- Developing and enforcing a telework security policy, such as having tiered levels of remote access
- Requiring multi-factor authentication for enterprise access
- Using validated encryption technologies to protect communications and data stored on the client devices
- Ensuring that remote access servers are secured effectively and kept fully patched
- Securing all types of telework client devices—including desktop and laptop computers, smartphones, and tablets—against common threats

A lack of physical security controls is an issue because telework client devices are used in a variety of locations outside of the organization’s control, such as employees’ homes, coffee shops, and other businesses. The mobile nature of these devices makes them likely to be lost or stolen, which places the data on the devices at increased risk of compromise.

1. Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats. Options for mitigating the risk of a lost or stolen device include encrypting the device’s storage, encrypting all sensitive data stored on client devices, and not storing sensitive data on client devices. For mitigating device reuse threats, the primary option is using strong authentication—preferably multi-factor—for enterprise access.

• NIST Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• NIST SP 800-114 Revision 1, User’s Guide to Telework and Bring Your Own Device (BYOD) Security
• NIST SP 800-77 Revision 1 (Draft), Guide to IPsec VPNs
• NIST SP 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
• NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies
• NIST SP 1800-4, Mobile Device Security: Cloud and Hybrid Builds
• NIST SP 1800-21 (Draft), Mobile Device