[BreachExchange] NIST releases updated telework guidance

Inga Goddijn inga at riskbasedsecurity.com
Mon Mar 21 18:14:10 EDT 2016


http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/484286/

Government agencies should establish virtual mobile infrastructure (VMI)
technology, in which telecommuting employees would access network
information through customized mobile operating systems hosted on virtual
machines, and the intermediary connection is destroyed when the session
ends, according to draft guidance for telework protocol released by the
National Institute of Standards and Technology (NIST).

The guidance, an update to the federal agency's initial documents drafted
in 2009, also encourages agencies to implement mobile device management
tools, which prevent employees from accessing networks or sensitive data on
devices that do not conform to established security standards. The update
contained in NIST documents 800-46
<http://csrc.nist.gov/publications/PubsDrafts.html#800-46r2> and 800-114
<http://csrc.nist.gov/publications/PubsDrafts.html#800-114r1>, offers
solutions for the increasingly complex challenge of securing government
networks as federal agencies move to adopt the telecommuting trend that has
grown popular in the private sector.
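The mobile device management control described above amounts to a posture check that runs before a telework device is allowed onto the network. The following is an added example, not code from NIST, SC Magazine or any MDM product: the policy thresholds, the device attribute schema and the sample device records are all constructed for illustration. It evaluates each reported device against the policy and fails closed, denying access and listing every control the device misses.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM agent might report about a device (constructed schema)."""
    device_id: str
    os_name: str                 # "ios" or "android" in this example
    os_version: Tuple[int, ...]  # e.g. (9, 2)
    enrolled: bool               # device is under MDM management
    disk_encrypted: bool
    passcode_set: bool
    compromised: bool            # jailbroken or rooted
    hours_since_checkin: int     # age of the most recent posture report


# Hypothetical agency policy; thresholds are illustrative, not taken from NIST.
POLICY = {
    "min_os_version": {"ios": (9, 2), "android": (6, 0)},
    "max_hours_since_checkin": 24,
}


def fmt_version(v: Tuple[int, ...]) -> str:
    return ".".join(str(x) for x in v)


def evaluate_posture(device: DevicePosture, policy=POLICY) -> Tuple[bool, List[str]]:
    """Return (allowed, failures). Every failed control is recorded so the
    help desk can tell the user what to fix; any failure denies access."""
    failures: List[str] = []
    if not device.enrolled:
        failures.append("not enrolled in MDM")
    min_version = policy["min_os_version"].get(device.os_name)
    if min_version is None:
        # Unknown platform: fail closed rather than guess a baseline.
        failures.append(f"unsupported OS '{device.os_name}'")
    elif device.os_version < min_version:
        failures.append(
            f"OS {fmt_version(device.os_version)} below minimum {fmt_version(min_version)}"
        )
    if not device.disk_encrypted:
        failures.append("storage not encrypted")
    if not device.passcode_set:
        failures.append("no device passcode")
    if device.compromised:
        failures.append("device jailbroken/rooted")
    if device.hours_since_checkin > policy["max_hours_since_checkin"]:
        # A stale report means the current state is unknown; treat as unknown = deny.
        failures.append("posture report stale")
    return (not failures, failures)


def access_decisions(devices: List[DevicePosture]) -> Dict[str, str]:
    """Map device_id to 'allow' or 'deny: <reasons>' for a batch of devices."""
    decisions = {}
    for d in devices:
        ok, why = evaluate_posture(d)
        decisions[d.device_id] = "allow" if ok else "deny: " + "; ".join(why)
    return decisions


# Constructed sample records: one compliant agency tablet, one personal phone
# that fails several controls, and one managed phone whose report is stale.
SAMPLE_DEVICES = [
    DevicePosture("gov-tablet-01", "ios", (9, 3), True, True, True, False, 2),
    DevicePosture("personal-phone-07", "android", (5, 1), False, True, True, True, 3),
    DevicePosture("gov-phone-12", "ios", (9, 2), True, True, True, False, 72),
]


if __name__ == "__main__":
    for device_id, decision in access_decisions(SAMPLE_DEVICES).items():
        print(f"{device_id}: {decision}")
```

The decision is all-or-nothing on purpose: a device that meets most controls but is jailbroken, or whose last posture report is older than the policy allows, is treated exactly like an unenrolled personal device, which is the behaviour the guidance describes.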

“Organizations are realizing that many data breaches occur when attackers
can steal important information from a network by first attacking computers
used for telework,” NIST computer scientist Murugiah Souppaya said in a
statement
<http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm>.

The new guidelines were released as federal agencies and the private
sector continue to face difficulties creating secure telework arrangements.
The challenge of establishing secure telework arrangements is especially
complex for federal employees who work from abroad, either from an embassy
or elsewhere. Last week, Department of Veterans Affairs (VA) Deputy
Assistant Inspector General Brent Arronte testified
<http://www.scmagazine.com/house-subcommittee-questions-va-cio-over-security-weaknesses/article/483671/>
before a House Oversight subcommittee that the agency has “inconsistent
implementation” of security protocol.

Among the security failings highlighted during Arronte's testimony was an
episode in which VA employees were given permission to work from foreign
nations, including from China and India, and employees "improperly
connected to VA's network from foreign locations" without arrangements for
secure network access and used personal equipment in accessing the agency's
network.

The private sector continues to struggle with solutions to the challenge of
employees accessing their organizations' networks remotely. After a federal
court ruled against JPMorgan Chase in a 2013 lawsuit that claimed the
financial institution had violated the Americans with Disabilities Act by
denying multiple requests to telecommute, the company embarked on a
proactive campaign to allow employees to work remotely -- and then
experienced a massive breach that compromised 76 million personal accounts
and 7 million business accounts, and led to the bank's CSO
<http://www.scmagazine.com/jim-cummings-receives-new-position-in-texas-after-bank-breach/article/452043/>
and CISO
<http://www.scmagazine.com/jpmorgan-ciso-reassigned-over-handling-of-major-breach/article/424194/>
being reassigned to new positions.

Security standards, such as the guidelines established by NIST or through
similar statewide initiatives, have not always been consistently
followed. For instance, a California attorney general report
<http://www.scmagazine.com/california-ag-data-breach-report-24m-records-compromised-in-2015/article/477786/>
stated that organizations have failed to implement the CIS Critical
Security Controls, California state cybersecurity guidelines enacted in
2014 that require businesses that collect personal information to use
“reasonable security practices and procedures.”