All telecommuting computers are equipped with electronic communications facilities. From the point of view of IT security, guidelines concerning the use of these communications facilities need to be prepared. The use of these facilities for private purposes should generally be prohibited.
At least the following issues should be clarified:
Monitoring of data flow:
Which services may be used for data transmission?
Which services must be barred explicitly from use?
Which information may be sent to which persons?
Which written correspondence may take place via E-mail?
If the telecommuting computer possesses a fax modem, or if a fax machine is available at the telecommuting workstation, clarification is required as to which information may be transferred to whom via fax.
Which information must be approved by the institution before it can be transmitted electronically?
Information acquisition:
Which electronic services (database queries, electronic searches) may be used from telecommuting computers? For example, query patterns can serve as a basis for inferring corporate strategy.
Which budget is available for electronic services?
IT security measures:
Which data require which type of encryption?
Which data should be deleted after successful transmission? This might apply to person-related data, for example.
Which data should be backed up on the telecommuting computer even after it has been transmitted successfully?
Are data scanned for viruses before dispatch or after receipt?
Which data transmissions should be registered in a log? If automatic logging is not possible, a clarification is required as to whether and to what extent manual logging must be performed.
Internet usage:
Is the usage of Internet services prohibited in general?
Which type of data may be downloaded from the Internet? Data downloaded from extraneous servers might harbour the threat of computer viruses.
Which options may be activated in the Internet browser?
Which security mechanisms of the Internet browser should be activated?
Is approval by the institution required if a telecommuter intends to exchange information via news groups? Anonymous usage might be required in certain cases.
Guidelines concerning signatures:
Do guidelines concerning signatures for communications exist?
Do the digital signatures in use conform with legal regulations?
Are other authentication processes used for written correspondence?
Additional controls:
Are telecommuters aware of regulations concerning the use of communications facilities?
Do telecommuters provide their signature to acknowledge instructions concerning the use of communications facilities?