Lock up those laptops
US government CIOs struggle with an issue that troubles companies the world over.
By Tim Greene, Network World (US) | Techworld | Published: 11:00, 19 October 2007
Despite official urging, telecommuting within federal agencies is languishing, in part because standards for how to secure mobile endpoints don't exist, mainly the laptops telecommuters would use when outside the office.
Federal CISOs, who are aware of data breaches in both the public and private sectors that have compromised personal information of thousands of people, say that security of laptops - the key to most telecommuter programs - is their biggest worry.
At the same time, government managers face existing federal laws dating back to 2000 that mandate telework programs. In addition, new pressure is being applied for them to encourage more government workers into telecommuting programs as an attempt to dramatically boost the number of work-at-home employees.
Some government CISOs say the best course of action is to follow best practices set down by the National Institute of Standards and Technology (NIST) - the closest thing to certification available.
NIST recommendations include basics such as installing, running and updating anti-virus software; periodically scanning machines with spyware-removal software; and adopting a "paranoia level" of security awareness when writing personal firewall rules.
NIST also encourages encrypting data on laptops and as it is transmitted and the ability to remotely lock down laptops reported lost or stolen - good advice but not as formal as top federal network security executives want.
The General Services Administration (GSA) - which has championed telecommuting for years - has set a high bar for its own programme. At a recent forum run by the industry group Telework Exchange, GSA administrator Lurita Doan called for a dramatic leap in telecommuting for her agency by the end of 2009.
With just 10 percent telecommuting today, she set goals of 20 percent to be telecommuting by the year-end, and 40 percent by the end of 2009. According to published GSA estimates, just 4 percent of federal workers telecommute today.
The US Office of Personnel Management breaks that down further, saying that of those who telecommute, only a quarter of them do so three or more days per week, and 39 percent do so less than once a week but at least once a month.
While other factors weigh into the slow adoption rate, a recent survey of federal CISOs found that 63 percent say securing mobile devices used at home is their top data-security priority, but they have no way to know that their precautions are adequate.
The overriding problem federal CISOs face is that there is no official certification of mobile devices that assures them that laptops they issue comply with the Federal Information Security Management Act (FISMA), which contains the blueprint for all federal telecommuting.