Worry Over Telework Security
By Allan Holmes | Thursday, September 13, 2007 | 12:57 PM
By Allan Holmes | Thursday, September 13, 2007 | 12:57 PM
Yesterday, Lurita Doan, head of the General Services Administration, announced an ambitious plan to have half of the agency's eligible workforce teleworking by 2010. Yes, the ambitious part may be convincing more GSA employees to telework. (Only 10 percent of those eligible do so now.) The ambitious part also may be overcoming managers’ fear that employees will goof off and be less productive (although many studies indicate employees are more productive).
The most ambitious part of the effort may very well be the hazard involved – the risk of information security. Near the end of the Government Executive article on Doan’s announcement was this paragraph:
Later, Joseph Hungate, the chief financial officer and former chief information officer for the Treasury Department's inspector general for tax administration, told the audience that the top risk with telework is not "some technology" but "someone." In other words, the greatest danger is staff not following security policy.
Many news organizations last month reported on the fact that security wasn’t a big concern among federal security managers, according to a study. The Telework Exchange, an advocacy group that sponsored the telework symposium, released a study in August that concluded that “94 percent of federal chief information security officers [CISOs] do not consider official telework programs a security threat.” (The study was funded by computer manufacturer and federal supplier HP.)
Still, CIOs like Hungate and CISOs are reluctant to embrace telework because few agencies (and corporations, for that matter) invest in the technology, including information security hardware and processes, needed to make telework digitally safe. In a blog item on telework posted in July for CSO Magazine, Dan Lohrmann, citing the GSA report with the title “Telework Technology Cost Study,” writes:
One big take-away from this study is that to save money with telework, we require “real” initial investment. This may seem obvious, but I’ve lost count of the number of times that business areas have pushed for telework programs with a $0 budget.
Basically, they wanted employees to use home PCs. That was it. No laptops, no home network checks for security, nothing.
Of course I just said no – and tried to explain the risks and the laws we need to enforce. But again, that makes security the Party Poopers. Not good. We generally end up with the same slower approach that the feds have used, because no one wants to make big upfront investments.
All this still leaves the fear that employees inadvertently will leave sensitive information exposed while teleworking. As has been posted in Tech Insider before, creating effective security policies and then providing the necessary training on those policies is seriously lacking in agencies and, as Hungate points out, likely is holding back many government managers from embracing telework more.
For those supporting telework, the wait to see more agencies embracing it may be a long one. In its annual Global Information Security Survey, released just this week, CIO Magazine reports that 61 percent of public-sector organizations do not require employees to complete training on the organization's privacy policies and practices.
That’s more than 50 percent, as in 50 percent of eligible employees teleworking by 2010.
Comments
I beleive that if the managers would allow the employees who work mostly on spread sheets and almost all the work is on the conputer they should be allowed to work from home. Most already have a laptop to use.
This would eliminate a lot of stress on the employees caused by the long commute and the traffic problems.
We are being told that the GS7's are not allowed to work at home due to the grade. Is that true or is it just our area. I beleive that many employees who have worked for the government for many years would be more productive if allowed to work at home.
They could work before normal work hours, and even after normal work hours, this would eliminate a lot of overtime if the work was required to be done that day or week.
I am with the IRS and most of us are not allowed to work at home.
There will always be required touch labor in all business functions who will need to continue commuting to work. There would need to be accountability for employee activities for telework. Additional computer/network security risks do exist. Government furnished equipment would be a nightmare to support, inventory and push security/anti-virus updates from an IT perspective. An employee's workstation who has access to the network is the highest network security risks.
Anonymous | Monday, September 17, 2007 | 06:50 AMI teleworked a LOT back in the 80's. The key is having a "dumb" terminal at home, or wherever, connected into a mainframe at work. ALL info is stored at work and protected and commands are given to work with a particular piece of data. There are no PC's or laptops involved. A laptop, however, could be made "dumb" and only communicate with the mainframe and have almost no data stored at all. When powered off all data in the dumb terminal would be lost. No permanent storage was allowed at home, nor was it needed. It's quite simple, really.
kmp | Sunday, September 16, 2007 | 01:47 AMABOUT THIS BLOG
Allan Holmes on what's happening and what's being discussed in the world of federal information technology.
feed