Security is telework's weakest link

Lawmakers and federal officials focus on raising teleworkers' security awareness

Increased security training has gained new importance as lawmakers and telework advocates prepare to push legislation this fall to expand federal telework programs.

A lack of data security training tops the list of the most serious security threats caused by employees who work from home, according to a recent survey of 35 chief information security officers. The Telework Exchange, a for-profit group that promotes the expansion of federal teleworking, conducted the survey with support from Hewlett-Packard.

'Any time that sensitive data is used remotely, there is a concern that users may fail to protect it properly,' said Patrick Howard, CISO at the Housing and Urban Development Department. Howard was not among the CISOs polled.

'Part of my job is to make sure teleworkers know that the need for them to employ good security practices is heightened when they telework and access sensitive data remotely,' Howard said.

Legislation in the House and Senate to expand federal telework would require agencies to incorporate training, including security practices, into their new-employee orientation programs. The House measure, which lawmakers approved Aug. 4 as part of an energy-efficiency bill, would require all federal managers and new teleworkers to receive such training.

Unlike the Senate measure, which would include judicial and legislative branch employees, the House bill would apply only to executive branch workers.

No uniform requirement for telework training exists. The Office of Personnel Management and the General Services Administration run www.telework.gov, where federal employees and managers can enroll in courses and receive guidance on telework. Agencies are using expanded training for employees and managers as a primary tool for overcoming barriers to telework, OPM officials say.

Sponsors of the telework legislation also say telework and related security training cannot be ignored. 'The success of telework policies, like any workplace policy, will depend heavily on the training of managers and employees,' said Rep. John Sarbanes (D-Md.), a sponsor of the House measure. 'My amendment requires that each agency develop a plan for telework training as part of its overall telework policy, which will be assessed annually by the Government Accountability Office.'

Under the House and Senate measures, agencies would offer their own training programs, but both bills would transfer much of the oversight of telework policies from OPM to GAO.

In the Telework Exchange survey, 94 percent of CISOs said they do not think official telework programs, which often require some employee and manager training, pose a data security threat. However, they did say that unsanctioned telework is risky.

Howard said official telework programs can also be risky if employees are unaware of security risks. Earlier this year, an approved teleworker at the Transportation Department inadvertently shared government files while working on a home computer on which her teenage daughter had downloaded peer-to-peer file-sharing software.

As part of a strategy to prevent future incidents, DOT is developing a telework-specific security course that will focus on the risks of using home PCs, Daniel Mintz, the department's chief information officer, said in congressional testimony in July.

Calls for expanded telework training have increased as agencies face pressure from White House officials to improve their disaster preparedness and continuity-of-operations plans. OPM officials have urged agencies to integrate telework into their COOP plans, but only 35 percent of federal agencies have done so, according to a recent OPM report to Congress.

About the Author

Ben Bain is a reporter for Federal Computer Week.
