9.3 Telecommuting

Description

In general, telecommuting comprises activities which are performed from a remote location for an employer or client with the help of communications links to that employer or client.

There are different types of telecommuting, such as working at satellite offices, neighbourhood offices, mobile telecommuting, and working at one's own residence. In the last case, a distinction is made between exclusive telecommuting and alternate telecommuting, i.e. working exclusively at home, or partly at home and partly at an institution.

This chapter deals with the types of telecommuting performed partly or exclusively at home. It is assumed that the home workstation and institution are linked by means of a telecommunications line allowing an exchange of data and, if required, access to data at the institution.

The measures recommended in this chapter fall under four different categories:

• Organisation of telecommuting
• Remote computer used by the telecommuter
• Communications link between the remote computer and institution
• Computer at the institution used for communication with the remote computer

The safeguards recommended in this chapter concentrate on additional security requirements for IT systems used for telecommuting. In particular, security requirements are formulated for the technical components of telecommuting (remote computers, communications links and communications computers); these requirements must be met by appropriately configured IT systems. The related modules in Chapter 5 and the safeguards for the home working-place mentioned in Chapter 4.5 also need to be considered for the IT systems used.

Threat Scenario

The following typical threats are assumed as regards IT baseline protection of telecommuting:

Force Majeure:

• T 1.1 Loss of personnel

Organisational Shortcomings:

• T 2.1 Lack of, or insufficient, rules
• T 2.2 Insufficient knowledge of requirements documents
• T 2.4 Insufficient monitoring of IT security measures
• T 2.5 Lack of, or inadequate, maintenance
• T 2.7 Unauthorised use of rights (on the workstations at home and at the institution)
• T 2.8 Uncontrolled use of resources
• T 2.22 Lack of evaluation of auditing data
• T 2.24 Loss of confidentiality of sensitive data of the network to be protected
• T 2.49 Lack of, or inadequate, training of teleworkers
• T 2.50 Delays caused by a temporarily restricted availability of teleworkers
• T 2.51 Poor integration of teleworkers into the information flow
• T 2.52 Longer response times in the event of an IT system breakdown
• T 2.53 Inadequate regulations concerning substitution of teleworkers

Human Failure:

• T 3.1 Loss of data confidentiality/integrity as a result of IT user error
• T 3.3 Non-compliance with IT security measures
• T 3.9 Improper IT system administration
• T 3.13 Transfer of incorrect or undesired data records
• T 3.16 Incorrect administration of site and data access rights
• T 3.30 Unauthorised private use of telecommuting workstations

Technical Failure:

• T 4.13 Loss of stored data

Deliberate Acts:

• T 5.1 Manipulation/destruction of IT equipment or accessories
• T 5.2 Manipulation of data or software
• T 5.7 Interception of lines
• T 5.8 Manipulation of lines
• T 5.9 Unauthorised use of IT systems
• T 5.10 Abuse of remote maintenance ports
• T 5.18 Systematic trying-out of passwords (on the workstations at home and at the institution)
• T 5.19 Abuse of user rights
• T 5.20 Misuse of administrator rights
• T 5.21 Trojan Horses
• T 5.23 Computer viruses
• T 5.24 Replay of messages
• T 5.25 Masquerade
• T 5.43 Macro viruses
• T 5.71 Loss of confidentiality of classified information

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

A sufficiently reliable form of telecommuting is only achieved if IT security measures from several areas are allowed to overlap and complement each other. If any one of these areas is neglected, secure telecommuting can no longer be ensured. The individual areas and essential measures are:

• Infrastructural reliability of the remote workstation: Measures to be implemented at the remote workstation are described in Chapter 4.5 titled "Working Place at Home".
• Organisation of telecommuting: Secure telecommuting requires organisational regulations and measures for governing staff activities. These are listed in the following under the general headings "Organisation" and "Personnel". Particular attention needs to be paid to the obligations and assignments of telecommuters, and rules concerning the usage of communications facilities. They are described in the following measures:

• S 2.113 Requirements documents concerning telecommuting
• S 2.116 Regulated use of communications facilities
• S 2.117 Regulation of access by telecommuters
• S 3.21 Training and further education of telecommuters as regards security-related issues

• Security of the telecommuting workstations: The remote computer must be configured so as to allow secure use even in an unsecure operational environment. In particular, only one authorised person should be able to use the remote computer in the online and offline states. The related measures are summarised under the general headings "Hardware/software" and "Contingency measures". In particular, the security requirements in S 4.63 Security requirements for remote computers should be observed.
• Secure communications between telecommuting workstations and an institution: As communications take place via public networks, special security requirements concerning the exchange of data between telecommuting workstations and an institution need to be observed. These are described in S 5.51 Security-related requirements for communications links between telecommuting workstations and the institution. For the linkage of a remote computer via the public network, refer to Chapter 8.4 titled "LAN integration of an IT system via ISDN".
• Protection of communications computers at institutions: To a certain extent, these computers constitute a publicly accessible interface via which telecommuters can make use of information technology and data at the institution. As misuse by unauthorised parties needs to be prevented here, special security requirements described in S 5.52 Security requirements for communications computers must be met.

The package of measures for the area of telecommuting is listed in the following:

Organisation:

• S 2.9 (2) Ban on using non-approved software
• S 2.22 (2) Escrow of passwords
• S 2.23 (3) Issue of PC Use guidelines (optional)
• S 2.64 (2) Checking the log files (on the workstations at home and the institution)
• S 2.113 (2) Requirements documents concerning telecommuting
• S 2.114 (2) Flow of information between the telecommuter and the institution
• S 2.115 (2) Care and maintenance of workstations for telecommuting
• S 2.116 (1) Regulated use of communications facilities
• S 2.117 (1) Regulation of access by telecommuters

Personnel:

• S 3.4 (1) Training before actual use of a program
• S 3.5 (1) Education on IT security measures
• S 3.21 (1) Training and further education of telecommuters as regards security-related issues
• S 3.22 (2) Regulations concerning substitution of telecommuters

Hardware/Software:

• S 4.3 (2) Periodic runs of a virus detection program
• S 4.30 (2) Utilisation of the security functions offered in application programs
• S 4.33 (1) Use of a virus scanning program when exchanging of data media and data transmission
• S 4.44 (2) Checking of incoming data for macro viruses
• S 4.63 (1) Security-related requirements for telecommuting computers

Communications:

• S 5.51 (1) Security-related requirements for communications links between telecommuting workstations and the institution
• S 5.52 (1) Security-related requirements for communications computers

Contingency Planning:

• S 6.13 (2) Development of a data backup plan
• S 6.22 (2) Sporadic checks of the restorability of backups
• S 6.23 (2) Procedure in case of computer virus infection
• S 6.32 (1) Regular data backup
• S 6.38 (2) Back-up copies of transferred data
• S 6.47 (2) Storage of backup copies as part of telecommuting