Secure the Work Environment
IT Administrators interested in securing the work environment for distributed staff can refer to the recommendations and guidelines on this page.
IT Administrator requirements
State of CA IT Administrators will provide numerous services to the organization and its teleworking employees, ranging from security to asset management. Software and hardware maintenance is also at the forefront of the ongoing effort to stay ahead of the curve in protecting all aspects of the telework environment. Security controls such as logging, auditing, encryption, Role-Based Access Control, monitoring, and periodic review of all these controls should be planned when considering a telework environment for employees. Intrusion detection and intrusion prevention mechanisms, such as anti-virus software and firewalls, enhance the security of the environment and should not be neglected.
Sections 5.1 to 5.4 of SIMM 5360-A provide more information on IT Administrator considerations.
Validating control requirements
Some level of control requirements is needed when a teleworking solution is implemented. Audit logging and event monitoring of teleworking sessions are important when it comes to protecting the teleworking environment, its users, and ultimately the agency’s integrity.
Section 5.4 of SIMM 5360-A provides more information on controls requirements.
Bring Your Own Device (BYOD)
Each Agency is responsible for establishing policies for the use of personal devices on its networks. However, Agencies are highly encouraged to refrain from allowing the use of personal devices on their networks and to plan accordingly to supply staff with state-owned and managed devices. If an Agency decides to allow the use of personal devices, it is highly recommended to use automated network security compliance tools to enforce security compliance for personal devices. Personal device compliance controls should match the security compliance controls applied to similar state-owned devices. Staff should be informed of these requirements, made aware of the level of control the Agency may have over their personal device, and complete an agreement with their Agency/department.
Section 7.1 of SIMM 5360-A provides more information on Bring Your Own Device requirements.
Endpoint Protection
To counter the increasingly sophisticated threats to state data and networks, agencies must ensure that they abide by SIMM 5355-A and have all required capabilities. If an agency has an existing platform that only partially covers the capabilities listed in SIMM 5355-A, the agency is required to seek out an additional or replacement technology to ensure that any associated gaps are addressed.
SIMM 5355-A provides more information on Endpoint Protection.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is required before personnel may remotely access confidential information systems and information. O365 MFA is recommended via the MS Authenticator app, SMS text message, or phone call.
Section 5.3 of SIMM 5360-A provides more information on MFA.
Tunneling architecture
Tunneling architecture involves the use of Virtual Private Network (VPN) technologies that create a secure mode of communication between the client and the agency’s network, allowing users to access internal resources securely. In this scenario, an employee initiates a VPN connection from an agency-managed device using preinstalled and preconfigured VPN client software. Once the tunnel has been established, resources within the agency’s internal network are accessible.
For smaller agencies, software-based VPN solutions may be adequate. Larger agencies may consider hardware-based VPN solutions.
Section 2.2.1 of NIST SP 800-46r2 provides more information on tunneling architecture.
Portal architecture
The second remote work technology worth considering is Portal Applications. The idea behind Portal Applications is that all applications an employee needs are accessible through a single portal via a web browser. Whereas data and applications are distributed in VPN technology, in Portal Applications they are centralized at the portal servers hosted by the agency. To connect using a Portal Application for telework, employees navigate to the portal via their browser. The data and services presented to employees are merely screen refreshes of the applications hosted on the agency’s network. Another great advantage of Portal Applications is that the client devices need not be agency-owned. If approved and authorized, an employee can use their own personal device to access agency resources.
Section 2.2.2 of NIST SP 800-46r2 provides more information on portal architecture.
Direct Applications Access
Working remotely can be accomplished without the need for remote access technologies. Applications that users need as part of their remote work can be accessed directly over the internet. The applications will provide encryption, application authentication and roles, logging, and other security mechanisms to protect the data being served.
Direct Applications Access ranges from Software-as-a-Service (SaaS) to on-premises applications. Examples of SaaS Direct Applications Access include O365 services such as email, SharePoint, OneDrive, etc. If an agency wishes to expose Direct Applications Access from an on-premises environment, all aspects of security must be taken into consideration. This includes using proxy appliances in the Demilitarized Zone (DMZ) to provide an additional security buffer, a firewall that can decrypt traffic for inspection, a Security Information and Event Management (SIEM) product to monitor and alert the organization’s security experts, etc.
Section 2.2.4 of NIST SP 800-46r2 provides more information on Direct Application Access.
Remote work technology options
Many remote work technology options exist in the market. State of CA entities must weigh the risk and take into consideration confidentiality, integrity and availability of the system when determining which solution best fits their needs. This section provides some of the most common remote work technologies used in the market today.
Restriction on telework hardware and remote access level
Agencies have multiple telework technologies and solutions at their disposal; however, not all solutions are suitable. Each Agency must weigh the risks and choose the right combination of telework solutions, devices, security controls, etc. for each access type. The following table depicts a few typical scenarios for the mode of telework in conjunction with the systems users are accessing. State-Owned Equipment or Government-Furnished Equipment (GFE), for instance, is recommended as the access device since agencies have more control over the security of those devices.
Section 5.1.2 of NIST SP 800-46r2 provides more information on remote access restrictions.
Data Loss Prevention (DLP) policy and recommendations
- Classify and categorize your data. This will help your department prioritize data, as not all data is equal in criticality. Identify which data will cause the biggest risk and impact to the department if lost or stolen and allocate resources appropriately.
- Ensure that you can identify where your data is located.
- Understand when your data is at risk. Ensure that all data is encrypted when in-transit and at-rest.
- Monitor your network for anomalous read, write, modify, and delete behavior on your file systems.
- Ensure that the principle of least privilege is implemented in your department. Do not over-provision user permissions for the sake of ease. Staff should only be provisioned access to files and locations that are mandated for their jobs and listed in their duty statements.
- Set up a device control policy and system. Prevent unauthorized and/or unapproved storage devices from connecting to your network and State-issued devices. Implementing triggers can help notify your security staff when an unauthorized device has been plugged into your network.
- Train employees and staff about secure data handling. User training can often mitigate the risk of accidental data loss by insiders. Emphasize the importance of sanitizing and redacting all sensitive and confidential information before public distribution of a file or system.
- Consider restricting the ability to save files to a local device, and enforce cloud solutions for file use and sharing. Cloud solutions can help provide automated oversight and management of your department’s data and can provide more robust data governance controls. Consider a Cloud Access Security Broker (CASB) solution to streamline this process.
- Prevent file downloads on non-State issued devices.
- Consider investing in a Data Loss Prevention system to help streamline identifying, categorizing, reporting on, and protecting your data. Ensure a data retention policy is established and implemented to mitigate excessive data loss in the event of an incident.
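Two of the recommendations above (monitoring file systems for anomalous read/write/modify/delete behavior, and a device control trigger for unapproved storage devices) can be illustrated with simple detection logic. The following is an added example written for this page, not code from SIMM 5360-A, NIST SP 800-46r2 or any DLP product: the log format, field names, device serial numbers, window size and threshold are all assumptions, and the sample events are constructed.

```python
"""Detection logic over constructed audit logs for two DLP recommendations:
bursts of delete/modify activity on file shares, and removable-storage
connections from devices that are not on the approved list.

Added example; the log format, field names, serial numbers and thresholds
are assumptions and do not come from SIMM 5360-A or any specific product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real agency data). Each line is:
#   <ISO timestamp> <event kind> key=value ...
SAMPLE_LOG = """\
2024-03-04T09:00:12Z file user=jdoe op=read path=/shares/finance/q1.xlsx
2024-03-04T09:00:40Z file user=jdoe op=modify path=/shares/finance/q1.xlsx
2024-03-04T09:01:05Z file user=asmith op=delete path=/shares/hr/a.docx
2024-03-04T09:01:06Z file user=asmith op=delete path=/shares/hr/b.docx
2024-03-04T09:01:10Z file user=asmith op=delete path=/shares/hr/c.docx
2024-03-04T09:01:15Z file user=asmith op=delete path=/shares/hr/d.docx
2024-03-04T09:01:20Z file user=asmith op=delete path=/shares/hr/e.docx
2024-03-04T09:01:31Z file user=asmith op=delete path=/shares/hr/f.docx
2024-03-04T09:02:00Z device user=jdoe action=connect class=usb_storage serial=ST-APPROVED-001
2024-03-04T09:03:30Z device user=asmith action=connect class=usb_storage serial=UNKNOWN-7F3A
2024-03-04T09:04:00Z device user=asmith action=connect class=usb_keyboard serial=KB-0042
"""

# Assumed allowlist of agency-issued encrypted USB drives (constructed serials).
APPROVED_STORAGE = {"ST-APPROVED-001", "ST-APPROVED-002"}
BURST_WINDOW = timedelta(minutes=5)  # assumed sliding window
BURST_THRESHOLD = 5  # alert when more than this many delete/modify ops fall in the window


def parse_line(line):
    """Turn one log line into a dict; the timestamp is parsed, other fields stay strings."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_file_bursts(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window count of delete/modify operations per user.

    Returns one (user, window_start, count) tuple per user whose count exceeds
    the threshold within any window-sized span of time.
    """
    per_user = defaultdict(list)
    for rec in records:
        if rec["kind"] == "file" and rec.get("op") in ("delete", "modify"):
            per_user[rec["user"]].append(rec["ts"])

    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            # Advance the window start until every event in it lies within the window.
            while current - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append((user, times[start], count))
                break  # one alert per user is enough for triage
    return alerts


def detect_unapproved_devices(records, approved=APPROVED_STORAGE):
    """Device-control trigger: storage-class connections whose serial is not approved."""
    return [
        (rec["user"], rec["serial"], rec["ts"])
        for rec in records
        if rec["kind"] == "device"
        and rec.get("action") == "connect"
        and rec.get("class") == "usb_storage"
        and rec.get("serial") not in approved
    ]


def run(text=SAMPLE_LOG):
    """Parse the log once and return both alert lists keyed by category."""
    records = parse_log(text)
    return {
        "file_bursts": detect_file_bursts(records),
        "unapproved_devices": detect_unapproved_devices(records),
    }


if __name__ == "__main__":
    for category, alerts in run().items():
        for alert in alerts:
            print(category, *alert)
```

On the constructed input, the burst check flags only the user with six deletes inside a few seconds, and the device check flags only the storage-class connection whose serial is off the allowlist (a keyboard is ignored). In practice the window and threshold would be tuned per share against a baseline, and the allowlist would come from the agency's asset inventory rather than a constant.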