INF.8 Home Workplace
Description
Introduction
Teleworkers, freelancers, or self-employed persons typically work from home workplaces. In contrast to the workplace in the office, these employees use a workplace in their own property. It must be ensured that the professional environment is sufficiently separated from the private environment. If employees use home workplaces on a permanent basis, various legal requirements must also be met — for example, workplaces must comply with occupational health and ergonomic requirements.
At a home workplace, the same level of infrastructural security cannot be assumed as is found in the office rooms of an institution. For example, the workplace is often accessible to visitors or family members. Measures must therefore be taken to achieve a level of security comparable to an office room.
Objective
This building block demonstrates how the infrastructure of a home workplace can be set up and operated securely. The core objective of this building block is to protect the institution’s information at the home workplace.
Scope and Modeling
The building block INF.8 Home Workplace is to be applied to all rooms used as telework locations.
The building block contains fundamental requirements that must be observed and met in order to counter threats to a home workplace. However, only specific requirements for the infrastructure of a fixed workplace accessible by third parties are defined. Security requirements for IT systems used — such as clients and multifunction devices — and in particular for the technical aspects of telework, such as communication connections, are not the subject of this building block. These are described in the building block OPS.1.2.4 Telework and in the respective system-specific building blocks.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.8 Home Workplace.
Missing or Inadequate Regulations for the Home Workplace
Since a home workplace is located outside the institution, employees there are largely on their own. As a result, missing or inadequate regulations for the home workplace environment can lead to IT problems with longer downtime. If IT problems cannot be resolved via remote administration, for example, an IT Operations person from the institution must first travel to the home workplace to resolve them on site. If it is not clearly regulated how internal and confidential information is to be handled at the home workplace, employees could store such information incorrectly. If it cannot be prevented that information is spied on or modified, the confidentiality and integrity of the information are at risk.
Unauthorized Access to Sensitive Rooms at the Home Workplace
Rooms at a home workplace in which sensitive information is stored and processed, or in which sensitive devices are stored or operated, are themselves to be regarded as sensitive rooms. If unauthorized persons can enter these rooms unattended, the confidentiality, integrity, and availability of this data and information are significantly at risk.
Examples:
- A home office is located in a separate study, but it is not consistently locked. When small children were briefly unsupervised, they played in the unlocked study. Important documents were used as drawing paper in the process.
- While a person at their home workplace was absorbed in project work, an unexpected visitor arrived. While the person was making coffee in the kitchen, the visitor wanted to quickly look something up on the internet on the unlocked client and accidentally infected it with malware in the process.
Impairment of IT Use Due to Unfavorable Working Conditions at the Home Workplace
A home workplace that is not set up according to ergonomic principles, or an unfavorable working environment, can mean that uninterrupted work is not possible. The IT in use may also be impossible to operate optimally, or at all. Unfavorable factors include noise, disturbances from family members, and poor lighting or ventilation. This restricts workflows and employees’ potential, and errors can creep into their work. Furthermore, the protection of data integrity can be reduced.
Unsecured Transport of Files and Storage Media
When documents, storage media, or files are transported between the institution and the home workplace, this data and information can be lost. Unauthorized third parties could also steal, read, or manipulate it. File and storage media transport can be inadequately secured in various ways:
- If unique originals are transported and no corresponding backup exists, objectives and tasks cannot be achieved as planned if the original is lost.
- If unencrypted storage media fall into the wrong hands, this can lead to a severe loss of confidentiality.
- If adequate access protection is not in place while in transit, files or storage media can be copied or manipulated unnoticed.
Inappropriate Disposal of Storage Media and Documents
If it is not possible at the home workplace to dispose of storage media and documents in an appropriate manner, they may simply be thrown in the household waste. Valuable information can, however, be extracted from this, which can be deliberately misused for extortion or industrial espionage. The consequences range from loss of knowledge to an existential threat to the institution — for example, if important contracts do not materialize or business partnerships fail as a result.
