A telework security policy defines which forms of remote access an organization permits, which types of telework devices are permitted to use each form of remote access, and the type of access each type of teleworker is granted. It should also cover how the organization's remote access servers are administered and how policies in those servers are updated.
As part of creating a telework security policy, an organization should make its own risk-based decisions about what levels of remote access should be permitted from which types of telework client devices. For example, an organization may choose to have tiered levels of remote access, such as allowing organization-owned personal computers (PC) to access many resources, teleworker-owned PCs to access a limited set of resources, and other PCs and types of devices (e.g., cell phones, personal digital assistants (PDA) to access only one or two lower-risk resources, such as Web-based email. Having tiered levels of remote access allows an organization to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have minimal access.
There are many factors that organizations should consider when setting policy regarding the levels of remote access to grant; examples include the sensitivity of the telework, the level of confidence in the telework client device’s security posture, the cost associated with telework client devices, the locations from which the telework is performed, and compliance with mandates and other policies.
For telework situations that an organization determines are particularly high-risk, the organization may choose to specify additional security requirements. For example, high-risk telework might be permitted only from organization-issued and secured telework client devices that employ multi-factor authentication and storage encryption. Organizations may also choose to reduce potential risks by prohibiting telework and remote access involving particular types of information, such as highly sensitive personally identifiable information (PII).