S 3.21 Training of telecommuters as regards security-related issues
Initiation responsibility: Supervisor, IT Security Officer
Implementation responsibility: Supervisor, IT Security Officer
Telecommuters work exclusively or only periodically outside of the building of the employer and/or customer. This means that different security safeguards apply to telecommuting than to working at the organisation. For this reason, it is necessary to draw up a security concept for the telecommuter workplaces based on the organisation-wide security concept (see S 2.117 Creating a security concept for telecommuting). In addition, corresponding security policies should be drawn up and published for the telecommuters. Based on the security policies for telecommuting, the telecommuters must be instructed regarding the corresponding security safeguards and possibly even trained in how to deal with them. The following aspects in particular must be taken into consideration when instructing the telecommuters:
- Official documents must be stored securely at the telecommuter's workplace, e.g. they should be locked in a cabinet after use.
- Windows and doors to the outside (balconies or patios) must be locked when the telecommuter leaves his/her workplace.
- Structural and security-relevant changes to the IT at the telecommuter's workplace may only be made by the administrators employed at the organisation.
- The telecommuting computer may only be connected to public communication networks using the connections intended for this purpose. PBX and internet access points used privately must be separate from the access points used for official business.
- Only data media purchased by the organisation may be used to exchange data between the IT systems at the organisation and the PC workstation at the telecommuter's workplace. Data media should only be transported in encrypted form so that no confidential data is disclosed if they are lost. Official and private IT systems or data media should be clearly separated from each other, for example in order to prevent the spread of malware.
- Unauthorised access to the telecommuting IT must be prevented using access blocking mechanisms, for example using boot and screen locks. Passwords must be kept secret in general, including those used to access the workstation computer and the communications computer.
Furthermore, the telecommuters must be trained in the handling of the telecommuting computers in such a way that they can correct simple errors (such as replacing a printer cartridge) and/or eliminate simple problems themselves.
Review questions:
- Have the telecommuters been instructed in the security concepts and security policies which apply specifically to telecommuting?