For Agency Leadership
Many of the following security devices or platforms do not 'come out of the box' fully secured; they require analysis and changes to settings. Some may require technical expertise from a security/IT department or a cybersecurity provider.
Implement Multi-Factor Authentication (MFA)
- Defined: Multi-factor authentication grants users access to a website or application after successfully presenting two or more pieces of evidence to an authentication tool.
- Examples: Applications such as Duo, Google Authenticator, RSA SecurID, Ping, and some password managers have this capability. Note: evaluate the office's needs and determine which option fits the office.
- Consider industry initiatives such as SignOn Once as a resource.
Limit employee access privileges to only what is necessary for each staff member's role and responsibilities. Consider which reports should be available for download to a non-work-issued computer.
Be aware of PUPs (Potentially Unwanted Programs) that can be launched when loading a new app. PUPs can disable services so that an app works better, collect information you did not intend to share, and slow the computer.
Secure all access points:
- Configure your VPN (Virtual Private Network) and RDP (Remote Desktop Protocol) with appropriate security levels.
- Limit the number of RDP connections whenever possible.
Implement strong password management and possibly purchase password management software (such as LastPass, KeePass, DashLane, etc.).
Turn on access logs so that important data is captured for review in the event of a breach. This should be part of larger agency cybersecurity policies such as those outlined in the Agency Cyber Guide 3.0.
Consider which reports should be available for download to a non-work-issued computer, and any reporting that could be downloaded to non-agency drives.
When company devices are not provided, define acceptable use of personal devices as well as the system requirements necessary when accessing sensitive data.
- Ensure devices going home with staff are up to date and properly secured according to agency policies and procedures.
- Consider adding an extra step to have validation/dual approval on financial transactions for remote staff that handle financial processes/requests.
- Implement strong and consistent agency security training as part of the Agency Cyber Guide recommendations.
- Develop and implement policies and procedures aligned to cybersecurity best practices (refer to the Agency Cyber Guide 3.0 for more detailed content).
For Employees Working Remotely
Consider data exposure in your home or another remote work environment. Who can see/hear what you're doing? What devices share a network and could access information?
Treat your work-at-home environment as if you were in the office. Adhere to agency processes that limit non-work use of devices or networks that connect to the office or access its resources.
Apply an overall 'best practices' methodology for your mobile devices. The NSA offers an easy-to-use overview HERE.
At-Home Physical Technology
- Change the default router password (initial setup, then change twice a year).
- Segment the router for work vs. personal use; if possible, use existing segmentation between Wi-Fi bands (initial setup, and as needed):
  - 2.4 GHz for work applications and connectivity
  - 5.0 GHz for personal streaming and online gaming
- Use a hard-wired Ethernet cable if available, for dedicated work bandwidth (initial setup).
- Update the firmware, or replace the router itself if outdated (initial setup). Updates may require advanced knowledge and assistance.
- If you can, invest in a quality router rather than using the ISP-provided router.
Computer/Laptop – Agency-Issued
- Only allow work-related software to be installed.
- Limit the device to work use only: do not access personal sites or social platforms.
- Use a password-protected login and set screen timeouts (initial setup, and as needed).
- Use next-generation antivirus or another security platform for mobile devices (e.g., Lookout) (initial setup, daily).
- Devices should be remotely monitored, with the capability to push updates that does not depend on a connection to the company network.
- Use hard drive encryption, and wipe outdated or retired hard drives (initial setup; refer to the Agency Cyber Guide 3.0).
- Consider making devices 'wipeable', i.e., able to be remotely locked and erased.
Computer/Laptop – Personal, Used for Work (whether accessing agency data via VPN or software such as Citrix)
- Treat it like a work-issued device; see the 'Agency-Issued' considerations above. Security and processes for personal devices should be at the same level as for work-issued devices (daily).
- Set up separate 'work' and 'personal' user profiles (initial setup).
- Use next-generation antivirus or another security platform for mobile devices (e.g., Lookout) (initial setup, daily).
- Use a VPN to shield the connection when on public Wi-Fi, or use a mobile hotspot (initial setup, daily).
- Even in a remote environment, watch for people looking over your shoulder or eavesdropping (always).
- Don't leave devices unattended.
- Don't use a public charging station.
- Have disk encryption in place in case a device is stolen (initial setup).
Document/Data Point Storage
- Do not store documents and data locally on your computer.
- Ensure you understand your cloud storage options on the AMS, CRM, and other agency systems, and follow corporate cloud guidelines.
- Use approved cloud file hosting services such as Microsoft OneDrive, as well as network storage, whenever applicable.
- Destroy any customer, credit card (PCI), or agency data that you capture as soon as it has been saved to approved storage.
- Adopt an agency shredding policy.
- Use a webcam cover for both built-in and external cameras.
- Use a laptop webcam 'kill' switch (if available) when the camera is not in use.
- As with previous steps, use solid anti-malware/spyware and virus protection (initial setup, daily).
- Follow agency policy on securing, retaining, and shredding documents.
- Wireless printers (initial setup, daily):
  - Limit or disable network printing.
  - Secure printing ports (disable ports 515, 721-731, 9100).
  - Use your firewall.
  - Update firmware to the latest version.
  - Change the default password.
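The wireless-printer items above ("limit or disable network printing", "secure printing ports", "use your firewall") can be checked and enforced together. The following is an added example, not part of the Agency Cyber Guide, for a Linux print server or a machine that shares a printer: it parses `ss -ltn` output to find listeners on the ports the checklist names (515, 721-731, 9100) and emits nftables commands that allow only the work segment to reach them and drop everyone else. The `ss` output is a constructed sample, the `inet filter input` table/chain is assumed to exist, and `192.168.10.0/24` is a placeholder for whatever subnet the work segment of the home router uses.

```python
from typing import List, Optional, Tuple

# TCP ports named in the checklist: 515 (LPD), 721-731 (LPR source-port range), 9100 (raw/JetDirect).
PRINTING_PORTS: List[Tuple[int, int]] = [(515, 515), (721, 731), (9100, 9100)]


def is_printing_port(port: int) -> bool:
    """True if the port falls inside any of the checklist's printing port ranges."""
    return any(lo <= port <= hi for lo, hi in PRINTING_PORTS)


# Constructed sample of `ss -ltn` output for a home print server; not captured from a real host.
# Port 631 (CUPS/IPP) is included to show that only the ports on the checklist are flagged.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:515         0.0.0.0:*
LISTEN 0      50     [::]:9100           [::]:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
"""


def listening_printing_ports(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for every LISTEN socket on a checklist printing port."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening state
        # rpartition handles both "0.0.0.0:515" and bracketed IPv6 such as "[::]:9100".
        addr, _, port_text = fields[3].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if is_printing_port(port):
            found.append((addr, port))
    return found


def port_set_text(ports: List[Tuple[int, int]] = PRINTING_PORTS) -> str:
    """Render the port list in nftables anonymous-set syntax, e.g. '515, 721-731, 9100'."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ports)


def nftables_rules(allow_from: Optional[str] = None,
                   ports: List[Tuple[int, int]] = PRINTING_PORTS) -> List[str]:
    """nft commands: optionally accept the work segment first, then drop all other sources.

    Assumes a table 'inet filter' with an 'input' chain already exists (hypothetical names).
    With allow_from=None the printing ports are simply closed to the network.
    """
    dports = f"tcp dport {{ {port_set_text(ports)} }}"
    rules = []
    if allow_from:
        rules.append(f"nft add rule inet filter input ip saddr {allow_from} {dports} accept")
    rules.append(f"nft add rule inet filter input {dports} drop")
    return rules


if __name__ == "__main__":
    exposed = listening_printing_ports(SAMPLE_SS_OUTPUT)
    for addr, port in exposed:
        print(f"printing port exposed: {addr}:{port}")
    # Placeholder work-segment subnet; replace with the router's work network.
    for rule in nftables_rules(allow_from="192.168.10.0/24"):
        print(rule)
```

Run the audit part against real `ss -ltn` output by piping it in, and review the generated `nft` commands before applying them; if the printer should not be reachable from the network at all, call `nftables_rules()` with no `allow_from` so that only the drop rule is produced.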