The IT Law Wiki

Definition

A telework client device is "[a] PC or consumer device used by a teleworker for performing telework."[1]

Security

There are many threats to telework client devices, including malware and device loss or theft. Generally, telework client devices should include all the local security controls used in the organization’s secure configuration baseline[2] for its non-telework client devices.

Examples are applying operating system and application updates promptly, disabling unneeded services, and using anti-malware software and a personal firewall. However, because telework devices are generally at greater risk in external environments than in enterprise environments, additional security controls are recommended, such as encrypting sensitive data stored on the devices, and existing security controls may need to be adjusted. For example, if a personal firewall on a telework client device has a single policy for all environments, then it is likely to be too restrictive in some situations and not restrictive enough in others. Whenever possible, organizations should use personal firewalls capable of supporting multiple policies for their telework client devices and configure the firewalls properly for the enterprise environment and an external environment, at a minimum.
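The multiple-policy firewall configuration described above, as an added example that is not part of the original wiki text or the NIST guide. It assumes Windows Defender Firewall is the personal firewall, treats the Private profile as an external environment, and uses a constructed management subnet and a hypothetical rule name.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumption: Windows Defender Firewall is the device's personal firewall.

# Enterprise environment: the Domain profile applies when the device can
# authenticate to the organization's domain. Unsolicited inbound traffic is
# blocked by default, but explicit allow rules are honoured.
Set-NetFirewallProfile -Profile Domain `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowInboundRules True `
    -LogBlocked True

# External environments: Public (hotel, cafe) and, by assumption here,
# Private (home network). Inbound allow rules are ignored entirely, so a
# rule needed in the office cannot expose a service outside it.
Set-NetFirewallProfile -Profile Public,Private `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowInboundRules False `
    -LogBlocked True

# A rule that exists only in the enterprise policy: remote administration
# from a management subnet. The subnet is a constructed placeholder and the
# display name is hypothetical.
$mgmtSubnet = '10.20.30.0/24'
New-NetFirewallRule -DisplayName 'Example - RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet `
    -Profile Domain `
    -Action Allow

# Verify each policy, then check which profile each active network uses.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules, LogBlocked
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory
```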

Organizations should ensure that all types of telework client devices are secured, including PCs, cell phones, and PDAs. For PCs, this includes physical security (for example, using cable locks to deter theft). For devices other than PCs, security capabilities and the appropriate security actions vary widely by device type and specific product, so organizations should give the device administrators and users responsible for securing telework consumer devices guidance on how to secure them.

References

  1. NIST, Guide to Enterprise Telework and Remote Access Security, at A-1 (NIST Special Publication 800-46) (June 2009) (full-text).
  2. The National Checklist Repository (http://checklists.nist.gov/) is a source of security configuration baseline information.