S 2.116 Regulated use of telecommuting communication capabilities
Initiation responsibility: IT Security Officer
Implementation responsibility: Telecommuter, Administrator
Telecommuting usually requires a variety of communication methods such as telephone, fax, and an Internet connection, but it will also be necessary to send and receive mail and to transport files and data media. For this reason, a telecommuting computer must provide a variety of electronic communication options.
The manner in which the available communication capabilities may be used must be regulated. It is also necessary to consider how mail will be exchanged and how files and data media will be transported between the organisation and the telecommuting workplaces. In general, clear rules should be specified regarding the private use of the communication capabilities. The rules for the use of the communication capabilities when telecommuting must be specified in writing, for example in the security policy for telecommuting (see S 2.113 Requirements documents concerning telecommuting). The telecommuters must be given copies of these rules and regulations.
At least the following issues should be clarified:
- Monitoring of data flow
The exchange of information between the telecommuting workplace and the organisation must be controlled so that the security of the information is guaranteed.
- Which services may be used for exchange of information and data transmission?
- Which information may be sent to which persons?
- Which services must be barred explicitly from use?
- What written correspondence may take place via e-mail? Are signatures required for communication?
- Which authentication methods are used for written correspondence and data exchange?
- Are digital signatures used?
- Access authorisations
If access to the IT of the organisation is required for telecommuting (for example to a server), then it must be specified in advance which objects (such as data or IT) a telecommuter actually needs to perform his or her tasks. See S 2.7 Granting of (system/network) access authorisations and S 2.8 Granting of (application/data) access authorisations for information on granting site access and data access rights.
- Have the required rights (such as read and write permissions) been assigned to these objects? Telecommuters should not be able to access any objects they do not need to perform their tasks.
- Security safeguards when exchanging information
The information exchanged when telecommuting must be adequately protected. Confidential information must be transported securely.
- Which shipping method (e.g. a courier service) should be used for which data media? Which type of transport security is adequate (e.g. envelopes with security chains)?
- Which encryption methods should be used for which data? Data should always be encrypted during transmission and when stored on data media, if possible, so that a loss of data during transport will only threaten the data's availability and not its confidentiality.
- Are backup copies made of all data to be transmitted that was only created or compiled for the purpose of the data transmission? If the data medium is lost or damaged during transfer, then the data can be sent again quickly and easily when backup copies of the data collected are available.
- Which data needs to be deleted after successful transmission? This can apply to personal data, for example.
- Which data can continue to be stored on the telecommuting computer even after successful transmission?
- The data should be scanned for computer viruses before it is sent and when it is received.
- Which data transmissions need to be logged? If it is not possible to record the data transmissions automatically in a log, then it is necessary to specify if (and if so, with what level of detail) a handwritten record of the transmission needs to be made.
- Internet use
Rules must be specified stating whether or not Internet services are allowed to be used on the telecommuting computers. It must also be clarified in this context if the telecommuting computers can be used privately.
- Is the use of Internet services generally prohibited?
- Which Internet services may be used?
- Is downloading data from the Internet allowed? There is a risk that data downloaded from third-party servers could contain malware.
- Which general conditions and technical security safeguards must be taken into account when using the Internet? Which security mechanisms should be enabled in the browser, for example?
- Are telecommuters allowed to exchange information on Internet platforms, in newsgroups, blogs, or similar points of exchange? Do they need to use a pseudonym for this purpose?
- Information acquisition
A variety of services for obtaining information can be used from a telecommuting workplace. Such services include database queries, search engines, documentation systems, and research service providers. Since the providers of such services sometimes charge for their use, the budget allocated by the organisation for this purpose must be taken into account.
- Which services for obtaining information may be used from a telecommuter workplace?
- Queries should be sent over an encrypted connection if possible so that no internal information (such as the business strategy) can be deduced from the type of queries issued.
- Is the bandwidth of the communication connection on the telecommuting computer adequate for online research and database queries?
Review questions:
- Are clear rules specified regarding which communication capabilities may be used under which general conditions for the purpose of telecommuting?
- Is it guaranteed that information exchanged while telecommuting is adequately protected?
- Are there rules regarding the professional and private use of Internet services when telecommuting?