ISO 27001:2022 A.6.7 Remote working

Remote working is an arrangement in which an employee works at a location, usually but not always their home, that is away from the business facility at which they are employed. Under this arrangement the employee stays in close contact with coworkers and supervisors through computer, Internet and communication technology (e.g. electronic mail, telephone and removable media). Remote working is an increasingly popular option in many businesses and industries, and its use is expected to keep growing as computer and communication technology improves. Several factors drive this trend. The pool of employees with specific skills is shrinking, which makes employers more willing to make concessions to keep valued employees. A smaller labor pool combined with rising demand for highly skilled workers has fueled an employee-driven change in working environments: scarce, highly skilled workers have begun to demand more flexible arrangements, especially as they choose to live farther and farther from their employers. Newer generations of workers are less willing to sacrifice time with family than their predecessors, and the wish to spend more time at home and avoid long commutes is cited as a key factor in making telecommuting an attractive benefit. Finally, technology has made working from home a viable alternative: with high-speed connections, fax machines, voice mail, powerful personal computers, electronic mail and the like, workers can perform their jobs without losing touch with employers and customers.


Both employers and employees have found remote working to be a mutually beneficial arrangement in many instances. Proponents cite several positive factors in particular:

  1. Happier employees. Teleworking arrangements can help workers realize a general improvement in their personal “quality of life.” They avoid long, stressful commutes, gaining more time for pleasurable activities and more flexibility for variable responsibilities such as child care and elder care.
  2. Increased retention of valued employees. Many businesses lose workers when those employees undergo significant life changes, such as starting a family or relocating to another region or state because of a spouse’s career. Teleworking is one way in which a business may be able to continue to utilize the services of an otherwise unavailable worker. It is also touted as a tool that permits workers to minimize the use of “personal days” in instances where they have to stay home and care for a sick child, etc.
  3. Increased employee productivity. Business studies and anecdotal evidence both suggest that employees are often much more productive at home, where “drop-in” interruptions and meetings are not distractions. Instead, the teleworker can focus on the job at hand. Of course, productivity at home is directly related to the employee’s level of self-discipline and abilities.
  4. Cost savings. Businesses can often gain significant savings in facilities costs like office space and parking space requirements when staff members telecommute.

Disadvantages of Remote Working

But while telecommuting programs have been highly successful for many businesses of all shapes, sizes, and industry orientations, there are potential pitfalls associated with them. Commonly cited drawbacks include the following:

  1. Lack of oversight. Direct supervision of teleworkers is not possible.
  2. Diminished productivity. Some people are unable to be productive in at-home work settings, either because of family distractions or their own limited capacity to focus on tasks when more pleasurable activities (bicycling, gardening, watching television, etc.) beckon.
  3. Security problems. “The remote access needs of telecommuters and other mobile staff … create a hole in security walls with every connection,” cautioned Kevin McNeely in Providence Business News. “Procedures should be implemented to allow employee access while keeping out unwanted intruders. This includes periodically updated password protection and informing employees concerning the need for remote access security.”
  4. Isolation. “The freedom of working alone comes with a price—the burden of solitude,” commented one executive in Association Management. “We all have wished for days where people would just leave us alone, and with remote working, we get our wish—in spades.” Partial teleworking arrangements, in which the employee spends a portion of each week (1-3 days) in the office and the remainder working from home, can sometimes be an effective means of addressing this problem.
  5. Erosion of company culture and/or departmental morale. Many businesses include certain employees who have a major positive impact on the prevailing office environment. When these employees enter into telecommuting programs, their absence is often deeply felt by the staff members left behind. In some cases, this departure from the company’s everyday operations can even have a deleterious effect on the operation’s overall culture.
  6. Loss of “brainstorming” ability. “Given that much of the value added to the production process in Western economies is at the ‘knowledge’ end of the spectrum, the dispersal of brains could be a problem,” wrote Richard Thomas in Management Today. “The informal bouncing around of ideas is difficult, or even impossible, without the face-to-face contact of a shared workplace.”
  7. Perceived damage to career. A common perception among employees of businesses that embrace remote working options is that telecommuters are placed at a disadvantage in terms of career advancement and opportunity. Certainly, some professional avenues—such as supervisor positions—may be shut off to workers who want to continue telecommuting, but employers should make every effort to avoid an “out of sight, out of mind” perspective from taking shape.
  8. Legal vulnerability. Some analysts have expressed concern that certain employer liability issues regarding telecommuting practices have yet to be completely settled. They cite as particular concerns employer liability for home-office accidents under common law, the applicability of the employer’s insurance coverage when employees work at home, and responsibility for equipment located in the home.

A.6.7 Remote working

Control

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

Purpose

To ensure the security of information when personnel are working remotely.

ISO 27002 Implementation guidance

Remote working occurs whenever personnel of the organization work from a location outside of the organization’s premises, accessing information whether in hard copy or electronically via ICT equipment. Remote working environments include those referred to as “teleworking”, “telecommuting”, “flexible workplace”, “virtual work environments” and “remote maintenance”.
NOTE: It is possible that not all the recommendations in this guidance can be applied due to local legislation and regulations in different jurisdictions.
Organizations allowing remote working activities should issue a topic-specific policy on remote working that defines the relevant conditions and restrictions. Where deemed applicable, the following matters should be considered:

  1. the existing or proposed physical security of the remote working site, taking into account the physical security of the location and the local environment, including the different jurisdictions where personnel are located;
  2. rules and security mechanisms for the remote physical environment such as lockable filing cabinets, secure transportation between locations and rules for remote access, clear desk, printing and disposal of information and other associated assets, and information security event reporting;
  3. the expected physical remote working environments;
  4. the communications security requirements, taking into account the need for remote access to the organization’s systems, the sensitivity of the information to be accessed and passed over the communication link and the sensitivity of the systems and applications;
  5. the use of remote access such as virtual desktop access that supports processing and storage of information on privately owned equipment;
  6. the threat of unauthorized access to information or resources from other persons at the remote working site (e.g. family and friends);
  7. the threat of unauthorized access to information or resources from other persons in public places;
  8. the use of home networks and public networks, and requirements or restrictions on the configuration of wireless network services;
  9. use of security measures, such as firewalls and protection against malware;
  10. secure mechanisms for deploying and initializing systems remotely;
  11. secure mechanisms for authentication and enablement of access privileges taking into consideration the vulnerability of single-factor authentication mechanisms where remote access to the organization’s network is allowed.

The guidelines and measures to be considered should include:

  1. the provision of suitable equipment and storage furniture for the remote working activities, where the use of privately-owned equipment that is not under the control of the organization is not allowed;
  2. a definition of the work permitted, the classification of information that can be held and the internal systems and services that the remote worker is authorized to access;
  3. the provision of training for those working remotely and those providing support. This should include how to conduct business in a secure manner while working remotely;
  4. the provision of suitable communication equipment, including methods for securing remote access, such as requirements on device screen locks and inactivity timers; the enabling of device location tracking; installation of remote wipe capabilities;
  5. physical security;
  6. rules and guidance on family and visitor access to equipment and information;
  7. the provision of hardware and software support and maintenance;
  8. the provision of insurance;
  9. the procedures for backup and business continuity;
  10. audit and security monitoring;
  11. revocation of authority and access rights and the return of equipment when the remote working activities are terminated.

Establishing Remote working

Allowing employees to work away from the office, i.e. outside the physical premises of the organization (known as “remote working”), is becoming a common way of doing business today. The ability to work remotely is seen both as an incentive for employee productivity and as a source of cost savings for organizations, not to mention the possibility for the organization to recruit the right professional from any part of the world. But this scenario, with information outside the direct control of the organization, also poses significant risks to information security that should be handled properly. The characteristics of teleworking are:

  • The worker is outside of the organization’s environment.
  • Information and communication technologies are used to stay linked to the office.

Considering this, the possible scenarios for teleworking are:

  • People are working from home, or from a place that is neither their home nor the organization’s premises (e.g., coffee shops, hotels, planes, etc.).
  • People are using fixed or mobile devices (e.g., PCs, notebooks, tablets, smartphones, etc.).
  • People are using public or private communication networks (e.g., Internet and extranet).

Knowing these scenarios is critical to identifying the most probable situations that can put your information at risk. From the scenarios presented above, an information security risk assessment could identify the following risks:

  • An employee’s family or friends can use the device that accesses the organization’s systems and see sensitive information.
  • Hard copy material used at the remote worksite can be lost or stolen.
  • The device itself can be lost or stolen.
  • A lost or stolen device can be used to gain unauthorized access to the organization’s systems.
  • Information can be intercepted during transmission between the organization and the device.
  • An outdated, unpatched device can be compromised and used to attack the organization’s systems.
  • Information could be copied and extracted from the organization’s environment without anyone knowing.
  • The communication channel can be intercepted and used to break into the organization’s environment.

It’s important to note that, although all devices are at risk of being lost or stolen, the nature of mobile devices (e.g., size, portability, and value) increases this risk. An organization can establish the rules for the implementation of safeguards to protect information accessed, processed, or stored outside the organization, such as:

  • who may work remotely (e.g., IT staff, sellers, managers on travel, etc.)
  • which services are available for teleworkers (e.g., development environment, invoicing systems, etc.)
  • which information can be accessed by remote working (e.g., performance dashboards, list of customers, etc.)
  • which access controls shall be applied before access to information and resources is granted (e.g., password, two-factor authentication, use of VPN on communication channels, etc.)
  • how devices and remote sites should be configured, protected, and used (e.g., devices with cryptography, no use of shared rooms to work, information backup, etc.)

Additionally, by implementing an information security awareness, education and training program based on control A.6.3 (A.7.2.2 in the 2013 edition), an organization can structure its efforts to improve the secure behavior of its remote workers: instructing them to take precautions when opening e-mail, to set strong passwords on their devices, and making clear that an information compromise caused by a lack of caution could result in disciplinary proceedings and even legal action.

No matter what industry you work in, at some point your organization, or at least part of it, will start relying on remote working. The connectivity provided by information and communication technologies not only allows employees to work from anywhere, increasing productivity and improving response time, but also lets organizations draw on trained professionals from anywhere in the world. But by exposing infrastructure, systems and information in this way, an organization needs to take precautions against the high risks involved; with the help of the ISO 27001 requirements for information security risk management and the security controls of its Annex A, this task becomes less complex and lets you take full advantage of teleworking with the least risk.

Implementing a Remote working program

Identify a Remote working Coordinator
If you plan to implement Remote working with 10 or more employees, it is recommended to identify one employee as the Remote working coordinator. This person should manage the overall Remote working program to help improve the quality and effectiveness of your organization’s program. The Remote working coordinator, typically an individual in human resources, is responsible for organizing Remote working schedules, arranging proper equipment for each remote worker, tracking program progress and promoting the benefits of Remote working among employees.

Establish a Remote working Committee
The first action for the Remote working coordinator is to establish a planning committee composed of representatives from human resources, legal, information technology and management. This group can help establish program goals, objectives, written policies and procedures and develop an implementation plan and schedule with milestones. The Remote working committee should be responsible for determining the three most important elements of your company’s program: policy, training and evaluation.

Create a Remote working Policy
Good communication is the essential element of a successful Remote working program and all employees should know the program’s guidelines and expectations. The Remote working policy should define program parameters, including which positions are best suited for Remote working. Additionally, the policy should include necessary forms or documentation, including a Remote working contract/agreement. Below is an outline of the most important elements for a Remote working plan:

  • General policy statement with program definitions
  • Program Goals and objectives
  • Explanation of the process for program participation
  • Review of program benefits
  • Identification of positions or aspects of positions appropriate or not appropriate for a Remote working arrangement
  • Review of time, pay and attendance issues
  • Sample agreement to be completed by the employee and supervisor
  • Checklist of technology and equipment needs

Train Employees and Managers
Since Remote working typically involves a cultural change within the organization, each employee and manager should receive training on the Remote working policy, procedures and techniques for managing remote workers. Discuss work schedules, communication methods, required technology, success strategies and proper organization to ensure all employees are fully aware of what is expected of them when working remotely.

Determining Who Should Work Remotely
One of the major challenges for supervisors is determining who is a candidate for remote working. This can be a difficult task, as managers may have employees who want to work remotely but are not the best candidates to do so. Managers also may be concerned that if one person is allowed to work remotely, all employees will want to.

Employee Suitability
A good starting point is to review all positions and employees within your organization and determine which have the most potential as teleworkers. The best way to determine who is suited to remote working is to define the criteria for eligibility and then evaluate each employee’s working style against them. Employees who are highly focused, self-sufficient, flexible, well organized and comfortable with the solitude of working at home may adapt best to remote working. The decision to grant an employee the option to work remotely can be facilitated by a “screening” form that managers and employees review and complete together; this helps the employee understand why he or she may not be a suitable candidate. The form should let a manager rate an employee on the characteristics that lead to success in remote working.

Job Suitability
In addition to determining whether an employee has the right skills to handle a remote working arrangement, managers also need to consider the position or job this person holds within the organization. Initially, a particular position may not appear compatible with remote working; however, if the position is broken down into individual tasks, you may be able to identify tasks that could be accomplished in a remote setting. Remote working is feasible for:

  • Work that requires thinking and writing, such as data analysis, reviewing grants or cases, and writing regulations, decisions or reports;
  • Telephone-intensive tasks, such as setting up a conference, obtaining information and contacting customers; and
  • Computer-oriented tasks, such as programming, data entry and word processing.

Positions that are not suitable for teleworking typically require:

  • The employee’s physical presence on the job at all times;
  • Extensive face-to-face contact with their supervisor, other employees, clients or the public;
  • Access to material that cannot be moved from the main office; and
  • Security controls that prevent the work from being accomplished at an alternative worksite.

Managers should consider each position thoroughly and determine whether there is potential to create a remote working opportunity. As an alternative, the employee may be able to work remotely one day a week, or half a day on two days a week.

Breaking the Cultural Barriers
A remote working program challenges management traditions, as it fundamentally changes how a manager should think about supervising employees. With teleworkers, managers should evaluate an employee’s performance by results, not by physical presence. This management style brings forward issues of employee trust and empowerment, two key elements of a strong working relationship. Remote working also creates the challenge of keeping workers, whether they are teleworking or not, working as a team toward one common goal. Before implementing remote working, and to help break down any cultural or procedural barriers, managers may need to adopt the following practices to maximize their effectiveness at supervising teleworkers:

  • Maintain a sense of control even when people are out of sight
  • Develop increased levels of trust and use trust as a purposeful tool
  • Use technology to stay in touch with remote workers
  • Rethink and redesign the way certain jobs are performed
  • Plan further in advance for meetings and other team activities
  • Focus objectives and expectations on short-term, project-based goals
  • Adopt location-independent ways of measuring performance and results
  • Transition teamwork toward more electronic-based collaboration
  • Trust your remote workers and demonstrate this trust by assigning challenging projects once the employee delivers a strong performance
  • Include remote workers in surveys and evaluations
  • Managers should try teleworking themselves when they have the opportunity; it helps increase personal effectiveness and improves understanding of the pros and cons of teleworking
  • Consider the remote worker’s point of view in all situations, and understand the time frames involved in completing tasks and the resources required to complete them
  • Involve remote workers when setting work goals and objectives
  • Delegate assignments fairly among teleworkers and non-teleworkers
  • Include remote workers in day-to-day activities, and be aware of their attitudes and involvement to ensure they don’t feel isolated from the main office
  • Encourage informal communication within your team to keep remote workers and co-workers in touch and up to date; consider establishing a “virtual water cooler” via a shared e-mail folder or organizational intranet
  • Communicate on a regular basis using all available technology methods, including phone, e-mail, instant messaging and online meetings
  • Be flexible and open to increasing the frequency of remote working if it is working well for the employee
  • Keep an open mind about remote working, and be flexible with the program’s policies and procedures in case they need to be adjusted for any reason

Choosing the Right Remote working Tools
Before launching a remote work program, an organization should determine a teleworker’s technology needs so that he or she is just as effective working remotely as in the main office. There are several technology options to support remote work, some of which you are already familiar with and others you may need to research further before making the right decision. The basic technology needs of a teleworker include the following:

  • Computer
  • Internet connectivity (high-speed broadband is best)
  • E-mail program
  • Telephone
  • Fax machine
  • Collaboration software


In looking at these necessities, few allow for quality interaction between an employer and remote worker, and they do not address the “myths” or concerns that managers have when considering remote work. Management’s highest concern is the fear of having less control over employees who work from home, and not being able to reach a teleworker when you need them. Both of these concerns, among others, can be addressed with a collaboration software program.

Consider Collaboration
By equipping each remote worker and office worker with high-speed Internet, a Web camera, headset and collaboration software, managers can get in touch with Remote workers at all times—and in return, teleworkers can contact managers, employees, vendors and clients. An effective and useful tool, a collaboration program should include such features as real-time video, telephone quality audio and presence detection systems to allow better interaction between the main office and teleworkers. With a collaboration program, the following can be accomplished:  

  • Remote workers can better replicate an in-person meeting and easily contribute to the discussion when joining meetings at the main office via the Internet.
  • Managers can see and hear remote working employees during online meetings, which addresses the fear of lost productivity.
  • Management and Remote workers can see who is available online for a meeting or quick discussion via instant messaging with presence detection and status indicators. This will help alleviate the ‘out of sight, out of mind’ concern with managing a remote workforce, as the manager will quickly be able to determine which of their workers are online, offline, in meetings, away from their computer, or do not wish to be disturbed.

Additionally, a collaboration tool should have more in-depth interactive components of its system to help the teleworker further engage in activities occurring at the main office. Such components include instant messaging, joint editing, white boarding, live view, chat and secure file sharing/storing. By harnessing these features, the following can occur:

  • Confidential documents are stored in the application’s secure file cabinets for sharing, rather than the teleworker’s computer
  • Teleworkers can instantaneously communicate with the main office
  • Multiple employees are able to view, discuss and edit documents simultaneously
  • Employees are able to take notes during meetings for all participants to view

Using a combination of communication methods, such as online meetings, e-mail, fax and phone, will provide a comprehensive remote working program.

Select a Collaboration Tool
After establishing specific policies, procedures and measurement methods for your Remote working program, you should next select the right technology. The most interactive and secure method for communications with teleworkers is a collaboration software program that is designed specifically for your industry and company structure. The following questions can help you select a collaboration tool that best meets your organization’s teleworking needs:

  1. Does the collaboration solution offer everything a teleworker needs to work effectively from home, such as real-time document editing, audio, video, instant messaging, etc.?
  2. Are all the necessary services integrated into one package or would we need to consider other alternatives (and expenses) such as conference calls for the audio?
  3. Will the solution maintain total privacy and confidentiality of video, audio and data?
  4. Does the system use a high level of encryption methods, such as the Advanced Encryption Standard (AES)?
  5. How does the provider protect the data and where is it stored?
  6. Does the system operate through firewalls? This is critical when it is important to communicate with external audiences.
  7. Is security included in the overall price of the solution, or is it an add-on cost?
  8. Is education and training about how and when to use the service readily available and/or customized for the teleworker?
  9. What type of support will be available to the teleworker? Is the support included, or must you pay for telephone calls to client services?
  10. What are the contractual arrangements? Does the provider offer one price for multiple participants, sometimes called “seats”?

The organization should find the best solutions for remote working, but also look for ways to save costs when implementing the program. To minimize technology expenses, look for a collaboration program that allows you to purchase “seats,” meaning licenses for a group of participants, rather than paying for each minute you are online using the program for a meeting.

Ensuring Security at Home
Organizations often overlook the security risks of allowing an employee to work from home. While your office may have security measures in place, your employee’s home may not. The Computer Security Institute, a San Francisco-based association of information security professionals, reported in its 10th annual “Computer Crime and Security Survey” that the large corporations and government agencies responding acknowledged more than $130 million of financial losses due to computer breaches. It is therefore imperative to consider technology tools that provide stringent security standards, so that your company’s information is not compromised through a teleworker’s computer.

Protect E-mail Systems
E-mail remains an effective, easy and paperless way to communicate, but organizations need to understand the security threats of relying solely on e-mail. For remote working, e-mail should be protected in transit (TLS between clients and servers) and, for sensitive content, end to end with message encryption such as S/MIME or OpenPGP, so that a message is not readable on intermediate servers or on a lost device. It is also helpful to have spam filtering and malware detection to protect your systems against malicious attachments and links. Highly confidential information, such as financials, salary data, strategic plans or budgets, should not be sent by unprotected e-mail; use an encrypted method for sharing and storing such information instead.

Secure Online Meetings
A collaboration software program gives organizations a cost-effective way to transfer important files over a secure channel. Some products treat security as an add-on; others build it into the tool from the start and provide better protection. All components of a collaboration tool, including audio, video, data and files, should be protected with strong, authenticated encryption. Security factors to look for include:

  • Strong password protection, ideally combined with a second authentication factor as under the access controls discussed above
  • Encryption in transit and at rest using a well-reviewed symmetric cipher such as the Advanced Encryption Standard (AES), with public-key cryptography used for key exchange and identity (AES itself is a symmetric cipher, not a public-key one)
  • Encrypted file storage

Stay in Control
Perhaps the most effective way to protect sensitive files is by having the control in your hands. Any form of communication, and specifically a collaboration tool, should provide you with the control to grant employees access to certain information. A collaboration product should let you designate which of your employees has access and to what files, and it should handle details surrounding need-to-know and right-to-know permissions.

Secure Networks and Applications
Lastly, consider ways to secure both the network over which information is transmitted and the application used to communicate. This is especially important for teleworkers on wireless networks: home and public Wi-Fi may use weak or no encryption, may be shared with other users, and can be impersonated by a rogue access point. Treating the network and the application as two separate security layers means that if the network is compromised but the application encrypts and authenticates its own traffic and files, an attacker on the path sees only ciphertext and cannot alter it without detection, which keeps confidential information out of reach.
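The two-layer argument just made, and the “encrypted file storage” and AES bullets in the collaboration-tool checklist above, rest on the application applying authenticated encryption to its own data rather than trusting the network. The following Go program is an added example, not code from the page or from any collaboration product, showing what that looks like with AES-256-GCM: a file is sealed under a key with a random nonce and an authenticated label (file name and owner, constructed here), so that an interceptor sees only ciphertext, a flipped byte is rejected instead of yielding corrupted plaintext, and a blob cannot be silently re-filed under another name. The key is generated locally for the demonstration; in deployment it would come from the organization’s key store rather than sit in clear on the teleworker’s device, and the sample document and label are constructed data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. Assumption for this example:
// in deployment the key is issued and protected by the organization's key
// store, never written in clear on the remote worker's disk.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. A random 96-bit nonce is
// prepended to the output. label (e.g. file name and owner) is authenticated
// but not encrypted, so the blob is bound to that metadata.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label makes
// the GCM tag check fail, so the caller gets an error rather than garbage.
func Open(key, label, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// TamperDetected simulates an attacker on the network path who flips one
// byte of the stored or transmitted blob, and reports whether Open rejects it.
func TamperDetected(key, label, blob []byte) bool {
	bad := append([]byte(nil), blob...)
	bad[len(bad)/2] ^= 0x01
	_, err := Open(key, label, bad)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("2024-budget.xlsx|owner=finance") // constructed metadata
	doc := []byte("constructed sample: salary table, not real data")

	blob, err := Seal(key, label, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what an interceptor sees: %x...\n", blob[:16])

	back, err := Open(key, label, blob)
	fmt.Println(string(back), err) // the document, <nil>

	fmt.Println("tamper detected:", TamperDetected(key, label, blob)) // true
	_, err = Open(key, []byte("notes.txt|owner=intern"), blob)
	fmt.Println("relabelled blob rejected:", err != nil) // true
}
```

GCM’s authentication tag is what makes the second layer meaningful: plain AES in CBC mode would also hide the content from a network eavesdropper, but an attacker who could modify traffic could flip plaintext bits without being noticed. The nonce must never repeat under one key; using a fresh random nonce per Seal call, as here, is adequate for the volumes a file-sharing tool handles.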

Launching the Program
Initially, managers will feel somewhat overwhelmed with the changes and challenges in launching a Remote working program. However, if you approach this in a gradual fashion, giving time to work through new issues, success is highly achievable. When initiating a Remote working arrangement, managers need to help employees adapt to this culture change in the beginning stages of implementation. Share information about the program as it is developed, and ensure that employees receive training on the organization’s Remote working policies, procedures and any new technologies that need to be utilized on a daily basis. Once all employees are given an opportunity to review the Remote working program and decide if they would like to participate or not, then you should move into launching the program.

Maintain Balance
Once a Remote working program is underway, it is important to emphasize equality between remote workers and office workers. Be sure to communicate frequently with employees in the main office and those who are working remotely to maintain a cohesive team. While managers can maintain communications with conference calls and e-mails, if your organization has a collaboration program, you can also touch base via instant messaging and online meetings. Managers can host regular staff meetings online, which allows the teleworker to stay involved and included without having to commute to the office. This is especially important if the organization has employees working in another city, state or even overseas, as it would be very costly to transport them to the main office for each staff meeting. Additionally, an online meeting allows the teleworker not only to hear the other participants but also to see everyone in the meeting, allowing for higher-quality interaction with managers and employees.

Set Expectations
Before beginning a Remote working program, managers should clearly define expectations of an employee’s performance before he or she begins working remotely. Focus on results, such as accomplishments, products, or services provided, to measure their performance, since it will be difficult to observe activities, behaviours or demonstrated competencies. Performance plans should also include standards that are measurable, observable and at least verifiable. Whether an employee works at the main office or at home, they should know what they are supposed to do, and how well they are supposed to do it, in order to ensure successful performance.

Monitor Performance
Monitoring performance includes measuring performance and providing feedback. In a Remote working situation, measuring the results of employees’ efforts rather than their activities can be more efficient and effective. Quantity, quality, timeliness, and cost-effectiveness are four general measures that should be considered at all times for all employees, whether they work from home or in the office. After establishing performance measures, communicate where an employee stands on performance frequently. Since remote workers are not in the office to receive quick, informal feedback, make a conscious effort to send an instant message to remote workers so they know they are doing a good job. During the first few months of implementing the program, managers may experience a few glitches here and there, but once you find solutions for any minor problems, the organization will soon experience benefits such as decreased sick leave from employees, a reduction in workers’ compensation cases and an overall improvement in employee morale and productivity.

Evaluate the Program
In order to measure the success of the Remote working program, the Remote working committee should develop an evaluation plan before implementation. This plan should be based on quantifiable program goals and objectives to measure and compare results. When evaluating the organization’s Remote working program, it is recommended to first analyze the key issues that affect the organization, such as productivity, operating costs, employee morale, recruitment and retention. While you also can evaluate external issues impacted by Remote working, such as traffic flow, air pollution, and mass transit use, these factors are usually evaluated through a community effort by a consortium of interested organizations. There are several measurement strategies managers might want to include in the evaluation plan. For example, compare remote workers and office workers on selected measures at one point in time. Also, conduct pre- and post-measurements on the remote workers alone, analyzing performance before and after they begin working remotely. To evaluate productivity, develop various levels of performance to measure each employee. Identify quantifiable tasks and determine which can be accomplished in an office setting and which can take place via Remote working. For example, it may take an employee two weeks to write the office newsletter when working in the office, but only one week in the Remote working setting because of fewer interruptions. To measure operating costs, you should measure sick leave taken, workers’ compensation costs, office space needs, and/or transit subsidy expenses before and after the Remote working program begins. In addition to these measures on individual employees, anecdotal data may also be helpful. In evaluating the costs of Remote working, allow sufficient time for implementation before studying costs. 
In the initial months of Remote working, there are typically increased costs for logistical support; however, significant additional cost savings are normally realized after a sufficient period of time. To evaluate morale, recruitment and retention, managers can utilize focus groups, questionnaires and surveys with employees. For example, ask employees to rate their degree of satisfaction with their working conditions, productivity and Remote working situation. In addition to looking at overall morale and retention, it is important to measure specific aspects of satisfaction with Remote working. Similar to measuring costs, it is important to take enough time to evaluate satisfaction with the program, and this may mean asking the same questions at several points in time, such as three months, six months, etc. One approach is to develop a small survey asking employees how they believe Remote working will benefit them before implementation. After six months, ask them to look at the initial survey and identify whether they did or did not experience these benefits.

Security Issues for Remote working

Remote working is the use of telecommunications to create an “office” away from the established (physical) office. The telecommuting office could be in an employee’s house, a hotel room or conference centre, any site an employee travels to, or a telecommuting center. The telecommuter’s office may or may not have the full computer functionality of the established office. For example, an employee on travel may only read email. At the other end of the spectrum, an employee’s house may be equipped with ISDN and the employee may have full computer capability at high speeds. Teleworking is becoming accepted as the way to do business. However, opening up corporate systems to dial-in and other forms of access presents three significant security risks.

  1. The first risk is that intruders will be able to access corporate systems without having to be on site. Hackers armed with war dialers, electronic eavesdroppers at conference sites, or shoulder surfers watching employees enter IDs and passwords are all very real threats in today’s environment. In addition to intruders whose goal may be mischief, hacking is attractive to people trying to steal or misuse corporate information. Electronic access to records is often more anonymous than trying to bribe employees or gain physical access.
  2. The second risk of telecommuting, closely related to the first, is that corporate information can be read, and potentially modified, while it is in transit.
  3. Telecommuting also presents organizations with more pedestrian risks. These include the risk of losing corporate information and resources when they are outside the protective shell of the organization.

Security Issues for Protecting Internal Systems
In planning for the security of remote working, the first step is to examine what type of access is needed. What systems and data do employees need? What is the sensitivity of these systems and data? Do they need system administrator privileges? Do they need to share files with other employees? Is the data confidential? From a security perspective, the critical determinations are:  

  • What would happen if an intruder gained the same access as the employee?
  • What would happen if an intruder were able to use the employee’s account, but gain more access than authorized for that user?

If the answer to either of these questions is “uh-oh,” then security is important.

Firewalls/Secure Gateways
A secure gateway, often called a firewall, blocks or filters access between two networks, often between a private network and a larger, more public network such as the Internet or the public switched network (i.e., the phone system). For telecommuting, the trick is to decide what to make available to telecommuting employees using public networks, to what degree to ensure that only authorized users can get to the internal network, and how to ensure that the secure gateway works properly. If possible, it can be more secure to put all the resources needed by telecommuting employees outside of a secure gateway. However, this is only possible if employees do not need access to corporate databases. For example, employees may only need to send reports in or access public databases, such as product/sales information or government forms. However, most telecommuting employees will need more access. For traveling employees, this may be limited to needing email. There are many firewall implementations that use an email proxy to allow access to the files on a protected system without having to directly access that system. Once again, many telecommuting employees will need more access: they need access to internal resources. The employees may need to use a variety of resources, such as LAN applications, mainframe applications, client software and TCP/IP services. A secure gateway, or series of gateways, can be used to divide internal resources based on the access needs of telecommuters. For example, computers with high-risk organizational data (such as proprietary business plans) may be separated by a router from systems with a lower level of risk.
A series of routers can be used to further restrict access to the highest-risk systems. For some situations, current firewall technology can be used to give virtual access by using proxies. In addition, the current firewall can use IP filtering to permit access to only certain types of resources. However, for many organizations, the primary security function of the secure gateway is to provide robust authentication of users. Secure gateways may also provide additional auditing and session monitoring. The gateway can perform an intrusion detection function. For example, the secure gateway could monitor a session for keystrokes which may indicate someone trying to exceed access.

Robust Authentication
For most organizations, robust authentication should be required if access is given to internal systems. However, many organizations should require robust authentication even for email if it is relied on to discuss business decisions (i.e., if the organization would care if someone else read your email). Robust authentication can increase security in two significant ways: 1) it can require the user to possess a token in addition to a password or PIN, and 2) it can provide one-time passwords. Tokens, when used with PINs, provide significantly more security than passwords. For a hacker or other would-be impersonator to pretend to be someone else, the impersonator must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination (especially since most user IDs are common knowledge).
Robust authentication can also create one-time passwords. Electronic monitoring (eavesdropping or sniffing) or observing a user type in a password is not a threat with one-time passwords because each time a user is authenticated to the computer, a different “password” is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.)
Most commercial robust authentication systems use smart tokens. The user provides a PIN which unlocks the token and then uses the token to create a one-time password. However, it is possible to use software-only one-time password schemes. (Tokens which do not provide for one-time passwords, such as ATM cards, are less common for telecommuting because they require hardware at the remote site and, without physical security, are vulnerable to electronic monitoring.)
Telecommuting employees who directly access internal systems should be robustly authenticated and should be routed to specific computer systems. The combination of routing and robust authentication can greatly increase security and reduce the costs associated with robust authentication by limiting it to employees with the greatest access.

Port Protection Devices
A port protection device (PPD) is fitted to a communications port of a host computer and authorizes access to the port itself, prior to and independent of the computer’s own access control functions. A PPD can be a separate device in the communications stream, or it may be incorporated into a communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a password, in order to access the communications port. One of the most common PPDs is the dial-back modem. A typical dial-back modem sequence follows: a user calls the dial-back modem and enters a password. The modem hangs up on the user and performs a table lookup for the password provided. If the password is found, the modem places a return call to the user (at a previously specified number) to initiate the session. The return call itself also helps to protect against the use of lost or compromised accounts. This is, however, not always the case. Malicious hackers can use such advanced functions as call forwarding to reroute calls.

Security Issues for Data Transfer
In addition to intruders possibly gaining access to internal systems, it is also possible to eavesdrop on an entire session. Eavesdropping is not technically difficult if there is physical access to the cable or wire used for communication, or logical access to switching equipment. If a telecommuting employee will be transferring data that someone would go to the trouble of eavesdropping to obtain, then encryption may be necessary. Another scenario where eavesdropping is more likely is when an employee is at a large conference or other location where an eavesdropper may set up equipment in hopes of hearing something useful. Some conferences offer equipment to attendees to use to check email, transfer files, etc. This is useful to attendees since they do not need to bring laptops; however, it could be a target for electronic eavesdropping. Software- or hardware-based encryption provides strong protection against electronic eavesdropping. However, it is more expensive (in initial and operating costs) than robust authentication. It is most useful if highly confidential data needs to be transmitted, or if even moderately confidential data will be transmitted in a high-threat area. It is, however, unlikely that employees will always know when they are in a high-threat area. It is incumbent on management to train employees.

Security Issues for Telecommuting from Home
Many employees telecommute from home, which raises an additional set of issues. Some of these concerns relate to whether employees are using their own computers or using computers supplied to them by the organization.

Home Data Storage Integrity and Confidentiality
Other members of the employee’s household may wish to use the computer used for telecommuting. Children, spouses, or other household members may inadvertently corrupt files, introduce viruses or snoop. Organizations can take several approaches:

  • Employee accountability. Some organizations may choose not to have specific rules forbidding household members from using PCs, but hold the employee responsible for the integrity and confidentiality of the data. Obviously, this is not a good choice if the data is highly confidential.
  • Removable hard drives. If corporate data is stored on a removable hard drive (or floppy), then the risk is greatly reduced.
  • Data encryption. Corporate data can be kept encrypted on the hard disk. This will protect its confidentiality and will detect changes to files.
  • Dedicated use. If an organization requires this, it should recognize that it is difficult to enforce.

Home System Availability
In addition to the possibility of a home computer breaking or being stolen, it may not be compatible with office configurations. For example, a home computer may use a different operating system. This may complicate setup, software support, troubleshooting, or repair. It is in the best interest of the organization to ensure that policy covers all these situations.

Security Issues for Telecommuting Centers
Telecommuting centres, normally located in outlying suburbs, are another choice for organizations. From a security perspective, they may offer hardware for encryption, removable hard drives, and increased availability. However, by concentrating telecommuters, they may make themselves a more attractive target for eavesdropping. At a minimum, organizations should require robust authentication from telecommuting centres. If communications encryption is supported by the centre, the user should be aware that data may not be encrypted while it is inside the centre; the encryption may occur at a modem pool.

Remote working – the threats

With the increased freedom afforded us by teleworking there also comes increased information risk. The risk may be considered in two layers – the risk at the remote PC and the risk at the corporate network.

1. Exposure of remote PC on the net
The Remote worker’s PC cannot be protected by the company at all times. When not connected to the office network, the teleworker’s PC will be used for Web surfing, new software will be installed, old software reconfigured, e-mail attachments opened and Internet files downloaded. Hence, the system build is clearly not compliant with the corporate standard, which raises questions about the effectiveness of any security software running on the remote PC, and the risk of virus infection is increased. There is also the risk of physical access to corporate information stored on the remote PC. A corporate PC is situated within the office premises, where it is generally protected by multiple layers of building access controls, 24-hour on-site security personnel and surveillance equipment (for larger companies, at least). On the other hand, the remote PC is likely to have only one layer of physical access control (i.e., the front door) and is unlikely to have 24-hour on-site protection or surveillance. The risk of the PC and/or the information it contains being stolen or otherwise exposed is hence increased. All of this activity is generally restricted by the company security policy, but this cannot be enforced on a private PC. Hence, when the user next logs in to the office, the damage may already have been done: information may already have been accessed directly from the remote PC, and/or a compromised/infected PC becomes part of the office network.

2. Exposure of corporate resources on the Internet
Consider the nature of the access required by a Remote worker. The aim is to allow them to work from home as effectively as they might in the office. Hence, they need access to the data available in the office environment. This may require mapping network drives to the remote PC, access to confidential databases, intranet web servers, or corporate applications. Ordinarily, these services would never be made available outside the corporate network. In fact, the teleworker’s remote PC effectively becomes part of the corporate network but it sits outside the traditional network perimeter and information defenses. Hence, by extending the network to the Remote worker’s home via the Internet, the risk of these services being exposed on the Internet is increased. The exposure may be direct or indirect – direct to the Internet by presenting service interfaces at the corporate network perimeter and transmission of corporate information over public lines, or indirect by use of the remote PC to bridge between the Internet and the corporate network. Direct exposure can be mitigated by strong identification, authentication and authorization at the corporate firewall or DMZ and the use of encryption technology to protect data integrity and confidentiality. (Typically, a virtual private network [VPN] is employed to provide aspects of all of the above.) Indirect exposure can be mitigated by protecting the remote PC by deploying standard security measures on the PC but, as discussed above, the security status of the remote PC cannot be guaranteed and hence the corporate network must be protected against a compromised remote PC.
Let us look at the following example. The typical home broadband connection will connect the teleworker to both the Internet and the corporate network. Hence, the possibility exists for a hacker to access corporate resources via the remote PC. Malicious IRC Bots, commonly known as Zombies, are a particularly dangerous example of how a hacker might create such a bridge. Zombies are modified Trojan horse viruses which act as IRC (Internet Relay Chat) agents. The machine is typically infected by opening a file posted to a chat room or via an e-mail attachment. Once the infected PC is booted, the Zombie will attempt to “phone home” to an IRC server, announcing its availability to the hacker who distributed it. It will provide details of the IP address and port on which it can be contacted. The hacker can then contact the Zombie via the IRC channel and tell it to launch denial of service attacks on any given IP address. With hundreds or possibly thousands of these Zombies available to a hacker, massive distributed DoS attacks are possible. It is worth noting that broadband, always-on connections are particularly sought after by the Zombie hacker community and hence are more likely to be targeted for further investigation if the machine becomes infected. The hacker will often use the Zombie to download the Sub7 Server Trojan. Once installed, Sub7 will also attempt to connect to the Internet and post its connection details to an IRC server or via e-mail. If successful, the hacker now has access to watch everything that is happening on the infected PC and can even take control of the machine, run applications, download and upload files, restart Windows, and so on. The complete list of Sub7’s functionality is impressive but frightening; just about anything is possible. Obviously, if a telecommuter’s PC were to be infected by such a Zombie, the hacker may have direct access to the corporate network every time the user logs in.
Even if the PC is configured by default to prevent simultaneous Internet and corporate access, the power of Sub7 could allow the hacker to reconfigure it or to install software to work around that protection. Sub7 is also capable of logging keystrokes even while the hacker is not connected to the compromised PC. The keystroke log can then be downloaded at the hacker’s leisure. Hence, the teleworker’s activity could be monitored even if the hacker is locked out of the system while it is connected to the corporate network.

Mitigating the threats

As demonstrated there are some very real security issues to be considered around teleworking. These issues are wide-ranging – the accidental introduction of viruses to the office environment; increased exposure to Internet attacks; even acting as a backdoor into the heart of the corporate network. To protect against these issues, security must be taken seriously by the teleworker and his or her company. The remote PC must be protected against the Internet and the corporate network should be protected from the remote PC. This final section discusses the vital areas which must be tackled in protecting the teleworker and the company.

Security Policy

  • who may work remotely – identify the roles/jobs which may be considered for teleworking
  • services available to Remote workers – the types of network and application services which may be provided to Remote workers
  • information restrictions – are there classified information types which should not be made available to Remote workers?
  • Identification/authentication/authorisation – how should teleworkers be identified, authenticated and authorised before accessing corporate resources?
  • Equipment and software specifications – are there any specific equipment or software products which must be deployed on the teleworker’s PC? (e.g., firewall or encryption software)
  • Integrity and confidentiality – consider how the connection to the remote PC should be protected (i.e., VPN) and how data on the machine should be protected
  • Maintenance guidelines – how should the Remote worker’s PC configuration be protected, updated and monitored?
  • User guidelines – clarify the user’s role in protecting corporate resources – e.g., appropriate use of resources; users should not modify security configurations; use of anti-virus software; storage of corporate data on local drives; use of encryption tools
  • User education – ensure that users understand the possible information risks associated with Remote working, how those risks are addressed, and the user’s role in minimizing the risks

User Education
User education is essential. Users must understand that teleworking does entail genuine security risks and that they have a role to play in protecting corporate resources from attack, damage or loss. It is also to their own benefit that they understand the risks to their own PC and private data from their behaviour while accessing the web in their own time, and how to mitigate those risks.

Protect the remote PC
The remote PC must be protected from the Internet, and corporate information stored locally should be protected from prying eyes. (Note, however, that ideally corporate information should not be stored on the teleworker’s own PC; this should be considered in the security policy.)

The corporate perimeter defenses need to be extended to bring the remote PC within the perimeter – ie., firewall software should be installed on the remote PC. However, there are several issues around the effectiveness of the firewall. The firewall software must be properly maintained – this means software patches must be implemented as appropriate and the firewall must be correctly configured. Bear in mind that the remote PC probably belongs to the user and hence he or she has full administrator access to the machine – the system configuration may change regularly which could leave the firewall disabled. Hence, you should consider implementing an automated audit process when the user logs into the corporate network. This audit should check that the software is operational, correctly configured and that patches have been applied. If necessary, patches should be applied before allowing the user to continue. There is also the question of the choice of firewall product. There are certain home firewall products that are effective in blocking uninvited inbound traffic. However, there are also products that will allow most or all outbound connections, opening the PC up to the Zombie attack discussed earlier, for example. Hence the firewall product should preferably be capable of monitoring and blocking all network traffic from applications that have not been specifically authorized to access the network/Internet. The user’s education should include an understanding of the role played by the firewall and how important it is that the firewall is running correctly. The user should be encouraged to have the firewall running whenever they are connected to the Internet, even when not connected to the corporate network. This will help to protect the user’s own files and ultimately protects corporate resources. A home firewall is an essential precaution on the remote PC. 
However, designing a standard configuration which is maximally effective for every home PC is essentially impossible. Manual configuration could be considered, but this could prove time-consuming and expensive if it is to be handled by qualified personnel, while most end users do not have the experience to handle this unaided. Hence, it should not be assumed that the remote firewall is fireproof. Multiple layers of security will be required – strength in depth is the key.

Virus protection
Anti-virus software is an essential measure on any web user’s PC, whether or not they work remotely. As with the firewall, the anti-virus product must be properly maintained – the software must be patched as and when necessary, the virus definition files must be regularly updated, and the software must be configured correctly. It should be configured for automatic scanning of e-mails and of files as they are opened. Entire system scans should be performed at regular intervals. Again, it is possible that the software could be disabled as a result of user action. Hence, consider performing an automatic audit of the virus software at login, ensuring that the software is running, that definition files are up to date and that patches have been applied. If possible, check the time of the last system scan. New definition files or patches should be applied and the last system scan should be confirmed as recent before the user is allowed to continue. The user’s education should include an understanding of the importance of the antivirus software and the correct operation of the product. Teach good practice in the handling of downloads and attachments. The user should be encouraged to keep the product operational at all times, whether connected to the Internet or not. However, it is always possible that a virus will be missed by the software and the remote PC will be infected anyway, spreading to the corporate network at the next login. To counter this possibility, consider running anti-virus software in the DMZ back at the office.
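The login-time audit described for the firewall and for the anti-virus product above can be expressed as a single posture gate. The following is an added example, not code from the article: the gateway receives a self-reported posture record from an agent on the remote PC and decides whether the user continues, first receives updates, or is refused. The record layout, field names and thresholds are constructed for this example.

```python
"""Login-time posture audit of a remote PC (added illustration, not the
article's own code). Fixable gaps (missing patches, stale definitions, an old
scan) lead to remediation followed by a re-check; a disabled or inadequate
control leads to refusal. Field names and thresholds are constructed."""
from datetime import datetime, timedelta

# Policy thresholds (constructed values; tune to the organisation's policy)
MAX_DEFINITION_AGE = timedelta(days=2)    # virus definition files must be newer
MAX_SCAN_AGE = timedelta(days=7)          # last full system scan must be newer
MIN_FIREWALL_VERSION = (2, 4)             # minimum patched firewall release
MIN_ANTIVIRUS_VERSION = (11, 2)           # minimum patched anti-virus release
EPOCH = "1970-01-01T00:00:00"             # used when a timestamp is missing


def _version(value):
    """Turn '2.3' into (2, 3) so releases compare numerically."""
    return tuple(int(part) for part in str(value).split("."))


def _age(now, stamp):
    return now - datetime.fromisoformat(stamp or EPOCH)


def evaluate_posture(report, now):
    """Return (decision, findings) for one self-reported posture record.

    decision is 'allow' (every check passed), 'remediate' (push patches,
    definitions or a scan, then audit again) or 'deny' (a control is off or
    inadequate, so the remote PC must not reach the corporate network yet).
    """
    findings = []
    remediate = deny = False

    fw = report.get("firewall", {})
    if not fw.get("running"):
        findings.append("firewall software is not running")
        deny = True
    if not fw.get("blocks_unapproved_outbound"):
        # products that allow all outbound traffic leave the 'phone home' path open
        findings.append("firewall does not block unapproved outbound connections")
        deny = True
    if _version(fw.get("version", "0")) < MIN_FIREWALL_VERSION:
        findings.append("firewall patches missing")
        remediate = True

    av = report.get("antivirus", {})
    if not av.get("running"):
        findings.append("anti-virus software is not running")
        deny = True
    if not av.get("on_access_scanning"):
        findings.append("automatic scanning of e-mail and opened files is off")
        deny = True
    if _version(av.get("version", "0")) < MIN_ANTIVIRUS_VERSION:
        findings.append("anti-virus patches missing")
        remediate = True
    if _age(now, av.get("definitions_updated")) > MAX_DEFINITION_AGE:
        findings.append("virus definition files are out of date")
        remediate = True
    if _age(now, av.get("last_full_scan")) > MAX_SCAN_AGE:
        findings.append("last full system scan is too old")
        remediate = True

    if deny:
        return "deny", findings
    if remediate:
        return "remediate", findings
    return "allow", findings


# Constructed posture records for three remote PCs
NOW = datetime(2024, 3, 4, 9, 0, 0)
COMPLIANT_PC = {
    "firewall": {"running": True, "blocks_unapproved_outbound": True, "version": "2.5"},
    "antivirus": {"running": True, "on_access_scanning": True, "version": "11.3",
                  "definitions_updated": "2024-03-03T22:00:00",
                  "last_full_scan": "2024-03-01T02:00:00"},
}
STALE_PC = {   # everything on, but definitions five days old and firewall unpatched
    "firewall": {"running": True, "blocks_unapproved_outbound": True, "version": "2.3"},
    "antivirus": {"running": True, "on_access_scanning": True, "version": "11.3",
                  "definitions_updated": "2024-02-28T08:00:00",
                  "last_full_scan": "2024-03-01T02:00:00"},
}
DISABLED_PC = {   # user turned the firewall off while gaming
    "firewall": {"running": False, "blocks_unapproved_outbound": True, "version": "2.5"},
    "antivirus": {"running": True, "on_access_scanning": True, "version": "11.3",
                  "definitions_updated": "2024-03-03T22:00:00",
                  "last_full_scan": "2024-03-01T02:00:00"},
}

if __name__ == "__main__":
    for name, record in (("compliant", COMPLIANT_PC), ("stale", STALE_PC), ("disabled", DISABLED_PC)):
        print(name, evaluate_posture(record, NOW))
```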

Data protection
If corporate data will be stored on the remote PC, then it should be protected by encryption software. There are packages that will encrypt disk partitions or individual files as required. If the data will be stored on removable media then not only should it be encrypted but it should also be removed from the PC and locked away when not in use. Also, bear in mind that information security does not only refer to protection from deliberate attack or theft. Information can be lost due to hardware or media failures and hence backups should be kept. Since the typical home PC is unlikely to have an automated backup network-attached, the teleworker should be careful to make backups as required. Also, information security is about availability. Information stored on the remote PC is not likely to be available from the office. For these reasons, it is preferable that corporate information should be stored on the corporate network and not at home.

Protect corporate resources from the Internet
If the remote PC is compromised by a hacker and/or infected by a virus, then the corporate network is at risk. Alternatively, the link between the remote PC and the office could be compromised directly. Hence, precautions should be taken to control the PC’s access to corporate resources and to monitor the contents of the traffic.

Identify, authenticate and authorize remote connections
It is vital that only authorized personnel are able to access corporate resources remotely. All attempts to connect to corporate services should be captured within the DMZ until the source of the connection has been identified and authenticated. Strong authentication technology should be employed. At the least, this should be strong passwords – ie., of appropriate length, not easily guessed, and containing non-alphanumeric characters. These requirements should be enforced automatically. Given that Trojans such as Sub7 can provide a hacker with your userID and password, you should also require that passwords are changed frequently. One-time password technologies make it almost impossible for the hacker to steal a usable password, and hence these technologies are far preferable. Typical one-time password technologies involve the use of a password combined with a passcode. The passcode is generated using an electronic token and is based on a hash generated from the current time or from a randomly generated challenge provided by the corporate authentication server. Since the hacker does not have access to the token he or she cannot reply with the correct passcode and hence cannot be authenticated. Once identified and authenticated the user should be permitted access only to services and resources for which they have been authorized. This is particularly important in order to protect against the possibility of a hacker compromising the remote PC and posing as the authenticated user. Ideally, each individual service/resource request will be authorized separately, rather than simply allowing access to an area of the corporate network. It is only if the user’s access rights are understood at this level of detail that the inappropriate behavior of a hacker might be effectively identified.
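The token-based one-time password scheme described here and in the Robust Authentication section (a PIN unlocks the token, the token derives a passcode from the current time or from a server-issued random challenge, and a captured passcode is worthless afterwards) is shown below as an added example, not the article's own code. It follows the HOTP/TOTP shape of RFC 4226 and RFC 6238 in simplified form; the user names, secrets, timestamps and the 30-second time step are constructed for this example.

```python
"""Password plus token-generated one-time passcode (added illustration, not the
article's own code). The token shares a secret only with the authentication
server; a wrong PIN leaves it locked. Time-based and challenge-response modes
are both shown. Names, secrets and timestamps are constructed."""
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30   # seconds each time-based passcode remains valid
DIGITS = 6


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def passcode(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 of an 8-byte counter (time step or challenge) under the token secret."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


class Token:
    """The hardware or software token in the user's possession."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin

    def generate(self, pin: str, counter: int):
        # Wrong PIN: the token stays locked and yields nothing
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        return passcode(self._secret, counter)


class AuthServer:
    """Corporate authentication server holding each enrolled user's password and token secret."""

    def __init__(self):
        self._users = {}        # user -> (password, token secret)
        self._used = set()      # (user, time step) already accepted: a replay is refused
        self._challenges = {}   # user -> outstanding random challenge

    def enroll(self, user: str, password: str, token_secret: bytes):
        self._users[user] = (password, token_secret)

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(password.encode(), rec[0].encode())

    def issue_challenge(self, user: str) -> int:
        """Challenge-response mode: a fresh random value the token must answer."""
        challenge = secrets.randbits(63)
        self._challenges[user] = challenge
        return challenge

    def login_time_based(self, user: str, password: str, code: str, now=None) -> bool:
        """Password plus time-based passcode; the previous step is tolerated for clock skew."""
        if not self._password_ok(user, password):
            return False
        step = int(now if now is not None else time.time()) // TIME_STEP
        secret = self._users[user][1]
        for candidate in (step, step - 1):
            if (user, candidate) in self._used:
                continue   # an eavesdropped passcode is useless once it has been accepted
            if hmac.compare_digest(passcode(secret, candidate).encode(), str(code).encode()):
                self._used.add((user, candidate))
                return True
        return False

    def login_challenge(self, user: str, password: str, code: str) -> bool:
        """Password plus response to the challenge issued earlier; each challenge is single use."""
        challenge = self._challenges.pop(user, None)
        if challenge is None or not self._password_ok(user, password):
            return False
        return hmac.compare_digest(passcode(self._users[user][1], challenge).encode(),
                                   str(code).encode())


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    token, server = Token(secret, "2468"), AuthServer()
    server.enroll("alice", "correct horse", secret)
    now = int(time.time())
    code = token.generate("2468", now // TIME_STEP)
    print("first use:", server.login_time_based("alice", "correct horse", code, now))
    print("replayed:", server.login_time_based("alice", "correct horse", code, now))
```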

Protect the remote link
The remote link should be protected against surveillance and interference by the use of VPN tunnel technology. A VPN creates a secure link (known as a tunnel) between the remote host and the corporate DMZ. Data confidentiality is protected by encrypting the payload of the TCP/IP packets in transit. Data integrity is ensured by including a hash of the payload in the header. Source and target IP addresses on the private networks are also protected. Since no unauthorised party can read or interfere with the payload, we effectively have a secure tunnel through the public network. The use of VPNs is becoming very popular as a solution for secure teleworking communications. However, it should be remembered that the VPN only protects the data in transit and is not an entire solution in its own right. It is essential to protect against unauthorized VPN connections to the corporate network and to monitor/authorise remote behaviour via the VPN connection in case it has been hijacked. The configuration of the VPN client on the remote PC is also essential. In particular, the risk of bridging between the Internet and the corporate network can be minimized by configuring the VPN to disable access to the Internet while connected to the corporate network. In this mode, while the VPN is active, the PC's default route is to the VPN server at the office and the Internet is not visible. Similarly, communications services on the PC are not made available on the Internet.

Protect corporate resources from the remote PC

Monitor traffic and behavior
VPN technology is a powerful tool to ensure the integrity and confidentiality of data on the remote link. However, if the user's PC is compromised, then the VPN tunnel allows the cracker, posing as the authenticated user, direct access to the corporate information network, and may actually be effective in disguising the cracker's behavior. Hence, it is important that the VPN is terminated within a DMZ. The external firewall, facing the Internet, will authenticate and authorise the connection to the telecommuter's machine. However, data packets are encrypted within the VPN and hence the cracker's activities are disguised at this firewall. Beyond the end of the VPN, a network-based IDS should be deployed before the internal firewall in order to monitor the user's activity. This should watch for unusual or inappropriate behaviour, such as network activity outside the user's typical working hours, uploading or downloading of large amounts of data, or the use of network scanning tools. The use of SSL to access the corporate intranet over the VPN should also be considered carefully. Since SSL is encrypted "end-to-end", it may be used to hide a cracker's activity. Hence, the use of web proxies should be considered. The proxy should be located within the DMZ, and the IDS should monitor the intranet traffic. Also, the teleworker's network traffic should be scanned for viruses within the DMZ. This will help to protect the office network from any virus which may have slipped past the scanners on the remote PC.
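The three behaviours the paragraph asks the IDS to watch for (activity outside working hours, bulk transfers, and port scanning) can be expressed as simple rules over the decrypted flow records seen behind the VPN terminator. The following is an added example for this page, not the logic of any particular IDS product. The record format, the user names and addresses, the 07:00 to 20:00 working window, the 500 MiB daily threshold and the "ten distinct ports on one host within sixty seconds" scan heuristic are all constructed assumptions; a real deployment would tune them per user or per role.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, as an IDS sitting after VPN decryption in the DMZ
# might export them. Format (an assumption): "timestamp user src_ip dst_ip dst_port bytes".
SAMPLE_FLOWS = """\
2024-03-04T09:12:01 alice 10.8.0.5 10.1.2.10 443 18234
2024-03-04T09:40:15 alice 10.8.0.5 10.1.2.10 443 9021
2024-03-04T23:55:42 bob 10.8.0.9 10.1.2.20 445 402
2024-03-05T00:02:11 bob 10.8.0.9 10.1.2.20 445 734217893
2024-03-05T10:03:00 carol 10.8.0.7 10.1.2.21 21 60
2024-03-05T10:03:01 carol 10.8.0.7 10.1.2.21 22 60
2024-03-05T10:03:01 carol 10.8.0.7 10.1.2.21 23 60
2024-03-05T10:03:02 carol 10.8.0.7 10.1.2.21 25 60
2024-03-05T10:03:02 carol 10.8.0.7 10.1.2.21 80 60
2024-03-05T10:03:03 carol 10.8.0.7 10.1.2.21 110 60
2024-03-05T10:03:03 carol 10.8.0.7 10.1.2.21 135 60
2024-03-05T10:03:04 carol 10.8.0.7 10.1.2.21 139 60
2024-03-05T10:03:04 carol 10.8.0.7 10.1.2.21 443 60
2024-03-05T10:03:05 carol 10.8.0.7 10.1.2.21 445 60
"""

WORK_HOURS = (7, 20)                 # 07:00 to 20:00 local time (assumption)
BULK_BYTES = 500 * 1024 ** 2         # per user per calendar day (assumption)
SCAN_PORTS = 10                      # distinct ports on one host ... (assumption)
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window (assumption)


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return flows


def detect(flows: list) -> list:
    """Return sorted (user, rule) alerts for the three behaviours in the text."""
    alerts = set()
    daily_bytes = defaultdict(int)      # (user, day) -> bytes moved
    port_hits = defaultdict(list)       # (user, dst_ip) -> [(ts, port), ...]

    for f in flows:
        if not (WORK_HOURS[0] <= f["ts"].hour < WORK_HOURS[1]):
            alerts.add((f["user"], "out_of_hours"))
        daily_bytes[(f["user"], f["ts"].date())] += f["bytes"]
        port_hits[(f["user"], f["dst"])].append((f["ts"], f["port"]))

    for (user, _day), total in daily_bytes.items():
        if total > BULK_BYTES:
            alerts.add((user, "bulk_transfer"))

    # Scanning: sliding window over each (user, host) pair, counting distinct ports.
    for (user, _dst), hits in port_hits.items():
        hits.sort()
        for i, (t0, _port) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                alerts.add((user, "port_scan"))
                break

    return sorted(alerts)


def analyse(text: str = SAMPLE_FLOWS) -> list:
    return detect(parse_flows(text))


if __name__ == "__main__":
    for user, rule in analyse():
        print(f"ALERT {rule:<14} user={user}")
```

Because the rules key on the authenticated user rather than on the tunnel address, the alerts line up with the authorization records from the external firewall, which is what lets an analyst tell a hijacked session from a legitimate late-night login.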

Restrict remote service functionality at source
In some cases, there is no better protection than to prevent access to a service or resource altogether. For example, some corporate databases or internal applications may be considered too sensitive to risk any form of external access. Any such application or information should be carefully segregated from the remote access systems by appropriate use of access control and authorization systems, network firewalls and IDS. Some degree of control over the movement of data to and from the corporate network can also be provided by thin client technology such as Citrix WinFrame/MetaFrame or Microsoft Windows Terminal Server. Thin client technology allows the remote PC to act as an interactive "window" onto the corporate network, without providing direct access to the network. For example, applications such as word processors, spreadsheets, databases, and so on, can be run on the corporate server while making their user interface (text or GUI) available on the remote PC. The teleworker can see and interact with the application, but all processing is performed on the office server, and the data files remain on the corporate network. In this way, the teleworker can access information and even create/update information without being able to download large amounts of data or upload malware. (Note that the thin client server must be configured correctly to ensure that files cannot be downloaded to the remote PC or uploaded to the server. Thin client servers generally provide the capacity for file transfer if required.) The protection provided is limited: files can be updated or their contents entirely deleted, while macro viruses could be cut and pasted into a document. However, it does limit the damage that can be done in a given time.

Refuse remote access if necessary
Bear in mind that it may be necessary to completely refuse remote access. This may be a blanket ban across the entire firm, or simply a restriction on the job roles which may request remote access, e.g., individuals handling cash transfers cannot use remote access, and so on. The key to making this decision, as ever, is to weigh the benefits of remote access against the perceived risks and impact.
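The per-request authorization called for earlier, the segregation of resources that must never be reached remotely, the thin-client-only path with file transfer disabled, and the refusal of remote access for particular job roles are all decisions one policy check can make. The following is an added example written for this page, not the access control logic of any product; the role names, resource names, action names and the three policy sets are constructed assumptions. The design point it shows is deny by default: a request is granted only when an explicit role grant matches the exact resource and action, after every refusal rule has had its say.

```python
from dataclasses import dataclass

# Constructed policy for illustration (assumptions, not anything from the page):
NO_REMOTE_ROLES = {"cash-transfer"}            # job roles refused remote access outright
NEVER_REMOTE_RESOURCES = {"payroll-db"}         # segregated from remote access entirely
THIN_CLIENT_ONLY = {"finance-spreadsheets"}     # reachable only inside a terminal-server session
FILE_TRANSFER_ACTIONS = {"download", "upload"}  # disabled on the thin client server

# role -> {resource: set(actions)}. Anything not listed here is denied.
ROLE_GRANTS = {
    "analyst": {
        "intranet-wiki": {"read"},
        "finance-spreadsheets": {"read", "update"},
    },
    "engineer": {
        "intranet-wiki": {"read", "update"},
        "source-repo": {"read", "update"},
    },
}


@dataclass(frozen=True)
class Request:
    """One service/resource request arriving from an authenticated remote user."""
    user: str
    roles: frozenset
    resource: str
    action: str
    via_thin_client: bool = False


def authorize(req: Request) -> tuple:
    """Return (allowed, reason). Refusal rules run first; grants are explicit."""
    if req.roles & NO_REMOTE_ROLES:
        return False, "job role is excluded from remote access"
    if req.resource in NEVER_REMOTE_RESOURCES:
        return False, "resource is not reachable remotely at all"
    if req.resource in THIN_CLIENT_ONLY and not req.via_thin_client:
        return False, "resource is only available through the thin client session"
    if req.via_thin_client and req.action in FILE_TRANSFER_ACTIONS:
        return False, "file transfer is disabled on the thin client server"
    for role in sorted(req.roles):
        if req.action in ROLE_GRANTS.get(role, {}).get(req.resource, set()):
            return True, f"granted by role {role}"
    return False, "no grant for this resource/action"


def audit_line(req: Request) -> str:
    """One log line per decision, so the IDS can correlate behaviour with grants."""
    allowed, reason = authorize(req)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={req.user} resource={req.resource} action={req.action} reason={reason}"


if __name__ == "__main__":
    demo = [
        Request("alice", frozenset({"analyst"}), "finance-spreadsheets", "update", True),
        Request("alice", frozenset({"analyst"}), "finance-spreadsheets", "download", True),
        Request("dave", frozenset({"analyst", "cash-transfer"}), "intranet-wiki", "read"),
        Request("erin", frozenset({"engineer"}), "payroll-db", "read"),
    ]
    for r in demo:
        print(audit_line(r))
```

Logging the reason with every decision is what makes the "this level of detail" argument from the authentication section practical: a compromised session that starts hitting resources outside its grants produces a run of DENY lines that the monitoring layer can alert on.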
