Justice says no to private PCs for telework
Because of security concerns, the Justice Department now forbids all employees from using their private PCs or digital assistants to access agency e-mail or other files, the department's top information security officer has said.
Previously, some Justice Department employees had been allowed to use their private personal computers for e-mailing, said Dennis Heretick, the Justice Departments chief information security officer. Instead, the agency wants employees who telework or work at remote locations to use government-issued laptops, docking stations or Blackberries.
Unlike employees' personal devices, Justice can ensure that government-issued systems are fully encrypted and monitored.
My very strong recommendation is not to allow people to use home computers to telecommute unless you dont care about the security of the information theyre working with, said Heretick, speaking at the 2007 Telework Exchange Town Hall Meeting on Sept. 12.
PCs computers, especially those shared by family members, are susceptible to eavesdroppers who want to view and access information stored and created on the workstation.
I just could not find a way to secure home computers, Heretick said. Our employees are worth it to give them either a docking station or the means to work from home.
In a recent survey by the Telework Exchange, 83 percent of 35 chief information security officers said laptop use in their agencies had increased over the past year. The exchange is a for-profit telework advocacy group that sponsored the event. However, just 17 percent of the CISOs surveyed said laptops represent 50 percent of their agency's PCs.
Meanwhile, budget constraints have slowed the movement from desktops to laptops, according to observers. Federal information technology, human resource and security managers have been working to balance security concerns and the costs of new mobile equipment with increasing pressure from lawmakers and telework advocates to increase the number of employees who regularly work remotely. Agencies are in charge of setting their own policies on whether employees are allowed to work from home computers or on other personal hardware.
Heretick also said that the ability to work remote from remote locations is crucial to the agency's mission and that IT security policy should be seen from that perspective.
Its important not to try to let your IT shop or the business managers that direct the IT shop to cheap out on the teleworkers by not giving them the right tools to do this job, Heretick said.
Over the past year and a half, highly publicized incidents have shown the challenges that mobile data poses to efforts to secure personally identifiable information. Even when data is stored on government-issued devices, as in the case of the lost Veterans Affairs Department's laptop, a careless employee or the failure to properly report an incident immediately can compromise data security.
One slip by a careless or untrained employee can compromise an entire agency's efforts, said Michael Castagna, the Commerce Department's chief information security officer, who spoke on the same panel as Heretick.
The bottom line on all this technology is that it comes down to two things the security of the endpoint and the training of the individual, he said. If you have an insecure endpoint all bets are off.
Ben Bain is a reporter for Federal Computer Week.