HRS-04: Remote and Home Working Policy and Procedures

Control Family:

Human Resources

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.

Implementation Guidance

Organizations allowing remote working activities should issue a policy that defines the conditions and restrictions of working away from a regular office. The following matters should be considered:

  1. The use of lockable filing cabinets
  2. Secure transportation between locations
  3. Remote access
  4. Clean desk
  5. Remote printing
  6. Information disposal

Secure communications should take the following into account:

  1. The need for remote access to the organization’s internal systems.
  2. The sensitivity of the information that will be accessed and passed over the communication link.
  3. The need to connect to internal systems.
  4. The use of remote access (such as virtual desktop access) that prevents processing and information storage on privately-owned equipment.
  5. The threat of unauthorized access to information or resources from others at the remote working site (i.e., family, friends, and others in a public environment).
  6. The use of home and public networks.
  7. The requirements or restrictions on the configuration of wireless network services.
  8. Protection against malware and firewall requirements.
  9. The use of multi-factor authentication mechanisms when remote access to the organization’s network is allowed.

The guidelines should also include:

  1. The circumstances in which the use of privately owned equipment not under organizational control is not allowed.
  2. Revocation of authority and access rights, and the return of equipment, when the remote-working activities are terminated.

Auditing Guidance

  1. Examine the policy for adequacy, currency, communication, and effectiveness.
  2. Verify, via interviews or otherwise, that remote sites and locations, especially those not under the control of the organization, are defined and demarcated.
  3. Verify, via interviews or otherwise, that the policy and procedures are communicated to users.
  4. Examine the policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.