Teleworking and just working may be starting to overlap — at least from the point of view of the government’s information technology and IT security shops.
The government, mainly through the General Services Administration and the Office of Personnel Management, still is promoting official telework arrangements and pushing agencies to increase the number of employees who work from home or a federal center a day or more a week. But for CIOs and chief information security officers, the issue is really about supporting employees wherever they are.
Employees simply want access to data to do their jobs, says Justice Department CISO Dennis Heretick. “It’s our job to make it possible for them to do their jobs outside the office just as they do inside the office — just as responsively and just as securely.”
On a survey this summer, 63 percent of the 35 federal CISOs interviewed told the Telework Exchange that data security on mobile systems is their number 1 priority.
Here are some pointers:
Think long and hard before letting employees use their own computers to telework.
The Securities and Exchange Commission wrestles with this problem. It is letting its workers do so. SEC employees are mainly professionals who come to government from organizations such as law and accounting firms and whose backgrounds tend to focus on keeping a great deal of data secure from prying eyes, notes CISO Joseph Gerrity.
But does that mean it’s the best option security-wise? He sees the wisdom in Justice’s ban on employees using any nongovernment system for work — on or off Justice premises. But some agencies will have a hard time getting funding for equipment. One option, Gerrity suggests, is to extend licenses for security tools, such as intrusion detection systems and firewalls, to cover employees’ own systems.
Training cannot be a secondary item — especially if you plan to use telework as part of your continuity of operations strategy.
Training dollars are often the first to be reprogrammed or cut when budgets are tight. But Pamela Budda, work/life program manager at the Labor Department, warns against that if an agency wants to have employees work from home in the event of a disaster. “People who have never teleworked won’t be prepared to do so,” she points out.
As the Labor telework coordinator, she participated in the planning the department has done for sustaining operations during a pandemic, and that included extensive tests of telework networks over the past year. The tests found that little things count a lot. For instance, when teleworking, “the lack of familiar shortcuts hampers access,” she says.
From a security perspective, agencies need a new mindset that looks at all employees as potential teleworkers.
That’s the point of view of Michael Castagna, CISO for the Commerce Department. He notes that at any given moment, employees may be unofficially teleworking — at airports, hotels and home on the weekend — just to keep up with today’s frenetic pace. Are all of them “official teleworkers?” Probably not. But are they teleworking? Probably.
Because of the mobile nature of employees generally, agencies need to augment perimeter security strategies with an end-point security model, Castagna says. That means standardizing the approach to data encryption, configuration management and patch management. Host-based intrusion prevention and host-based firewalls are paramount when the perimeter extends beyond the physical building or agency campus.
Parity doesn’t mean making sure everyone teleworks.
The government has set the bar at offering telework to all eligible employees. But what constitutes eligible, and how do agencies ensure fair practices?
“It doesn’t make sense to offer the same thing to everybody. But you do have to offer something to everybody,” says Gil Gordon, a telework consultant. There are jobs that can’t be done anywhere but on agency premises — running the printing systems at the Mint, for instance.
Agencies need to think in the context of the entire work environment, Gordon says. There are alternative schedules and other options to make the environment more flexible for employees whose jobs demand that they work at the agency.