[ISN] Justice says no to private PCs for telework

From: InfoSec News (alerts@private)
Date: Thu Sep 13 2007 - 23:18:55 PDT


By Ben Bain
Sept. 13, 2007

Because of security concerns, the Justice Department now forbids all 
employees from using their private PCs or digital assistants to access 
agency e-mail or other files, the department's top information security 
officer has said.

Previously, some Justice Department employees had been allowed to use 
their private personal computers for e-mailing, said Dennis Heretick, 
the Justice Department's chief information security officer. Instead, the 
agency wants employees who telework or work at remote locations to use 
government-issued laptops, docking stations or Blackberries.

Justice can ensure that government-issued systems, unlike employees' 
personal devices, are fully encrypted and monitored.

"My very strong recommendation is not to allow people to use home 
computers to telecommute unless you don't care about the security of the 
information they're working with," said Heretick, speaking at the 2007 
Telework Exchange Town Hall Meeting on Sept. 12.

PCs, especially those shared by family members, are 
susceptible to eavesdroppers who want to view and access information 
stored and created on the workstation.

"I just could not find a way to secure home computers," Heretick said. 
"Our employees are worth it to give them either a docking station or the 
means to work from home."

In a recent survey by the Telework Exchange, 83 percent of 35 chief 
information security officers said laptop use in their agencies had 
increased over the past year. The exchange is a for-profit telework 
advocacy group that sponsored the event. However, just 17 percent of the 
CISOs surveyed said laptops represent 50 percent of their agency's PCs.

Meanwhile, budget constraints have slowed the movement from desktops to 
laptops, according to observers. Federal information technology, human 
resource and security managers have been working to balance security 
concerns and the costs of new mobile equipment with increasing pressure 
from lawmakers and telework advocates to increase the number of 
employees who regularly work remotely. Agencies are in charge of setting 
their own policies on whether employees are allowed to work from home 
computers or on other personal hardware.

Heretick also said that the ability to work from remote locations 
is crucial to the agency's mission and that IT security policy should be 
seen from that perspective.

"It's important not to try to let your IT shop or the business managers 
that direct the IT shop to cheap out on the teleworkers by not giving 
them the right tools to do this job," Heretick said.

Over the past year and a half, highly publicized incidents have shown 
the challenges that mobile data poses to efforts to secure personally 
identifiable information. Even when data is stored on government-issued 
devices, as in the case of the lost Veterans Affairs Department's 
laptop, a careless employee or the failure to properly report an 
incident immediately can compromise data security.

One slip by a careless or untrained employee can compromise an entire 
agency's efforts, said Michael Castagna, the Commerce Department's chief 
information security officer, who spoke on the same panel as Heretick.

"The bottom line on all this technology is that it comes down to two 
things: the security of the endpoint and the training of the individual," 
he said. "If you have an insecure endpoint, all bets are off."
