Work At Home
As everyone has a vested interest in encouraging work at home, would it make sense for a single set of guidelines to be used across government? The clarity would be useful for smaller units and if vetted by someone like the CSIA, might increase take-up. I think the areas to be covered are fairly clear:
1. Prohibition of unsecured wireless access to the Internet
2. Password protection of both computer and government files/data
3. Preference for use of government laptops/desktops for home work
4. Minimum set of physical security requirements for computers, including anti-virus protection, protection against malware, etc.
5. Reporting procedures (not punitive) for loss of data or computer
6. Procedures regarding peripheral equipment
7. End of life turnover of computer or hard disk to controlling authority for destruction
I googled the term and the first return was for the Hertfordshire Constabulary. They seem to have done quite a good job, except for end of life issues for personal computers used for work.
However, the Surrey, Heath and Woking Primary Care Trust merely states that employees must keep equipment secure and bizarrely, that the PCT must inform them of security requirements. Hope there’s another document out there.
The Robert Gordon University policy is much more worried about viruses transported back to the University system than anything else, although they mention the importance of backing up data frequently to avoid loss or corruption, and say that employees must have ‘appropriate safeguards’ for home computing. This is followed by a link to the University IT policy, a series of Word documents that must be downloaded separately, and none of which are labeled ‘Security.’
I really think someone like the CSIA should promulgate a policy for basic home work procedures, and tack on an addendum for those who deal with sensitive information. Clarity and consistency would, I think, go a long way. So would the ability for a small business unit to feel that they have covered all the bases. It could be as simple as their Get Safe Online website…

September 12th, 2007 at 1:41 pm
I would change (1) to “All access to remote government systems and data must be made over a secured VPN” - then it is irrelevant whether you have switched on crappy local wireless encryption protocols on your access point.
I would probably go further and mandate that gov data can only be accessed remotely using a thin client. This makes it more difficult for careless staff to save sensitive data on unsecured local disks. It gives CIOs much stronger control over the configuration of their users’ environments and reduces the impact of malware on users’ own systems. It also enforces (2) and reduces the need for (7).
September 12th, 2007 at 3:39 pm
I don’t think that really covers all the bases, since the biggest risk is human error (the dreaded PEBKAC, in fact). See for example today’s Register story about the worm spreading through Skype’s IM by sending apparently innocent JPG links to users’ contacts. As I have a Guardian piece about to say, anti-virus software is increasingly seriously challenged by the furious pace of new malware releases.
Also, perhaps someone more expert than I am can say how easy it is for someone to attach an extra WAP to a secured wireless connection.
wg