S 2.113 Requirements documents concerning telecommuting
Initiation responsibility: Top Management, Head of Personnel
Implementation responsibility: Personnel Department, Supervisor
Various issues relating to labour regulations and occupational safety laws need to be taken into account when designing the telecommuting framework. For this reason, contentious points should be clarified in employment agreements or in separate agreements between the telecommuter and employer as a supplement to the employment contract. These agreements should clarify or regulate the following points, for example:
- Confirmation of voluntary participation in telecommuting
- Overtime work and reimbursement
- Expenses for travel between the organisation and the home
- Expenses, for example for electricity and heating
- Liability (in case of theft or damage to the IT, but also in case of an occupational injury or occupational illness)
- Termination of telecommuting
The security safeguards that need to be implemented for telecommuting, covering the handling of information and the use of information and communication technology, also need to be documented in a security policy for telecommuting.
The following aspects should be considered in the regulations for telecommuting, for example:
- Working hours: The number of working hours spent performing tasks in the organisation and at the home workplace must be regulated. It is also necessary to specify fixed times during which it is possible to reach the telecommuter at the home workplace.
- Reaction times: Specifications should be made as regards the intervals at which information (e.g. e-mail) is to be checked, and the time taken to respond to such information.
- Handling confidential information: When telecommuting, information is edited in analogue form, for example on paper, as well as in digital form. Regardless of which form the information is available in, it needs to be protected against unauthorised access and other security risks. For this reason, the entire life cycle of business-critical information must be adequately protected.
- Work resources: Specifications should be made as regards work resources which may and may not be used by telecommuters (e.g. software which has not been approved). For example, an email connection may be provided, but the use of other Internet services can be prohibited. Furthermore, it is also possible to prohibit the use of data media such as CDs, DVDs, or USB sticks when the workplace of the telecommuter does not require the use of these media.
- Data backup: Telecommuters must be instructed to perform regular backups of the data stored locally. Furthermore, telecommuters should agree to store one generation of data backups at the organisation in order to support the availability of the data.
- Synchronisation of data: Data that will be processed in the organisation as well as at telecommuter workplaces must be synchronised accordingly. The synchronisation procedure must be planned carefully to avoid conflicts and losses of data in cases where two different users change or delete the same record in the mirrored databases. It is recommended to use suitable software for this purpose.
- Data privacy: Telecommuters must be instructed to follow the relevant data protection regulations and informed of the safeguards that must be taken when processing personal data at the home workplace.
- Data communication: It must be specified which data is allowed to be transmitted over which routes, which data is not allowed to be transmitted electronically, and which data may only be transmitted in encrypted form. Similarly, it is necessary to specify which documents may be transported between the organisation and the home workplace and how these documents need to be protected during transport.
- Transportation of documents and data media: The type and manner in which documents and data media are transported between a home workplace and the organisation must be regulated. Confidential data stored on digital data media should only be transported in encrypted form.
- Reporting routines: Telecommuters must be instructed to immediately inform a particular department at the institution of any events relevant to IT security. This party must be specified in advance.
- Rights to access a home workstation: Telecommuters can agree to grant the organisation the right to access their home workstation (after logging in, if necessary) for monitoring purposes and to ensure the availability of files and data in case a substitute needs to replace the telecommuter.
- Substitution arrangements: A substitute should be appointed for every telecommuter. The substitute must be informed of all ongoing activities so that he or she can take over quickly when needed. This means telecommuters always need to carefully document the results of their work. It may also make sense to have the telecommuter and his/her substitute meet occasionally or even regularly. Furthermore, it must be specified how the substitute will access the data in the documents stored on the telecommuter's computer or workstation when the need for a substitute for the telecommuter arises unexpectedly. The substitution procedure in case of such an event should be tested and the results evaluated by the telecommuter and his or her substitute.
The rules and regulations must be handed out to every telecommuter. The corresponding instruction sheets must be updated regularly.
Review questions:
- Have all aspects relevant to telecommuting been regulated?
- Have all security safeguards relevant to telecommuting been documented in a security policy for telecommuting?
- Have all telecommuters been required to follow the security policy for telecommuting?
- Were the telecommuters given the regulations and the security policy for telecommuting or a corresponding instruction sheet explaining which security safeguards need to be implemented?
- Have substitutes been named for all telecommuters?
- Have the substitution procedures been tested?