Organizations need to ensure they effectively address the security of information assets that are taken off-site.
It may be difficult to maintain the same level of security controls for information systems or other assets once they are taken off-premises. Controls that are enforced while systems are connected to the organization's network may not be enforceable when those systems are working off the network.
Physical security controls are very likely to be significantly different as well. These risks may be further magnified if personnel are not well trained on security best practices and acceptable use requirements. The security of information assets is the focus of pitfall #46 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Computers, peripherals, paperwork, reports, software, or other information assets belonging to your organization should not be taken off-site without prior authorization.
Records should be maintained for all information assets that are taken off-site, and those records should be updated once the equipment or other information assets have been returned on schedule. Your organization's asset inventory is likely the most convenient place to document which assets have been taken off-site, by whom, and when they are scheduled to be returned.
The security controls applied to off-site equipment should be comparable to the controls applied on-site, while also accounting for the different risks of working outside the organization's premises. Particular attention should be given to protecting equipment during business or personal travel. Full-disk encryption should be deployed on all laptops.
Information assets remain the property of your organization even when they are off-premises. Personnel should be trained that these assets must not be used by family members or friends. Such unauthorized use introduces not only technical risks but also risks to the confidentiality of the data stored on the device, since information may be viewed by people who are not authorized to see it. All of your personnel need to be responsible, and held accountable, for every action performed on or with the information assets currently assigned to them.