T5.7.2 - TELEWORKING Implementation Guidance
The entity shall implement security measures to protect information accessed, processed or stored on teleworking sites.
Entities allowing teleworking activities should establish security measures that define the conditions and restrictions for using teleworking. Where deemed applicable and allowed by law, the following matters should be considered:
- A. The existing physical security of the teleworking site, taking into account the physical security of the building and the local environment
- B. The proposed physical teleworking environment
- C. The communications security requirements, taking into account the need for remote access to the entity’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system
- D. The provision of virtual desktop access that prevents processing and storage of information on privately owned equipment
- E. The threat of unauthorized access to information or resources from other persons using the accommodation, e.g. family and friends
- F. The use of home networks and requirements or restrictions on the configuration of wireless network services
- G. Policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment
- H. Access to privately owned equipment (to verify the security of the machine or during an investigation), which may be prevented by legislation
- I. Software licensing agreements under which entities may become liable for licensing client software on workstations privately owned by employees or external party users
- J. Anti-virus protection and firewall requirements
The guidelines and arrangements to be considered should include:
- A. The provision of suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment that is not under the control of the entity is not allowed
- B. A definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access
- C. The provision of suitable communication equipment, including methods for securing remote access
- D. Physical security
- E. Rules and guidance on family and visitor access to equipment and information
- F. The provision of hardware and software support and maintenance
- G. The provision of insurance
- H. The procedures for backup and business continuity
- I. Audit and security monitoring
- J. Revocation of authority and access rights, and the return of equipment when the teleworking activities are terminated