INF.9 Mobile Workplace

Description

Introduction

Good network coverage and powerful IT devices such as laptops, smartphones, or tablets enable employees to work from almost any location. This means that official tasks are frequently no longer carried out only in the rooms and buildings of the institution, but at changing workplaces in different environments — for example in hotel rooms, on trains, or at customer sites. The information processed in this way must be appropriately protected.

Mobile working changes, on the one hand, the duration, timing, and distribution of working hours. On the other hand, it raises the requirements for information security, because the secure IT infrastructure of an office environment cannot be assumed at a mobile workplace.

Objective

This building block describes security requirements for mobile workplaces. The objective is to create a security situation for such workplaces comparable to an office room.

Scope and Modeling

The building block INF.9 Mobile Workplace is to be applied to all rooms that are frequently used as mobile workplaces.

The building block contains fundamental requirements that must be observed and met when employees work not only within the institution but also frequently at changing workplaces outside it.

The building block primarily maps the organizational, technical, and personnel requirements for fully or partially mobile work. To secure IT systems, storage media, or documents used during mobile working, all relevant building blocks must be separately considered — such as SYS.3.1 Laptops, SYS.3.2 General Smartphones and Tablets, SYS.4.5 Removable Storage Media, NET.3.3 VPN, and SYS.2.1 General Client.

Security requirements for screen workplaces outside institution premises that are permanently established by the institution (telework locations) are not the subject of this building block. These are described in the building block OPS.1.2.4 Telework. Likewise, security requirements for the infrastructure of telework locations are not addressed. This topic is covered in the building block INF.8 Home Workplace.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block INF.9 Mobile Workplace.

Missing or Inadequate Regulations for Mobile Workplaces

If mobile working is not regulated or only inadequately regulated, the institution can suffer financial damage, among other things. If, for example, it is not regulated which information may be transported and processed outside the institution and what protective measures must be observed, confidential information can fall into unauthorized hands. This can then potentially be used against the institution by unauthorized persons.

Impairment Due to Changing Deployment Environment

Since mobile storage media and end devices are used in very different environments, they are exposed to many hazards. These include, for example, harmful environmental influences such as excessively high or low temperatures, dust, or moisture. Transport damage can also occur.

In addition to these influences, the deployment environment with its varying security levels must also be taken into account. Smartphones, tablets, laptops, and similar mobile end devices are not only mobile but can also communicate with other IT systems. Malicious programs could be transmitted or sensitive information copied in the process. Tasks may also become impossible to carry out, appointments with customers may not be kept, or IT systems may be damaged.

Manipulation or Destruction of IT Systems, Accessories, Information, and Software at the Mobile Workplace

IT systems, accessories, information, and software used in a mobile context can in some circumstances be more easily manipulated or destroyed than at the institution. The mobile workplace is often accessible to third parties. The central protective measures of the institution are also absent, such as reception services. If IT systems, accessories, information, or software are manipulated or destroyed, employees at the mobile workplace are often only able to work to a limited extent. Furthermore, destroyed IT components or software solutions may need to be replaced, requiring both financial and time resources.

Delays Due to Temporarily Limited Availability

Employees at mobile workplaces generally do not have fixed working hours and are also harder to reach while traveling. This can significantly delay the flow of information. Even if information is transmitted by email, response times are not necessarily shortened, since it cannot be ensured that mobile employees read emails promptly. The temporarily limited availability has different effects depending on the situation and institution, but can severely restrict the availability of information.

Unsecured Transport of Files and Storage Media

When documents, storage media, or files are transported between the institution and mobile workplaces, this information and data can be lost, or can be stolen, read, or manipulated by unauthorized persons. This can cause significant financial damage to the institution. File and storage media transport can be inadequately secured in various ways:

  • If unique originals are transported and no corresponding backup exists, objectives and tasks cannot be achieved as planned if the original is lost.
  • If unencrypted storage media fall into the wrong hands, this can lead to a severe loss of confidentiality.
  • If adequate access protection is not in place while in transit, files or storage media can be copied or manipulated unnoticed.

