Republished with permission from WatchGuard Technologies, Inc.
Fredrick M. Avolio
The Easy Stuff
We should make sure we have responses—both procedural and mechanical—to each of these. The solutions suggested in Part 1 must be required. That’s the easy part. The following is also fairly easy.
1. Have a policy that says the IT staff will regularly get their hands on any remote PCs. They will check all software, especially any related to security and/or regulated by policy. They will also back up the disks. For road warriors whose permanent base is the office, these checks will be easier to implement. For the occasional visitor, they may take more effort to orchestrate. It’s worth the effort.
2. Remote users must have anti-virus (AV) software properly installed on every computer used for business. This might mean providing—gratis—the same AV software for home computers that we provide in the office. Along with this, we provide an explanation of how to update AV software on the remote systems over the Internet or from a connection to the office. We might choose to put it on a Web page, e-mail the update procedure and tell them to "click here," or physically mail out floppies or a CD monthly. Sending periodic notices helps remind users to keep their AV defenses current.
3. Remote disks must be backed up. We provide the software, the media, and the reminding. We might also provide a means to do it easily via a Web interface.
4. Allow only encrypted remote connections to the enterprise network, such as those provided by Watchguard Mobile User VPN. At no time will we allow reusable passwords to flow unprotected outside of our network. This is easy since we control the access points (unless we allow modems on desktop computers).
The Hard Stuff
1. Corporate computers are provided for corporate business only. We know that people will use them to shop on the Internet and to send e-mail to Aunt Ida and Uncle Pete, but we don’t want them running a second business from it, nor do we want it to be used as the household Internet machine. Why? Fewer hands touching the computer mean fewer things to worry about.
2. Do not use remote back-up services. While we want users to back up their computers, we do not want confidential data in the hands of a third party, and passed on unencrypted channels. We should inform users of the dangers and provide easier and more secure ways for them to safely back up their data.
3. Sensitive internal e-mail should remain within the organization’s e-mail servers and computers. Where exceptions are made to this rule and people are allowed to access work e-mail from home or the road, we need to make the process for doing so clear and easy. Sensitive data should never be forwarded to outside, personal e-mail accounts (unless it is always encrypted. This is difficult, but not impossible, to require and mechanically enforce).
4. Avoid remote connection via kiosks. Remote logins from home or hotel room are almost always less risky than reading e-mail from a kiosk on a conference show floor. At a kiosk, is the user really using Netscape Communicator or Internet Explorer? It could be a reasonable facsimile that captures data and passwords. After the user finishes, will he or she remember to remove passwords and user names? Will he delete the e-mail he downloaded? Since the answer to these questions is usually "No," never allow remote reading of e-mail from such locations.