Information Security News from the University System of Georgia
Vol. 01 No. 04 August 2009
INFOSEC
WWW.USG.EDU/INFOSEC
TELEWORK SECURITY
THINKING AND PRACTICING SAFE COMPUTING IN THE EVOLVING WORKPLACE
The ability of University System of Georgia (USG) employees to perform their duties from home, a remote office, or other geographically convenient worksites is increasing. As a result, the need to examine telework, telecommuting, and mobile workforce strategies for information and system access has grown proportionally.
As USG institutions consider adopting telework and telecommuting as an alternative to the traditional office environment, it is important to understand the security risks and establish appropriate countermeasures.
The key to establishing a secure telework or telecommuting arrangement with the proper security controls is to design the alternative work site and computing environment in the same manner as the primary office location.
Management must also understand the budgetary tradeoffs associated with telework or telecommuting. For example, although traffic congestion and commuting overhead costs may decrease, the cost of supporting the appropriate technology and the required security measures will almost certainly be greater. However, using a defense-in-depth strategy can strengthen a legitimate business need to move operations outside of the normal boundaries.
This means addressing information security (in terms of confidentiality, integrity, and availability...) and information in three states:
At Rest: data are located in a secondary storage device such as a hard drive or thumb drive
In Transit: data are between the headquarters site and the telework or telecommuting location
In Process: data are being used by the employee
This applies to all types of data used for official business: public, confidential, and sensitive. Ensuring the availability of non-confidential data that is critical in the performance of the work is as important as ensuring proper access controls for confidential information.
"DESIGN THE ALTERNATIVE WORKSITE IN THE SAME MANNER AS THE PRIMARY OFFICE..."
- Stanton S. Gatewood, Chief of Information Security, University System of Georgia
WHO DOES WHAT
To ensure that security remains an integral part of any remote computing scenario, roles and responsibilities must be defined and met by all parties involved in a telework/telecommuting arrangement. Only when these obligations have been clearly defined and adhered to across the institution can vulnerabilities be kept at a minimum. The following broadly outlines how those roles and responsibilities may be established:
INFORMATION TECHNOLOGY RESPONSIBILITIES
Establish and use a securely configured Virtual Private Network (VPN) connection between institutions and the telework/telecommuting site. This will help ensure firewalls, encryption, and tunneling protocols adequately protect the information while in transit across public networks.
Equip teleworkers/telecommuters with authorized USG-owned and USG-issued equipment (e.g., laptop or workstation, thumb or flash drives) and manage those devices as part of the agency assets.
Establish an internal process so routine system updates and upgrades on anti-virus signatures, security patches, and other optimal configurations can be pushed to the telework/telecommuter's computing device automatically by the IT department.
Use a Network Access Control (NAC) approach, when possible, to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
Use two-factor authentication, such as a combination of strong passwords (something you know) and endpoint device authentication (tokens: something you have), to guard against unauthorized network access. Manage the token devices as an enterprise asset.
Enable "session lock" on computers so that when employees leave their desks, the computers go into sleep mode and require employees to log in with a password to bring their session back up. Do not allow employees to disable this or similar access controls.
Use whole-disk encryption and strong passwords on mobile devices (e.g., laptops, hard drives, thumb drives) so that, if a device is lost or stolen, the information cannot be accessed and is useless to an unauthorized user.
Configure wireless devices so that they do not automatically attempt to join wireless networks they detect. If wireless is a business requirement, consider third-party wireless solutions, like cellular air cards, which are typically more secure.
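A NAC approach evaluates the controls in the list above together each time a device connects. The sketch below is an added example, not code from USG or from any NAC product: the field names, the asset tags, the 7-day signature threshold, and the three outcomes (admit, quarantine, deny) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_SIGNATURE_AGE_DAYS = 7  # assumed threshold; the newsletter sets none

@dataclass
class Endpoint:
    """Constructed posture report; field names are hypothetical."""
    asset_tag: str
    password_ok: bool            # something you know
    token_ok: bool               # something you have
    av_signature_date: date
    patches_current: bool
    session_lock_enforced: bool
    disk_encrypted: bool
    wifi_auto_join: bool

def evaluate(ep, managed_assets, today):
    """Return (decision, findings) for one VPN connection attempt."""
    # Asset ownership and authentication are hard gates: deny outright.
    if ep.asset_tag not in managed_assets:
        return "deny", ["device is not an institution-issued asset"]
    if not (ep.password_ok and ep.token_ok):
        return "deny", ["two-factor authentication failed"]
    # Posture gaps are fixable: quarantine until IT pushes the remediation.
    findings = []
    if (today - ep.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("anti-virus signatures out of date")
    if not ep.patches_current:
        findings.append("security patches missing")
    if not ep.session_lock_enforced:
        findings.append("session lock not enforced")
    if not ep.disk_encrypted:
        findings.append("whole-disk encryption off")
    if ep.wifi_auto_join:
        findings.append("wireless auto-join enabled")
    return ("quarantine" if findings else "admit"), findings

# Constructed sample data (asset tags and dates are made up).
TODAY = date(2009, 8, 15)
MANAGED = {"USG-0001", "USG-0002"}
SAMPLES = [
    Endpoint("USG-0001", True, True, date(2009, 8, 14), True, True, True, False),
    Endpoint("USG-0002", True, True, date(2009, 7, 1), True, True, False, True),
    Endpoint("HOME-PC", True, True, date(2009, 8, 14), True, True, True, False),
    Endpoint("USG-0001", True, False, date(2009, 8, 14), True, True, True, False),
]

if __name__ == "__main__":
    for ep in SAMPLES:
        print(ep.asset_tag, *evaluate(ep, MANAGED, TODAY))
```

Separating "deny" from "quarantine" keeps an unauthenticated or unmanaged device off the network entirely, while a managed device with a fixable gap still reaches the update servers.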
MANAGEMENT RESPONSIBILITIES
Establish an enterprise telework/telecommuting policy that defines the classifications and types of functions permitted to telework/telecommute, since not all jobs lend themselves to secure telework/telecommuting. For example, it may not be feasible to allow human resources staff to telework/telecommute, given the sensitive nature of the employee information they handle on a daily basis. In some cases, legal or state policy requirements may specifically prohibit the electronic or physical removal of such material from campus or the traditional workplace environment (e.g., certain employee personnel records are to be "adequately protected and shall not leave the premises").
Establish and routinely review all telework/telecommuting agreements to ensure they are in compliance with the institution's information security and privacy policies.
Work with employees to ensure they fully understand the security ramifications and have the knowledge to comply with the security and privacy requirements, including:
a. Ensuring employees receive information security and privacy training on an annual basis.
b. Ensuring the employee has acknowledged receipt of the institution's Appropriate Use Policy, and monitoring employee usage for conformance.
c. Informing employees of their responsibility to notify the institution's Information Security Officer should a breach or loss of data occur.
Monitor and enforce employee conformance with appropriate use, and security and privacy requirements.
Develop secure methods for the protection of sensitive paper documents and other materials that contain confidential information, such as personal information.
Establish procedures for tracking the removal and return of potentially sensitive materials, when such removal is authorized.
Ensure all equipment is re-imaged or wiped to remove data when the employee leaves the organization or transfers to another program area.
Follow normal equipment disposal practices at end-of-life.
CYBER ALERT LEVELS
The Alert Indicator shows the current level of malicious cyber activity and reflects the potential for actual damage:
Green (Low): Indicates a low risk. No unusual activity exists beyond the normal concern for known hacking activities, known viruses, or other malicious activity.
Blue (Guarded): Indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Yellow (Elevated): Indicates a significant risk due to increased hacking, virus, or other activity which compromises systems or diminishes service. At this level, there are known vulnerabilities that are being exploited with a moderate level of damage or disruption, or the potential for significant damage or disruption is high.
Orange (High): Indicates a high risk of increased hacking, virus, or other malicious cyber activity which targets or compromises core infrastructure, causes multiple service outages, multiple system compromises, or compromises critical infrastructure. At this level, vulnerabilities are being exploited with a high level of damage or disruption, or the potential for severe damage or disruption is high.
Red (Severe): Indicates a severe risk of hacking, virus, or other malicious activity resulting in widespread outages and/or significantly destructive compromises to systems with no known remedy. At this level, vulnerabilities are being exploited with a severe or widespread level of damage or disruption of critical infrastructure assets.
More info at: http://www.msisac.org/alertlevel/
NETCASTS
To listen to USG Infosec netcasts on several security-related topics, go to:
http://itunes.usg.edu/
TELEWORKER RESPONSIBILITIES
Ensure the home telework/telecommuting environment is equipped for adherence to security and privacy requirements.
Report security incidents immediately to the agency's Information Security Officer.
Participate in the institution's annual information security and privacy training.
Achieve sufficient technical proficiency to implement the required security measures.
Provide a high level of security to any personal or private information (paper or electronic) accessed at the telework/telecommuting site or transported between locations. For example, do not allow family members or others to use the work-issued equipment or computer access, and secure all confidential, personal, or sensitive material in a locked file cabinet when not in use, or when visitors are present.
Comply with institution policies such as the Appropriate Use Policy and any additional requirements identified in the telework/telecommuting agreement.
Remain sensitive to individual rights to personal privacy.
Equipment and work papers should be moved from the vehicle to the alternate worksite and not be stored in the vehicle even overnight.
REFERENCES
NIST SP 800-114, User's Guide to Securing External Devices for Telework & Remote Access: http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf
NIST SP 800-53, Recommended Security Controls for Federal Systems: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
NIST SP 800-46, Security for Telecommuting and Broadband Communications: http://csrc.nist.gov/publications/nistpubs/800-46/sp800-46.pdf
GFIRST5:
The 5 Pillars of Cyber Security: Threat, Vulnerability, Attack & Detection, Mitigation, and Reflection
5th Annual GFIRST National Conference, August 23-28, 2009, Omni Hotel at CNN Center, Atlanta, GA
MORE INFORMATION...
USG Office of Information Security
Stanton S. Gatewood, Chief of Information Security 706-583-2001 or 888-875-3697 www.usg.edu/infosec