Inappropriate Disposal of Storage Media and Documents

If it is not possible at the mobile workplace to dispose of storage media and documents in an appropriate manner, they usually end up in the household waste. Even in locations where mobile work is done, employees frequently throw drafts and other seemingly useless documents directly in the nearest wastepaper basket, or simply leave them behind — in the hotel or on the train. However, if storage media or documents are not disposed of appropriately, third parties can extract valuable information that can be deliberately misused for extortion or industrial espionage. The consequences range from loss of knowledge to an existential threat to the institution — for example, if important contracts do not materialize or partnerships fail as a result.

Loss of Confidentiality of Sensitive Information

At the mobile workplace, third parties can more easily access confidential information stored on hard drives, removable storage media, or paper, especially when those third parties act professionally. They can also eavesdrop on communication connections. If information is read or disclosed without authorization, this has serious consequences for the entire institution. Among other things, the loss of confidentiality can cause the institution to violate laws or suffer competitive disadvantages and financial damage.

Theft or Loss of Storage Media or Documents

The mobile workplace is not as well secured as the workplace in a company or government agency. Official IT systems and documents can therefore more easily be stolen — for example during a train journey, from a hotel room, or from external conference rooms.

In addition, mobile IT systems or IT components can be lost. Alongside the purely material damage caused by the direct loss of the mobile IT system, further financial damage can arise — for example if sensitive data such as emails, meeting notes, addresses, or other documents are disclosed. The institution’s reputation could also be damaged.

Requirements

The following are the specific requirements of the building block INF.9 Mobile Workplace. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They should be filled where meaningful and appropriate.

Responsibilities            Roles
Primarily responsible       Information Security Officer (ISO)
Additional responsibilities Employees, IT Operations, Central Administration, HR Department

Exactly one role is designated as primarily responsible. There may also be additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a specific requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not imply anything about the number of persons filling these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

INF.9.A1 Appropriate Selection and Use of a Mobile Workplace (B) [IT Operations]

The institution MUST prescribe to its employees how mobile workplaces should be appropriately selected and used. Properties that are desirable for a mobile workplace MUST be defined. Exclusion criteria that argue against a mobile workplace MUST also be defined. At minimum, the following MUST be regulated:

  • under which workplace conditions sensitive information may be processed,
  • how employees at the mobile workplace protect themselves against unwanted viewing by third parties,
  • whether a permanent network and power supply must be available, and
  • which workplace environments are completely prohibited.

INF.9.A2 Regulations for Mobile Workplaces (B) [HR Department]

For all work while traveling, it MUST be regulated which information may be transported and processed outside the institution. It MUST also be regulated what protective measures must be taken in this regard. It MUST also be clarified under what framework conditions employees may access internal information of their institution using mobile IT systems.

Taking IT components and storage media off-site MUST be clearly regulated. It MUST be specified which IT systems and storage media may be taken along, who may take them, and what fundamental security requirements must be observed. It MUST also be logged when and by whom which mobile end devices were used off-site.

Users of mobile end devices MUST be made aware of the value of mobile IT systems and the value of the information stored thereon. They MUST be briefed on the specific threats and measures relevant to the IT systems they use. They MUST also be informed about what kind of information may be processed on mobile IT systems. All users MUST be made aware of the applicable regulations they must comply with. They MUST be trained accordingly.

INF.9.A3 Access and Entry Protection (B) [Central Administration, Employees]

Employees MUST be informed of which regulations and measures must be observed for intrusion and access protection at the mobile workplace. When the mobile workplace is unoccupied, windows and doors MUST be locked. If this is not possible — for example on a train — employees MUST store all documents and IT systems in a safe location or keep them with them when absent. It MUST be ensured that unauthorized persons cannot at any time access official IT and documents. If the workplace is left only briefly, the IT systems in use MUST be locked so that they can only be used again after successful authentication.

