By Ben Bain
Sept. 13, 2007
Because of security concerns, the Justice Department now forbids all
employees from using their private PCs or digital assistants to access
agency e-mail or other files, the department's top information security
officer has said.
Previously, some Justice Department employees had been allowed to use
their private personal computers for e-mailing, said Dennis Heretick,
the Justice Department's chief information security officer. Instead, the
agency wants employees who telework or work at remote locations to use
government-issued laptops, docking stations or Blackberries.
Unlike with employees' personal devices, Justice can ensure that
government-issued systems are fully encrypted and monitored.
"My very strong recommendation is not to allow people to use home
computers to telecommute unless you don't care about the security of the
information they're working with," said Heretick, speaking at the 2007
Telework Exchange Town Hall Meeting on Sept. 12.
PCs, especially those shared by family members, are
susceptible to eavesdroppers who want to view and access information
stored and created on the workstation.
"I just could not find a way to secure home computers," Heretick said. "Our
employees are worth it to give them either a docking station or the
means to work from home."
In a recent survey by the Telework Exchange, 83 percent of 35 chief
information security officers said laptop use in their agencies had
increased over the past year. The exchange is a for-profit telework
advocacy group that sponsored the event. However, just 17 percent of the
CISOs surveyed said laptops represent 50 percent of their agency's PCs.
Meanwhile, budget constraints have slowed the movement from desktops to
laptops, according to observers. Federal information technology, human
resource and security managers have been working to balance security
concerns and the costs of new mobile equipment with increasing pressure
from lawmakers and telework advocates to increase the number of
employees who regularly work remotely. Agencies are in charge of setting
their own policies on whether employees are allowed to work from home
computers or on other personal hardware.
Heretick also said that the ability to work from remote locations
is crucial to the agency's mission and that IT security policy should be
seen from that perspective.
"It's important not to try to let your IT shop or the business managers
that direct the IT shop to cheap out on the teleworkers by not giving
them the right tools to do this job," Heretick said.
Over the past year and a half, highly publicized incidents have shown
the challenges that mobile data poses to efforts to secure personally
identifiable information. Even when data is stored on government-issued
devices, as in the case of the lost Veterans Affairs Department
laptop, a careless employee or the failure to properly report an
incident immediately can compromise data security.
One slip by a careless or untrained employee can compromise an entire
agency's efforts, said Michael Castagna, the Commerce Department's chief
information security officer, who spoke on the same panel as Heretick.
"The bottom line on all this technology is that it comes down to two
things: the security of the endpoint and the training of the individual,"
he said. "If you have an insecure endpoint, all bets are off."