Telework security a challenge for federal agencies
And more than half of those surveyed in May, nearly a year after a laptop containing information about 26.5 million Americans was stolen from the home of a Department of Veterans Affairs worker, said their agencies didn’t provide security training or update encryption or protection technology in response to the data breach.
“It’s kind of alarming...that people still are not doing everything they can do to protect their mobile devices,” said Joshua Wolfe, of Utimaco Safeware, a cybersecurity vendor that underwrote the survey. “You’ve got a lot of unofficial teleworkers out there who are taking information out of the agency and working from home on unsecured computers.”
Agencies should encrypt all computer devices, figure out who works at home and train them how to protect information, Telework Exchange recommends. “There should be one security policy for everyone across the agency — teleworker, non-teleworker and unofficial teleworker,” Wolfe said, the Federal Times reports.
One government agency that has made progress in the last year is the Defense Information Systems Agency (DISA), which has identified 2,500 positions, or 50 percent of its work forced as eligible for telework, The Teleworker reports. Telework opportunities facilitated relocation of DISA facilities from Arlington, Virginia to Ft. Meade, Maryland last year when base closing were ordered.
Most DISA employees who telework do so for two days a week, according to Jack Penoske, Director of Manpower, Personnel and Security. Each worker is issued a laptop with a docking station, and DISA pays half of the broadband costs. Not all employees work from home. Some DISA personnel can work from a Federal Telework Center or another DISA location.
The Internal Revenue Service (IRS), on the other hand, which last year relied on teleworkers working from Federal Telework centers or from home after the agency’s headquarters was flooded, needs to make greater efforts to address laptop security, according to the Treasury Inspector General for Tax Administration (TIGTA). A TIGTA study of the IRS laptop security published in March is entitled “The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices.” In the highlight statement issued with the report, TIGTA says “the risk of loss is particularly high because IRS employees are allowed to take electronic taxpayer data outside of the office for business purposes and the IRS has over 47,000 portable laptop computers assigned to its employees.”
Additional highlights included the finding that since 2003 “hundreds of IRS laptop computers and other computer devices had been lost or stolen. While TIGTA determined 176 incidents likely did not involve any loss of taxpayer data, but 126 incidents involved the loss of personal information for at least 2,359 individuals.
A separate test by TIGTA of 100 laptop computers currently in use by employees determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data. Also, backup tapes were not encrypted and adequately protected at non-IRS offsite locations reviewed.
The IRS has agreed to implement most of the TIGTA’s recommendations. The study is published on TIGTA’s Web site at http://www.treas.gov/tigta/auditreports/2007reports/200720048fr.pdf. 
TIGTA’s own telework program focuses on three major areas: infrastructure, devices and policy, according to Ben Trapp, Assistant Director for Client Services, The Teleworker reports, but it all begins with a policy framework, defining specific authorized users, devices and connections. TIGTA teleworkers access the agency networks using a Virtual Private Network VPN, and data flowing from the networks is encrypted. The user can access only one network at a time.
TIGTA teleworkers must use TIGTA-issued equipment which comes pre-programmed with firewalls, antivirus, and antispyware packages.