Wednesday, September 7, 2011

Do You Have Security Policies for Your Telecommuters?

This summer the Office of Management and Budget (“OMB”) issued a memorandum to the heads of executive departments and agencies in the federal government about implementing security guidelines relating to the Telework Enhancement Act of 2010. It is a good reminder that, while there are lots of benefits to allowing employees to telecommute, employers need to be cognizant of protecting their systems and data from the risks associated with telecommuting.  It is also a good starting place for thinking about what should be in your policies and procedures.

In December of 2009, President Obama signed the Telework Enhancement Act of 2010 (the ‘Act”).  The Act was implemented to improve telework in the federal government.  In the memorandum, the OMB recognizes the multiple benefits of telework (such things as resource savings, improved sustainability, and supporting the continuity of operations).  Nonetheless, the OMB notes that if telework is not properly implemented it may introduce new information vulnerabilities to the systems and networks. 

So what does the OMB recommend?  The OMB indicates that, at a minimum, federal agencies must address the following issues in their policies:
  1. controlling access to agency information and information systems;
  2. protecting agency information (including personally identifiable information) and information systems;
  3. limiting the introduction of vulnerabilities;
  4. protecting information systems not under the control of the agency that are used for teleworking;
  5. safeguarding wireless and other telecommunication capabilities that are used for teleworking; and
  6. preventing inappropriate use of official time or resources that violated the Standards of Ethical Conduct for Employees of the Executive branch by viewing, downloading, or exchanging pornography, including child pornography.
Do you have policies in place that take these guidelines into consideration?   If not, perhaps you should consider adding some policies.  If so, it may be time to talk with your IT adviser and make sure your policies are sufficient.

No comments:

Post a Comment