<div dir="ltr"><a href="http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/484286/">http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/484286/</a><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br><p>Government agencies should establish virtual mobile infrastructure
(VMI) technology, in which telecommuting employees would access network
information through customized mobile operating systems hosted on
virtual machines, and the intermediary connection is destroyed when the
session ends, according to draft guidance for telework protocol released
by the National Institute of Standards and Technology (NIST). </p>
<p>The guidance, an update to the federal agency's initial documents
drafted in 2009, also encourages agencies to implement mobile device
management tools, which prevent employees from accessing networks or
sensitive data on devices that do not conform to established security
standards. The update, contained in NIST documents <a href="http://csrc.nist.gov/publications/PubsDrafts.html#800-46r2">800-46</a> and <a href="http://csrc.nist.gov/publications/PubsDrafts.html#800-114r1">800-114</a>,
offers solutions for the increasingly complex challenge of securing
government networks as federal agencies move to adapt to the telecommuting
trend that has grown popular in the private sector.</p>
<p>“Organizations are realizing that many data breaches occur when
attackers can steal important information from a network by first
attacking computers used for telework,” NIST computer scientist Murugiah
Souppaya said in a <a href="http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm">statement</a>.</p>
<p>The new guidelines were released as federal agencies and the private
sector continue to face difficulties creating secure telework
arrangements. The challenge of establishing secure telework arrangements
is especially complex for federal employees who work from abroad,
either from an embassy or elsewhere. Last week, Department of Veterans
Affairs (VA) Deputy Assistant Inspector General Brent Arronte <a href="http://www.scmagazine.com/house-subcommittee-questions-va-cio-over-security-weaknesses/article/483671/">testified</a> during a House Oversight subcommittee that the agency has “inconsistent implementation” of security protocol. </p>
<p>Among the security failings highlighted during Arronte's testimony
was an episode in which VA employees were given permission to work from
foreign nations, including from China and India, and employees
"improperly connected to VA's network from foreign locations" without
arrangements for secure network access and used personal equipment in
accessing the agency's network.</p>
<p>The private sector continues to struggle with solutions to the
challenge of employees accessing their organizations' networks remotely.
After a federal court ruled against JPMorgan Chase in a 2013 lawsuit
that claimed the financial institution had violated the Americans with
Disabilities Act by denying multiple requests to telecommute, the
company embarked on a proactive campaign to allow employees to work
remotely -- and then experienced a massive breach that compromised 76
million personal accounts and 7 million business accounts, and led to
the bank's <a href="http://www.scmagazine.com/jim-cummings-receives-new-position-in-texas-after-bank-breach/article/452043/">CSO</a> and <a href="http://www.scmagazine.com/jpmorgan-ciso-reassigned-over-handling-of-major-breach/article/424194/">CISO</a> being reassigned to new positions.</p>
<p>Security standards, such as the guidelines established by NIST or
through similar statewide initiatives, have not always been
consistently followed. For instance, a <a href="http://www.scmagazine.com/california-ag-data-breach-report-24m-records-compromised-in-2015/article/477786/">California attorney general report</a>
stated that organizations have failed to implement the CIS Critical
Security Controls, California state cybersecurity guidelines enacted in
2014 that require businesses that collect personal information to use
“reasonable security practices and procedures.”</p></div></div></div></div></div></div></div></div></div>
</div>