|
The push for telework is growing across the federal government. Telework is an arrangement allowing flexibility in the places where employees may perform their jobs. Other names for telework include telecommuting, flexiwork or flexiplace. The idea of telework has been around since the early 1970s. Federal initiatives began in 1990. The most significant legislation was passed in 1990, which requires each executive branch agency to establish a telework policy. Some agencies have established remote work centers located closer to where employees live, but the majority of telework happens at home or while traveling. Popularity for telework is high among employees because it eliminates the need to commute and enables work-life balance. Employers are also tapping benefits such as increased productivity and reduced overhead. Another byproduct is cutting traffic congestion and pollution.
Accountability requirements for telework were passed in 2004 for six agencies and may spread across the entire federal government. The specter of associated budget reduction for inadequate telework implementations is accelerating adoption of remote work.
Implementation of telework in a federal agency or organization ultimately requires involvement of the information technology staff. IT is integral to telework because so much of what employees do requires the use of computers and other devices that tie back into central data and applications. Strong security policy, procedures and technology are major requirements - especially for protecting the remote systems used for telework and the sensitive information stored on those devices. This Guide provides federal IT managers with an overview of securing telework. It presents an overview of agency statutory requirements for establishing a telework policy and program. The Guide describes typical technologies used for telework and security applications for protecting those systems and information. The last part summarizes Pointsec solutions for securing telework, their certifications for federal purchasing, and web links to federal resources on telework.
Requirements for Federal Telework
The statutory framework for telework requires executive branch agencies of the federal government to take specified actions for telework, provides tools for supporting telework, and designates leadership roles to the Office of Personnel Management and the General Services Administration. Their Interagency Telework web site (www.telework.gov) provides guidance for employees who think they might like to telework or are already doing so, for managers who supervise teleworkers, and for agency coordinators.
FISMA directs the National Institute of Standards and Technology (NIST) to develop standards and guidelines for information security, and to stipulate use of off-the-shelf commercially developed IT products whenever possible (Sec. 303). Key NIST directives for securing telework are described below.
In addition to fulfilling statutory requirements, implementing telework makes good business sense. At AT&T Corp., for example, 30% of management works outside a traditional office and another 41% are regular teleworkers. About 90% of salaried employees do some telework. AT&T says productivity is up 12.5%, partly because teleworkers gain an hour of productivity each day by eliminating commute time. Telework helps the company to save $150 million annually through more productivity, lower overhead, enhanced retention and recruitment.
Security Technologies for Telework
Telework employs endpoint equipment used by remote and mobile workers, such as laptop PCs, hand held devices, email, and smart telephones. Many teleworkers bring work home on portable storage devices, such as USB drives, writable CDs, and external hard drives. Telework also requires security for devices used in a permanent setting, such as a satellite office or in a home office.
The objectives for IT security as defined by NIST in Federal Information Processing Standards (FIPS) 199 are:
- Confidentiality. Prevent unauthorized disclosure of information.
- Integrity. Prevent unauthorized modification or destruction of information.
- Availability. Prevent disruption of access to or use of information or an information system.
For telework, these objectives translate to three areas of concern: protecting the network, protecting data on mobile endpoints, and protecting data transmitted to or from teleworkers.
Federal Telework
Protecting the Network. The first goal is to prevent penetration or contamination of the agency network caused by a security lapse in telework endpoint equipment. Few devices come with a firewall, intrusion prevention, antivirus, virtual private network and other security applications. Without protection technology, telework endpoints are easily compromised and can serve as a gateway for hackers into the agency network.
|