Manipulation or Destruction of IT, Accessories, Information, and Software at the Home Workplace
IT devices, accessories, information, and software used at the home workplace can in some circumstances be more easily manipulated or destroyed than at the institution. The home workplace is often accessible to household members and visitors. The central protective measures of the institution are also absent, for example reception services. If IT devices, accessories, information, or software are manipulated or destroyed, employees at the home workplace are often only able to work to a limited extent. Furthermore, destroyed IT components, information, and software solutions may need to be replaced, requiring both financial and time resources.
Increased Risk of Theft at the Home Workplace
The home workplace is usually not as well secured as the workplace in a company or a government agency. There, elaborate precautions such as security doors or a reception service make the risk of unauthorized persons entering the building far lower than at a private residence. During a burglary, objects that can be sold quickly and easily are usually stolen first. Official IT equipment can also be stolen in this process. The information on the stolen official IT systems, however, often has a higher value than the IT systems themselves. Third parties could attempt to achieve a higher gain through extortion or by passing the data to competitors than through selling the hardware.
Requirements
The following are the specific requirements of the building block INF.8 Home Workplace. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | Employees |
| Additional responsibilities | None |
Exactly one role should be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.
Basic Requirements
The following requirements MUST be met as a priority for this building block.
INF.8.A1 Securing Official Documents at the Home Workplace (B)
Official documents and storage media MUST be stored at the home workplace in such a way that no unauthorized persons can access them. Sufficient lockable containers (e.g., lockable pedestals or cabinets) MUST therefore be available. All employees MUST leave their workplaces tidy and ensure that no confidential information is freely accessible.
INF.8.A2 Transport of Work Materials to the Home Workplace (B)
It MUST be regulated which storage media and documents may be processed at the home workplace and which may be transported back and forth between the institution and the home workplace. In general, storage media and other documents MUST be transported securely. These regulations MUST be made known to employees in an appropriate manner.
INF.8.A3 Protection Against Unauthorized Access at the Home Workplace (B)
Employees MUST be informed of which regulations and measures must be observed for intrusion and access protection. For instance, they MUST be reminded to close windows and lock doors when the home workplace is unoccupied.
It MUST be ensured that unauthorized persons cannot at any time enter the home workplace and access official IT and documents. These measures MUST be reviewed at reasonable intervals, but at minimum when domestic circumstances change.
Standard Requirements
Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.
INF.8.A4 Appropriate Setup of the Home Workplace (S)
The home workplace SHOULD be separated from the private areas of the dwelling by an appropriate room layout. The home workplace SHOULD be furnished with office furniture that meets ergonomic requirements.
Likewise, the home workplace SHOULD be protected against break-ins by appropriate technical security measures. The protective measures SHOULD be adapted to the local conditions and the applicable protection needs.
INF.8.A5 Disposal of Confidential Information at the Home Workplace (S)
Confidential information SHOULD be disposed of securely. A specific security policy SHOULD therefore regulate how sensitive material is to be disposed of. The disposal options required for this SHOULD be available.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.
INF.8.A6 Handling Official Documents with Elevated Protection Needs at the Home Workplace (H)
When processing information with elevated protection needs, consideration SHOULD be given to dispensing with a home workplace entirely. Otherwise, the home workplace SHOULD be protected by enhanced, high-quality technical security measures.
Additional Information
Good to Know
The International Organization for Standardization (ISO) provides requirements for the physical security and environmental security of buildings and rooms in standard ISO/IEC 27001:2013, Annex A.11.
The German Institute for Standardization provides requirements for the physical security of buildings and rooms in its standard “DIN EN 1627:2011-09.”
The National Institute of Standards and Technology (NIST) has published NIST Special Publication 800-53 on “Assessing Security and Privacy Controls for Federal Information Systems and Organizations” as part of its Special Publications series, and provides requirements for the physical security and environmental security of buildings in Appendix F-PS.