There are many threats to telework client devices, including malware and device loss or theft. Generally, telework client devices should include all the local security controls used in the organization’s secure configuration baseline for its non-telework client devices.
Examples are applying operating system and application updates promptly, disabling unneeded services, and using anti-malware software and a personal firewall. However, because telework devices are generally at greater risk in external environments than in enterprise environments, additional security controls are recommended, such as encrypting sensitive data stored on the devices, and existing security controls may need to be adjusted. For example, if a personal firewall on a telework client device has a single policy for all environments, then it is likely to be too restrictive in some situations and not restrictive enough in others. Whenever possible, organizations should use personal firewalls capable of supporting multiple policies for their telework client devices and configure the firewalls properly for the enterprise environment and an external environment, at a minimum.
Organizations should ensure that all types of telework client devices are secured, including PCs, cell phones, and PDAs. For PCs, this includes physical security (for example, using cable locks to deter theft). For devices other than PCs, security capabilities and the appropriate security actions vary widely by device type and specific products, so organizations should provide guidance to device administrators and users who are responsible for securing telework consumer devices on how they should secure them.