S 2.117 Creating a security concept for telecommuting
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: Head of IT, Supervisor, Head of Organisation
Various general conditions must be clarified to enable telecommuting in a secure framework. A security concept for telecommuting should be prepared that states the security objectives, the protection requirements of the information processed while telecommuting, as well as the risks and security safeguards.
When telecommuting, information is processed outside of the protected operating environment. A protection requirements determination must be performed in advance for the corresponding information, business processes, applications, IT systems, communication connections, and rooms (and especially for the telecommuter workplaces) in terms of confidentiality, integrity, and availability. The security objectives, and therefore the security requirements placed on the telecommuters, the telecommuting computers, and the telecommuting workplaces, are then derived from the protection requirements of the data to be processed on the telecommuting workstations.
In addition to an overview of the threat scenario and the organisational, infrastructural, and personnel security safeguards, it may also be useful to implement safeguards for the following areas:
- The handling of data and of resources requiring protection, such as documents and storage media, and especially rules regarding the creation of copies, deletion, and the destruction of data media
- Securing communications (e.g. using encryption or electronic signatures) between the organisation and the telecommuting workplace in order to protect confidential data
- Authentication mechanisms
- Rules and regulations for additional network connections
- Rules for exchanging data
- Data backup
Various laws and regulations also need to be taken into account when designing the telecommuting procedures (see S 2.113 Requirements documents concerning telecommuting).
The requirements, objectives, and safeguards to be implemented for the purpose of security when telecommuting must be documented. The security concept for telecommuting must be co-ordinated and harmonised with the global security concept of the organisation. In addition, the security concept for telecommuting must be updated regularly and adapted to changes in the organisation or in technology.
The security safeguards to be implemented by the telecommuters must be summarised in a telecommuting security policy created specifically for telecommuters.
Review questions:
- Is there a security concept for telecommuting?
- Is the telecommuting security concept up to date?
- Are all security requirements and safeguards for telecommuting described in the security concept in sufficient detail?