IT Baseline Protection Manual - Chapter 9.3 Telecommuting
9.3 Telecommuting
Description
In general, telecommuting comprises activities which are
performed from a remote location for an employer or
client with the help of communications links to that
employer or client.
There are different types of telecommuting, such as
working at satellite offices, neighbourhood offices, mobile
telecommuting, and working at one's own residence. In the
last case, a distinction is made between exclusive
telecommuting and alternate telecommuting, i.e. working
exclusively at home, or partly at home and partly at an institution.
This chapter deals with the types of telecommuting performed partly or exclusively at home. It is
assumed that the home workstation and institution are linked by means of a telecommunications line
allowing an exchange of data and, if required, access to data at the institution.
The measures recommended in this chapter fall under four different categories:
Organisation of telecommuting
Remote computer used by the telecommuter
Communications link between the remote computer and institution
Computer at the institution used for communication with the remote computer
The safeguards recommended in this chapter concentrate on additional security requirements for IT
systems used for telecommuting. In particular, security requirements are formulated for the technical
components of telecommuting (remote computers, communications links and communications
computers); these requirements must be met by appropriately configured IT systems. The related
modules in Chapter 5 and the safeguards for the home working-place mentioned in Chapter 4.5
also need to be considered for the IT systems used.
Threat Scenario
The following typical threats are assumed as regards IT baseline protection of telecommuting:
T 5.71 Loss of confidentiality of classified information
Recommended Countermeasures (S)
To implement IT baseline protection, it is recommended to select the required packages of safeguards
("modules") as described in Chapters 2.3 and 2.4.
A sufficiently reliable form of telecommuting is only achieved if IT security measures from several
areas are allowed to overlap and complement each other. If any one of these areas is neglected, secure
telecommuting can no longer be ensured. The individual areas and essential measures are:
Infrastructural reliability of the remote workstation: Measures to be implemented at the remote
workstation are described in Chapter 4.5 titled "Working Place at Home".
Organisation of telecommuting: Secure telecommuting requires organisational regulations and
measures for governing staff activities. These are listed in the following under the general headings
"Organisation" and "Personnel". Particular attention needs to be paid to the obligations and
assignments of telecommuters, and rules concerning the usage of communications facilities. They are
described in the following measures:
S 2.113 Requirements documents concerning telecommuting
S 3.21 Training and further education of telecommuters as regards security-related issues
Security of the telecommuting workstations: The remote computer must be configured so as to allow
secure use even in an insecure operational environment. In particular, only one authorised person
should be able to use the remote computer in the online and offline states. The related measures are
summarised under the general headings "Hardware/software" and "Contingency measures".
In particular, the security requirements in S 4.63 Security requirements for remote computers should
be observed.
Secure communications between telecommuting workstations and an institution: As
communications take place via public networks, special security requirements concerning the
exchange of data between telecommuting workstations and an institution need to be observed. These
are described in S 5.51 Security-related requirements for communications links between
telecommuting workstations and the institution. For the linkage of a remote computer via the public
network, refer to Chapter 8.4 titled "LAN integration of an IT system via ISDN".
Protection of communications computers at institutions: To a certain extent, these computers
constitute a publicly accessible interface via which telecommuters can make use of information
technology and data at the institution. As misuse by unauthorised parties needs to be prevented here,
special security requirements described in S 5.52 Security requirements for communications
computers must be met.
The package of measures for the area of telecommuting is listed in the following: