The State of California has had a formal government-wide telework guidance document in place since 2003. While it encouraged the work arrangement and addressed key managerial questions, the document did not include specific guidance on more technical concerns. That changed recently when the state's Office of the Chief Information Officer (OCIO) issued a government-wide policy defining telework and remote access security standards.
All agencies must comply with the security policy or submit a detailed plan and a timeline for meeting the new standards by July 1, 2010.
"We found that agencies were moving off in different directions and doing different things in terms of how they were securing their teleworkers," explains Mark Weatherford, California's Chief Information Security Officer (CISO). "So the vision was that we needed to corral the herd, so to speak, and make sure that everybody was thinking along the same lines."
The new telework security policy, among other things, requires agencies to do the following:
- Use an encrypted link and two-factor authentication for connections between a remote worker's computer and the state network
- Implement, maintain, and regularly update anti-virus, anti-spyware, firewall, and host intrusion prevention software
- Provide all teleworkers with a government-owned computing device and bar employees (unless an exception is granted) from accessing the state network with a personally-owned computer or computing device
- Limit each teleworker's access to only those network and information resources needed to perform their jobs
- Train teleworkers about their personal security responsibilities; security risks; procedures for disclosing a security breach; how to protect remote access-specific authenticators, such as passwords and hardware tokens; and procedures on handling and backing up government information while working remotely
California is only the third state to create an enterprise-wide telework security policy, following Arizona and Virginia. In conjunction with the new security policy, California's Department of General Services worked with the OCIO to issue an updated telework procedure and policy guide that agencies can adapt for their own programs. The document provides sample forms and checklists, a glossary, state telework resources, and step-by-step guidance on implementing telework, determining which jobs are appropriate for telework, managing telework, and ending participation.
Weatherford says that the new telework security policy will not only effectively safeguard the state's information assets from unintended breaches and data corruption but will also save public money.
"As we identify the specific security controls that we want to standardize on, we can begin procuring those products and negotiate better pricing," Weatherford says. "So there might be twenty different solutions out there for remote access, but if we standardize on, say, three of them, we can save money on the training of our IT staff and in the ability for that staff to respond to problems and maintain the solutions because we have reduced the variety of products and discrepancies the staff has to support."
Weatherford says that telework has been gaining momentum in recent years among California agencies, and he believes that the new security policy will encourage increased participation.
"I can't tell you how many times I've gotten calls from agency officials who say, 'We want to implement telework, but we have absolutely no idea what we should be looking at from the security side,'" he notes. "So now, we've answered that question for them, we've given them a roadmap on how to secure their remote access setup. And, as a result, I think agencies are going to feel a lot more comfortable moving in this direction."
For more information on the California telework security policy, visit: www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66A.pdf.