OPS.1.2.4 Telework

Description

Introduction

Telework refers to any activity supported by information and communications technology that is performed wholly or partly outside the premises and buildings of the institution. In home-based telework, employees regularly alternate between working at their workplace in the institution’s premises and at their home workplace, on a daily or hourly basis.

Objective

The objective of this building block is to protect information that is stored, processed, and transmitted during telework. For this purpose, typical threats are identified and special requirements for secure telework are defined.

Scope and Modeling

The building block OPS.1.2.4 Telework is to be applied to every telework workstation.

This building block focuses on the form of telework carried out in the home environment (home-based telework). It is assumed that a secure telecommunications connection exists between the telework workstation and the institution, which makes it possible to exchange information appropriately and access data on the institution’s server. The requirements of this building block cover the following three areas:

  • the organization of telework,
  • the employees’ workstation PCs, and
  • the communication link between telework computers and the institution.

Security requirements for the infrastructure of the telework workstation are not taken into account in this building block, but are described in building block INF.8 Home Workplace. Requirements for a non-permanently established workplace can be found in building block INF.9 Mobile Workplace.

Detailed recommendations on how IT systems can be configured and secured are not addressed within the scope of this building block. They can be found in SYS.2.1 General Client and in the operating system-specific system building blocks. Other security aspects relevant to telework, such as for WLAN, are examined in the building blocks of the NET.2 Wireless Networks or NET.4 Telecommunications sublayers.

If data modified during telework is not stored directly on the institution’s IT systems, it must be regulated how a data backup is performed. Requirements for this can be found in building block CON.3 Data Backup Concept.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.2.4 Telework.

Missing or Inadequate Regulations for the Telework Workstation

The use of a telework workstation requires supplementary organizational arrangements between the employees and the managers. In addition, they need instructions for action in the event that security-relevant incidents occur at the telework workstation. If, for example, confidential information falls into the hands of third parties, serious damage to the institution can result.

Unauthorized Private Use of the Official Telework Computer

In the home environment, hardware or software that has not been checked and approved can more easily be used, and malware can, for example, end up on the telework computer through thoughtless action. This could compromise confidential information.

Delays Due to Temporarily Limited Accessibility of Employees

If employees do not have fixed working hours at the telework workstation and no fixed times are agreed at which they must be reachable, workflows may be delayed as a result.

Inadequate Integration of Employees in the Information Flow

Since employees are not in the institution every day, they have less opportunity to participate in direct information exchange with managers and colleagues. It is therefore possible that teleworkers, in particular, receive information that has been passed on verbally late or not at all. This can disrupt workflows and business processes and limit the productivity of the employee.

Non-Compliance with Security Measures

At the telework workstation, a lack of control options can, for example, lead to employees not implementing recommended or ordered security measures, or not implementing them to their full extent. As a result, confidential information can fall into the hands of third parties.

Requirements

The following are the specific requirements of building block OPS.1.2.4 Telework. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities             Roles
Primarily responsible        Information Security Officer (ISO)
Additional responsibilities  Employees, IT Operations, Supervisors, HR Department

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.2.4.A1 Regulations for Telework (B) [Supervisors, HR Department]

All relevant aspects of telework MUST be regulated. For information purposes, the applicable regulations or a specially prepared information sheet explaining the security measures to be observed MUST be provided to teleworkers. All contentious points MUST be regulated either by works agreements or by individual agreements concluded in addition to the employment contract between the employee and the institution. The regulations MUST be regularly updated.

Security-related requirements that an IT system for telework must fulfil MUST be defined.

It MUST be ensured that only authorized persons have access to the telework computers. Furthermore, the telework computer MUST be secured so that it can only be used for authorized purposes.

OPS.1.2.4.A3 DISCONTINUED (B)

This requirement has been discontinued.

OPS.1.2.4.A4 DISCONTINUED (B)

This requirement has been discontinued.

OPS.1.2.4.A5 Raising Awareness and Training Employees (B)

Using a guide, employees MUST be made aware of the dangers associated with telework. They also MUST be briefed on the institution’s relevant security measures and trained in using them. The training and awareness measures for employees SHOULD be repeated regularly.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.2.4.A6 Creation of a Security Concept for Telework (S)

A security concept for telework SHOULD be created that describes security objectives, protection needs, security requirements, and risks. The concept SHOULD be regularly updated and revised. The security concept for telework SHOULD be coordinated with the institution’s overarching security concept.

OPS.1.2.4.A7 Regulation of the Use of Communication Facilities in Telework (S) [IT Operations, Employees]

It SHOULD be clearly regulated which communication facilities may be used in telework under which conditions. The official and private use of internet services during telework SHOULD be regulated. In doing so, it SHOULD also be clarified whether private use is generally permitted or prohibited.

OPS.1.2.4.A8 Information Flow Between Employees and Institution (S) [Supervisors, Employees]

Regular internal information exchange between employees and the institution SHOULD be ensured. All employees SHOULD be informed promptly about changed security requirements and other security-relevant aspects. All colleagues of the respective employees SHOULD be aware of when and where they can be reached. Technical and organizational telework regulations on task management, security incidents, and other problems SHOULD be established and communicated to employees.

OPS.1.2.4.A9 Support and Maintenance Concept for Telework Workstations (S) [IT Operations, Employees]

A special support and maintenance concept SHOULD be created for telework workstations. The following aspects SHOULD be regulated therein: contact person from IT Operations, maintenance dates, remote maintenance, transport of IT equipment, and introduction of standard telework computers. In order to keep employees operational, contact persons for hardware and software problems SHOULD be named for them.

OPS.1.2.4.A10 Conducting a Requirements Analysis for the Telework Workstation (S) [IT Operations]

Before a telework workstation is set up, a requirements analysis SHOULD be performed. This SHOULD show, for example, which hardware and software components are needed for the telework workstation. The requirements for the respective telework workstation SHOULD be coordinated with those responsible for IT. The protection needs of the information processed at the telework workstation SHOULD always be determined and documented.

Requirements for High Protection Needs

No requirements for high protection needs are defined for this building block.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides in the standard ISO/IEC 27001:2013, in particular in Annex A, A.6.2.1 “Mobile device policy” and A.11.2.6 “Security of equipment and assets off-premises,” information on dealing with telework.

The Information Security Forum (ISF) also makes requirements for telework in its standard “The Standard of Good Practice for Information Security,” in particular in Area PA2 Mobile Computing.

The National Institute of Standards and Technology (NIST) has published NIST Special Publication 800-46 as “Guide to Enterprise Telework, Remote Access and Bring Your Own Device (BYOD) Security” within the framework of its Special Publications.