Remote users are the weakest VPN link
Published: 23 Jul 2002 13:13 BST
Considering policy issues
The first thing you must do to get a handle on this new work environment is to come up with a policy that covers all remote workers and doesn't allow for any exceptions. That latter requirement doesn't mean there can't be subcategories of workers, or special guidelines based on categories of tasks; there can, and often should, be.
Let me clarify this. There is a big difference between securing a system for a telecommuter who merely answers some e-mails during occasional home working sessions, a part- or full-time telecommuter with critical corporate responsibilities, and an executive or technical expert who routinely carries around a laptop with a load of confidential corporate data.
These three categories would obviously require different rules regarding security and other issues, but they should fall under a general superset of rules that apply to everyone.
The general remote worker policy that applies to all workers can simply be an extension or modification of your existing network user rules, covering such things as not sharing details about the system with others, not modifying spreadsheet formulas or macros without authorisation, not sharing passwords, not opening unsolicited e-mail attachments, not visiting pornographic sites, not responding to spam, making regular backups, and so on.
Just take your existing computer usage policy and make some intelligent alterations and deletions that recognise the different situation faced by remote workers. This part should be simple if you already have a good computer usage policy; if you don't, this is a good time to develop one. Then, you can work from it when creating your remote worker usage policy.
Policy recommendations
I suggest defining two major categories of users for the remote worker policy: what I call full-use or full-access telecommuters and casual telecommuters. Road warriors will need some additional rules specific to them but will fall into one or the other of the two main categories.
These groups can be defined technologically. For example, does the person have a VPN link to the office network (full access), or does the person simply perform independent research and file reports, holding no passwords and having no way to connect directly to the office network (casual user)? You can also group people into categories based on the kind of data they deal with, in other words how confidential or critical that data is.
Large organisations with many telecommuters doing very different things will need more categories, probably taking the two technical groupings and adding subcategories for each depending on the kind of data handled by the employees.