Leverage what’s already been done. Agencies can get a headstart on any remote security policy by looking to the Federal Desktop Core Configuration security settings and the National Institute of Standards and Technology’s Guide to Enterprise Telework and Remote Access for Security.
Look to others for help. Security officials at other agencies — especially those that are experiencing success — are usually more than willing to share with colleagues facing similar issues.
Get top cover. It’s critical in any new security or mobile venture to gain the support of both management and employee unions and convince them of the value of your plan.
Communicate, communicate, communicate. Putting in place tough effective security policies might mean taking away some long-held worker privileges. To make sure employees keep their focus on the whys of those security steps, Vaughn Noga, chief information security officer at the Environmental Protection Agency, suggests that security officials communicate often and in many different forms, such as on fliers posted around the office and through e-mail, web-based training and in-person reminders.
Make training mandatory and frequent. The remote employee is the first line of defense in any security effort, says Patent and Trademark Office CISO Rod Turk. “It’s important that they fully understand their responsibilities, how to use a remote computer and how to protect their data and themselves from common security vulnerabilities.”