- Review telework agreements and policies to ensure they comply with your agency’s information security policies.
- Create a clear, written data handling policy that accounts for realities of working outside a physical office (e.g., working on the laptop in view of family members).
- Enforce personal privacy requirements for records.
- Keep all policies accessible in a place where everyone knows to look for them (like Confluence or other team collaboration tool).
- Track removal and return of potentially sensitive materials, such as personnel records.
- Choose a password manager and make sure teams adopt it for secure, unique passwords across all logins.
- Enforce two-factor authentication across agency systems and employee logins.
- Provide training on use of password management and two-factor authentication (this can be a simple half-day workshop to onboard everyone to the tools and practice using them).
- Explicitly forbid the use of passwords written on sticky notes or browser auto-fill passwords for agency system logins.
- Set up a Virtual Private Network (VPN) for secure internet connection, and confirm that your employees can access it from their homes.
- Make sure the right employees can securely log in and access systems remotely (this can mean expanding access for some employees and limiting it for others).
- Consider reimbursing employees if they need to use their mobile hotspot for remote systems access.
- Information systems security training (can be provided by third-party vendor)
- Workshops for setting up and using password manager and two-factor authentication
- Training on recognizing and avoiding phishing attacks (here’s a simple quiz you can use to test employee awareness)
- Emails that ask you to confirm personal information
- Email addresses or websites that don’t look genuine
- High-intensity subject lines or messaging (e.g., "Urgent COVID Directive!")
- Don’t open attachments you don’t recognize
- Onboard to the password manager tool your team is using
- Set an example to others if your team isn’t collectively using a password manager (and perhaps offer to lead a one-hour workshop to help colleagues get set up)
- Avoid browser password autofill or writing passwords on sticky notes
- Enable remote lock-out and reset on your phone / laptop
- Require password entry on power-up and login
- Close laptop and remove CAC / PIV card when not in use
- Encrypt hard disks (and wipe disks before giving away or discarding)
- Never leave devices in the car or out of your sight
- Lock your doors when you leave the house
- Don’t use a thumb drive unless you know where it came from
- Comply with organizational policies and with any additional requirements spelled out in your telework agreement.
- Use only your agency services and tools for email, file sharing, and other work activities -- not your personal accounts.
- Avoid unsecured WiFi in public places when working on sensitive information (mobile phone hotspot is also not entirely secure). Use agency VPN for secure connection.
- Keep software and systems up-to-date -- the latest version carries the most recent security fixes. This includes:
  - Cell phone operating system
  - Web browser
  - Laptop / computer operating system
  - Web tools and apps (video conferencing, etc.)

- Security & IT (U.S. Office of Personnel Management)
- Telework Security Basics (NIST)
- Enterprise VPN Security (U.S. Department of Homeland Security)
- Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions (NIST)
- Cyber-Safety for Mobile Workers (British Columbia Office of the Chief Information Officer)
- Cybersecurity Recommendations for critical infrastructure using videoconferencing (CISA)
- Why you should use a password manager, and how to get started (How To Geek)
- 5 ways to spot a phishing email (National Cybersecurity Alliance)
- Selecting and Safely Using Collaboration Services for Telework (National Security Agency)
- Zoom security fixes and Zoom bombing (John O'Duinn)