To bolster security and create consistency in California's IT infrastructure, the Office of the State Chief Information Officer (OCIO) issued a new policy Tuesday, March 2, that includes telework and remote access security standards as well as a compliance form that state agencies must submit by July 1.

The policy letter aims to help state agencies develop robust and secure telework and remote access arrangements for state employees, while minimizing cyber-security risks. The standard highlights several measures that IT agencies must adopt to certify telework programs, including the use of up-to-date operating system software and security software (anti-virus, anti-spyware, firewall and host intrusion prevention) for every remote connection.

The standard also notes that all computing equipment connected to the state IT infrastructure network for teleworking purposes must be state-owned with secure configurations. Teleworkers can only connect to the infrastructure through secure, encrypted channels authorized by agency management. The security measures also apply to paper files and mobile devices, and all relevant material must be kept in secured locations.

"We know that departments are interested in maintaining the highest security standards for the state's networks," said OCIO spokesman Bill Maile. "When it comes to protecting sensitive data and our network infrastructure, no department wants a security breach."

At a time when governments at all levels are looking to cut costs and boost efficiency, telework programs have proved useful: Research shows that such arrangements can improve productivity, and virtual employees are more satisfied with their jobs; state workers who don't commute also help reduce traffic congestion and air pollution. But unmanaged telework programs can hurt services and increase costs. Not only that, but with viruses lurking in cyber-space, IT agencies must take proper precautions to keep the government's information secure.

Maile said the OCIO has been working with partnering departments for the past several months to craft the policy, which includes the Telework and Remote Access Security Standard SIMM Section 66A. "This state is always working to implement the highest security standards for our IT infrastructure," Maile said.

According to the information policy letter, agency heads must comply with the following:

  • Making sure authorized users permitted to telework have been trained regarding their roles and responsibilities, security risks and the requirements included in the standard.
  • Adopting and implementing the requirements in the standard and certifying their agency's compliance. If an agency has a telework program already in place that does not meet the standard, it must establish a timeline and a deadline for achieving compliance.
  • Completing and submitting the Agency Telework and Remote Access Security Compliance Certification form included in SIMM Section 70E to the OCIO-Office of Information Security (OIS) no later than July 1, and annually thereafter beginning Jan. 31, 2011.

In a joint effort, the Department of General Services released a new statewide model Telework Program Policy and Procedures on Jan. 29, 2010.

The OCIO's new policy fits with best practices for telework programs, which require comprehensive support from IT representatives, HR and management, and information security specialists to address security and privacy issues, according to Liza Lowery Massey, who served as a public-sector IT executive for nearly 20 years. "The best telework programs," Massey wrote in a column for Public CIO last year, "have well developed evaluation procedures, strong-yet-flexible policies and a training program for everyone."

California is among the first governments in the country to write enterprisewide policies for telework, joining states such as Virginia and Arizona, and the federal government.

 

Russell Nichols  |  Staff Writer