As official legislation specifically concerning telecommuting does not yet exist, certain issues need to be clarified through wage settlements, corporate resolutions, or individual agreements - as supplements to work contracts - between telecommuters and employers. This should include a clarification and settlement of a voluntary participation in telecommuting, overtime and surcharges, expenses for travelling between home and the institution, electricity and heating costs, liability (in the case of theft or damage to IT equipment, as well as work-related accidents and illnesses) and the duration of telecommuting terms.
Furthermore, the following issues should be clarified from the point of view of IT security:
Work periods: The allocation of working times to activities at the institution and at the home workstation needs to be regulated, in addition to the specification of fixed periods during which telecommuters should remain accessible at their home workstation.
Reaction times: Specifications should be made as regards the intervals at which information (e.g. e-mail) is to be fetched, and the time taken to respond to such information.
Work resources: Specifications can be made as regards work resources which may and may not be used by telecommuters (e.g. software which has not been approved). For example, an e-mail link can be maintained while prohibiting the use of other Internet services. Furthermore, the use of diskettes (danger of computer viruses) can be prohibited if this is not required by the home workstation.
Data backup: Telecommuters must be instructed to regularly perform data backups. In addition, one generation of each backup should be kept at the institution to improve availability.
IT security measures: Telecommuters must be instructed to observe and implement the security measures required for telecommuting. These IT security measures must be specified in writing to the telecommuters.
Privacy protection: Telecommuters must be instructed to observe regulations applying to privacy protection as well as the processing of person related data at the home workstation.
Data communications: Specifications must be made as to which data are to be transmitted using which means. This includes a stipulation of the data which are to be transmitted in encrypted form, or not at all.
Transport of folders: Specifications must be made as to the nature and safeguarding of the transport of folders between the home workstation and the institution.
Reporting routines: Telecommuters must be instructed to immediately inform a particular department at the institution on the occurrence of events relevant to IT security.
Rights to access a home workstation: Rights to access a home working place (with prior notice, if required) can be assigned for the purpose of monitoring and ensuring the availability of files and data if a telecommuter needs to be replaced by stand-in.
Additional controls:
Are telecommuters aware of the scope of their responsibilities?
Have telecommuters received written information concerning the scope of their responsibilities?
Have telecommuters received written instructions on observing IT security measures? When were these instructions last updated?