S 2.241 Procedure for carrying out a teleworkstation requirements analysis

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, Administrator

Before setting up a teleworkstation, it is advisable to conduct an analysis of requirements. The aim of this requirements analysis is to identify all the possible application scenarios and then to determine the hardware and software components required for connection to the home-based workstation. This will highlight any special requirements for particular systems and/or software (see module S 4.4 VPN or module S 4.5 LAN connection of an IT system via ISDN for more information).

The results of such a requirements analysis must be documented and co-ordinated with the persons responsible for IT.

The following questions must be answered, among others, in the framework of this requirements analysis:

• What is the maximum confidentiality requirement of the data that is allowed to be processed in the framework of telecommuting on the teleworkstation, meaning outside the "protective walls" of the government agency or company?
• For what purpose is access to the organisation used (to query information, to submit information, to use programs)?
• How high is the volume of data traffic between the home-based workstation and the organisation?
• Does the telecommuter need access to the intranet of the organisation? If so, is access required to the entire intranet, meaning to all data and services available there, or is access only needed to certain parts of the intranet?
• Will telecommuters be allowed to use the Internet? If so, will the telecommuters access the Internet over their own access points or will access be obtained through the organisation's intranet?

Depending on the confidentiality requirements of the data, it may be necessary to specify the use of certain transmission routes between the organisation and the teleworkstation. It may make sense in this case to prohibit the use of certain transmission routes or specify minimum requirements for their use. For example, an organisation could specify that paper documents containing confidential information are only allowed to be transported directly from the organisation to the telecommuter's workplace in locked transport containers. Similarly, different encryption methods for data transmissions could be specified for the various levels of confidentiality.

Similar considerations should be made when the information to be processed in the framework of telecommuting needs special protection against manipulation.

Review questions:

• Was a requirements analysis performed for the teleworkstation?
• Were the requirements placed on the telecommuter workplace co-ordinated with the persons responsible for IT (administrators and other technical personnel)?
• Were the protection requirements of the information processed in the framework of telecommuting determined and documented?