INF.9.A4 Working with Third-Party IT Systems (B) [IT Operations, Employees]

The institution MUST regulate how employees may work with IT systems not belonging to the institution. All mobile employees MUST be briefed on the dangers of third-party IT systems. The regulations MUST specify whether and how sensitive information may be processed on third-party IT systems. They MUST also specify how unauthorized persons are prevented from viewing the information. When employees work with third-party IT systems, it MUST in principle be ensured that all temporary data created in the process is deleted.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

INF.9.A5 Prompt Loss Reporting (S) [Employees]

Employees SHOULD promptly report to their institution when information, IT systems, or storage media have been lost or stolen. There SHOULD be clear reporting channels and contact persons within the institution for this purpose.

INF.9.A6 Disposal of Confidential Information (S) [Employees]

Confidential information SHOULD also be disposed of securely while traveling. Before discarded or defective storage media and documents are destroyed, it MUST be checked whether they contain sensitive information. If this is the case, the storage media and documents MUST be transported back and disposed of or destroyed through institutional channels.

For mobile working, employment law and occupational health and safety frameworks SHOULD be observed and regulated. All relevant aspects SHOULD be regulated either through works agreements or through individual agreements between the mobile employee and the institution in addition to the employment contract.

INF.9.A8 Security Policy for Mobile Workplaces (S) [IT Operations]

All relevant security requirements for mobile workplaces SHOULD be documented in a security policy that is binding for mobile employees. It SHOULD also be coordinated with the institution’s existing security policies and with all relevant specialist departments. The security policy for mobile workplaces SHOULD be updated regularly. Institution employees SHOULD be made aware of and trained in the current security policy.

INF.9.A9 Encryption of Portable IT Systems and Storage Media (S) [IT Operations]

For portable IT systems and storage media, it SHOULD be ensured that they are secured in accordance with internal policies. Mobile IT systems and storage media SHOULD be encrypted. Cryptographic keys SHOULD be stored separately from the encrypted device.

INF.9.A12 Use of a Screen Privacy Filter (S) [Employees]

When IT systems are used at mobile workplaces, employees SHOULD use a privacy filter for the screens of IT systems.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection representing the state of the art. The proposals SHOULD be considered when protection needs are elevated. The specific determination is made within an individual risk analysis.

INF.9.A10 Use of Anti-Theft Devices (H) [Employees]

If the IT system used provides an anti-theft device, it SHOULD be used. Anti-theft devices SHOULD always be used where there is heavy public traffic or the turnover of users is very high. Employees SHOULD always bear in mind that protecting the information stored on IT systems usually has a higher value than the replacement cost of the IT system. Procurement and usage criteria for anti-theft devices SHOULD be adapted to the institution’s processes and documented.

INF.9.A11 Prohibition of Use in Insecure Environments (H) [IT Operations]

Criteria SHOULD be established for the working environment that must at minimum be met for information with elevated protection needs to be processed in a mobile context. The criteria SHOULD cover at minimum the following topic areas:

  • viewing and access by third parties,
  • closed and, if necessary, lockable or guarded rooms,
  • secured communication options, and
  • an adequate power supply.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides requirements for the equipment and furnishing of mobile workplaces in standard ISO/IEC 27001:2013, Annex A.11.2.

The International Organization for Standardization (ISO) provides requirements for developing a policy for mobile devices in standard ISO/IEC 27001:2013, Annex A.6.2.1.

The Information Security Forum (ISF) provides requirements for handling mobile end devices in its standard “The Standard of Good Practice for Information Security” in chapter PA2.

The National Institute of Standards and Technology (NIST) has published NIST Special Publication 800-46 on “Remote Access and Bring Your Own Device (BYOD)” as part of its Special Publications series, and provides requirements for remote access to hardware.