Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
Organizations allowing remote working activities should issue a policy that defines the conditions and restrictions of working away from a regular office. The following matters should be considered:
- The use of lockable filing cabinets
- Secure transportation between locations
- Remote access
- Clean desk
- Remote printing
- Information disposal
Secure communications should take the following into account:
- The need for remote access to the organization’s internal systems.
- The sensitivity of the information that will be accessed and passed over the communication link.
- The need to connect to internal systems.
- The use of remote access (such as virtual desktop access) that prevents processing and information storage on privately-owned equipment.
- The threat of unauthorized access to information or resources from others at the remote working site (i.e., family, friends, and others in a public environment).
- The use of home and public networks.
- The requirements or restrictions on the configuration of wireless network services.
- Protection against malware and firewall requirements.
- The use of multi-factor authentication mechanisms when remote access to the organization’s network is allowed.
The guidelines should also include:
- Where the use of privately owned equipment that is not under the organization's control is not allowed.
- Revocation of authority and access rights and the return of the equipment when the remote-working activities are terminated.
- Examine policy for adequacy, currency, communication, and effectiveness.
- Verify, via interviews or otherwise, that remote sites and locations, especially those not under the control of the organization, are defined and demarcated.
- Verify, via interviews or otherwise, that the policy and procedures are communicated to users.
- Examine policy and procedures for evidence of review at least annually.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.