibit wireless use altogether or mandate wireless security measures (such as WEP encryption and changing of default administrative passwords and SSIDs on the access point).
Software and network security
Your telecommuter policy should address general software and network security issues. If the equipment belongs to the company, the policy can specify exactly what software can be installed and prohibit any unauthorized software, which will cut down on the risks associated with downloaded programs. If workers use their own equipment, this is a trickier issue. It is important to educate employees about the risks of viruses and other “malware” and how sloppy security practices can affect the entire company network to which they connect.
Policies should address such issues as:
- Mandating that an antivirus program be used and that its definition files be updated regularly.
- Mandating that a firewall be used when the employee connects to the Internet.
- Establishing policies regarding the opening of e-mail attachments, the use of HTML e-mail, and so on, perhaps mandating use of an e-mail proxy to allow employees to check mail without directly connecting to the company LAN.
- Mandating that only particular e-mail client programs, Web browsers, and other application programs be used and specifying how their security settings should be configured.
It is also important that the policy specify the procedure employees should follow if they detect a security problem. To whom does the telecommuter report a suspected virus or apparent unauthorized access? How will software patches and updates be applied? Will the employee be responsible for this, will that person bring the computer in at scheduled times for updates, will a technician be sent to the worker’s location, or will this be done by technicians via a remote control session? All this should be specified in the policy.
An “appropriate use” policy should also be established for workers using company equipment offsite. Can the employee send and receive personal (nonbusiness-related) e-mail or use the system to surf the Web during nonwork time? The policy should specifically address accessing pornographic sites and downloading “warez” (illegally distributed copyrighted material). Also, since content filtering is a controversial issue if your organization elects to use it, you should spell out in the policy that content is monitored and the scope of the monitoring.
One security option is to have remote access users connect to a terminal server. In this case, the work itself is done on the server; the user’s computer only provides the interface. Windows Terminal Services allows you control over each user’s sessions, and you can set profiles and security restrictions on users’ terminal accounts. Note that you’ll need a client license for each user; however, system requirements for the client computers are very low.
Next, your policy should address employee responsibility and accountability when it comes to protecting the integrity of company data on an offsite computer. What level of security is required for specific types of data? How can that level of security be attained? Examples of policy issues include:
- Is the employee allowed to store company data on floppy disks, memory sticks, and other removable media?
- Is the employee required to use data encryption for data stored on the disk? If so, what encryption scheme should be used (Windows EFS or a particular third-party encryption package)?
- If the employee uses personal equipment, what about other family members who share the computer? You’ll need to address the requirement for a secure operating system and separate user accounts.
An important issue is the choice of operating systems and file systems. Windows 9x, which many people have on their home computers, doesn’t provide file-level access permissions or include built-in encryption support. NT-based operating systems such as Windows 2000 and XP are more secure, but the NTFS file system must be used to take advantage of all the security features. Your policy should specify that a secure OS and file system be used for telecommuting work.
Password and access policies
Your telecommuter policy should address password and access policies in the same way that your onsite security policies do. Requirements for secure passwords (password length and complexity, avoidance of dictionary words and commonly used or easily guessed passwords, etc.), requirements to change passwords on a regular basis, and prohibitions on divulging passwords or writing them down should all be covered.
Access permissions and user rights should be considered when employees telecommute. You may want to assign a lower level of access to an employee when connecting from home or on the road, as opposed to the rights and permissions that employee has when connecting at the office. A good rule of thumb is to grant only the level of access that’s needed to get the job done.
Dial-in and VPN policies
Your company may allow users to connect remotely either directly over a dialup connection, from the user’s modem to the server’s modem, or over the Internet through a virtual private network (VPN). You may want your policy to specify which method is preferred, and you’ll need to address common security issues with each method, including:
- Dial-in policies: Because your remote access server may have a limited number of modems in its modem bank, you can use account restriction policies to restrict the hours during which specific individuals can dial in to the company network, and limit the amount of time they can be connected. Your policy might also specify callback security policies, which require that remote users dial in from a particular phone number (which is then associated with the user account). When the user connects to the server and authenticates, the server will hang up and call the user back at the preprogrammed number. This ensures that someone who discovers the credentials of a legitimate user can’t access the network unless calling from the legitimate user’s location.
- VPN policies: Your VPN policies should address the tunneling protocols to be used or which protocols are preferred (for example, L2TP instead of PPTP). You can also limit those connected via a VPN to using only approved application protocols and prohibiting certain protocols (such as FTP, Telnet, IRC, and so on). The policy may also state ordered preferences for the VPN servers to which employees are allowed to connect, connection times, etc. Your policy should also address “split tunneling” (multiple simultaneous network connections).
Regardless of the remote access method, the policy should address the responsibility of the employee to ensure that others do not use the dial-in or VPN account. You will probably want to prohibit use of non-GSM cellular and wireless phones to connect to the company network because their signals can be intercepted.
GSM digital wireless phones may be considered secure enough for a connection to the network. Your policy should be specific in this regard.
Authentication servers, such as RADIUS or TACACS+, can be implemented to provide more secure remote access authentication.
Policies governing high-sensitivity work
Your organization should have an overall information sensitivity policy that includes guidelines for determining the sensitivity level of different types of information. This should be referenced in your telecommuter policy, and any deviations from the general policy that apply to offsite workers should be noted.
When a telecommuter’s job duties involve working with highly sensitive data (such as confidential client information, financial and personnel information, trade secrets, and so on), policies should dictate extra security measures, such as:
- Strong data encryption (specifying encryption algorithms, key lengths, and so forth)
- IP security (IPSec) when sending sensitive data across the network
- Smart card or biometric authentication, or the use of one-time passwords for remote access connections
- Special instructions for disposal of data (overwriting or physical destruction of disks, return of media to company premises)
- Requirements for digital signatures to validate the identity of the sender of documents
As more companies and employees take advantage of the benefits of telecommuting, security presents new challenges because offsite computers are inherently less controlled and thus more vulnerable to security breaches that can impact the company’s network. A good set of telecommuter security policies can go a long way toward closing these security gaps and making offsite work a safe alternative.
While not a complete list, the above policies should help you develop sound telecommuting guidelines. Do you have any telecommuting policy ideas you would like to add to this list? Feel free to contribute what you think an IT manager should consider before implementing a telecommuting policy by clicking on the Discussion button below.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.