Remote Work Policy Template

A policy template for remote working

Uploaded by

lui

[Insert Logo]

REMOTE WORK POLICY


[ORGANIZATION_NAME]

©2020 by LMG Security. www.LMGsecurity.com All rights reserved. Used under license.
Remote Work Policy Internal Use

Version Control
Policy Code: 002
Approved By: {Insert}
Owner: {Insert}
Effective Date: {Insert}

Revision History
Date | Version | Created by | Description of change


Table of Contents
1. PURPOSE AND SCOPE
2. INTRODUCTION
3. ROLES AND RESPONSIBILITIES
4. AUTHORIZATION FOR REMOTE WORK
   4.1 REMOTE WORK AGREEMENT
   4.2 TRAINING
5. SECURITY FOR REMOTE WORKING ARRANGEMENTS
   5.1 USE OF PERSONALLY OWNED DEVICES
6. MANAGEMENT CONSIDERATIONS WITH REMOTE WORK
7. POLICY MAINTENANCE AND MANAGEMENT
8. REFERENCES
APPENDIX: REMOTE WORK AGREEMENT
1. PURPOSE & SCOPE
2. WHO MUST COMPLY WITH THIS POLICY
   2.1 EXISTING POLICIES
   2.2 SECURITY
   2.3 SCHEDULING
   2.4 AVAILABILITY
3. STATEMENT OF ACCEPTANCE


1. Purpose and Scope


The purpose of this policy is to define [ORGANIZATION_NAME]’s rules for
remote working (i.e., when workforce members are engaged in the
organization’s work while physically outside of its office facilities). This
topic may be referred to by a variety of terms, including telework,
telecommuting, virtual work, or work from home.

This document applies to all [ORGANIZATION_NAME] users.

2. Introduction
Remote work may be offered by [ORGANIZATION_NAME] for various reasons,
such as to support life balance, allow flexibility, promote productivity,
control facility space / costs, or help employees manage personal
obligations. Remote work may also be required in some situations due to
pandemic, natural disaster, or disruption at one of the organization’s
facilities.

Remote work can create or exacerbate security risks to organizational assets
and data. The safeguards defined in this policy are intended to protect the
confidentiality, integrity, and availability of the organization’s information
and information systems when work is conducted remotely.

3. Roles and Responsibilities


[Department Managers and Supervisors]
• Authorize specific roles or individuals to work remotely
• Provide those users the Remote Work User Agreement (see Appendix)
• Retain the signed agreement
• Establish regular communications with users working remotely to support a
  productive and healthy remote work arrangement

[Human Resources Manager]
• Include security requirements for remote work in regular security
  awareness training
• Work with department managers and supervisors to address any instances of
  non-compliance with the remote work agreement

[IT Director]
• Select and implement appropriate technical controls to address the risks
  of remote work
• Respond to user questions or needs regarding security while working
  remotely
• Ensure that disabling remote work mechanisms (i.e., VPN access, remote
  access to email) is included in standard off-boarding processes

4. Authorization for Remote Work
Only users who have been approved by their [Manager or Supervisor] may
work remotely.

4.1 Remote Work Agreement

All users authorized to work remotely are required to read and acknowledge
[ORGANIZATION_NAME]’s Remote Work User Agreement, which is
included as an Appendix to this policy.

The agreement documents user requirements and responsibilities when
working remotely, with the intent of addressing potential security risks to
the organization’s information systems and assets.

4.2 Training

Remote work security risks and requirements are included in
[ORGANIZATION_NAME]’s regular security awareness training program.
Users are encouraged to ask their supervisor or the IT department if they
have any questions about remote work security or the controls in place to
reduce risk.

5. Security for Remote Working Arrangements


Remote work can introduce risk to the organization’s systems and data,
especially in unprotected environments. This potential for risk requires the
implementation of administrative and technical controls to manage those
risks.

The [IT Director] is responsible for ensuring that appropriate technical
safeguards are in place to address the risks of remote access.

Factors that should be considered when identifying risks and appropriate
safeguards relating to remote working arrangements include:
• Communications security requirements, taking into account the need
  for remote access to the organization’s internal systems, the
  sensitivity of the information that will be accessed and passed over
  the communication link, and the sensitivity of the internal systems
• Physical security of sites where users will perform work remotely
• The threat of unauthorized access to information or resources by
  other persons at the remote location (e.g., family, roommates, friends)
• The use of personally owned devices, if the use of company-owned
  devices is not available to some or all users
• The use of personal email, if access to company email is not available
  remotely to some or all users
• The use of home networks and requirements or restrictions on the
  configuration of wireless and wired network services
• The use of cloud applications
• Issues relating to the organization’s software licensing agreements
  that may not permit such software to be used on workstations or other
  devices owned privately by users
• Malware protection and firewall requirements
• Procedures for backup and business continuity
• Audit and security monitoring (accountability)
• Revocation of authority and access rights, and the return of
  equipment when remote work or employment is discontinued
• Permitted and forbidden types of activities

[ORGANIZATION_NAME] uses the following security controls to mitigate
risks related to remote work:
• Virtual Private Network (VPN)
• Time-out of remote sessions and cloud applications
• Long, strong passwords
• Multifactor authentication
• Secure configuration of cloud applications
• Antivirus
• Encryption, at rest and in transit
• Secure methods for file-sharing
• Clear communication channels for security concerns or signs of
  suspicious activity to the IT team
5.1 Use of Personally Owned Devices

The use of personally owned devices may be needed for remote work,
especially when it is in response to an event such as pandemic or natural
disaster. If personally owned devices will be used for remote work,
[ORGANIZATION_NAME] will implement a process to inform those users
who are permitted to use such devices, along with rules and guidelines they
must follow. In considering the use of personally owned devices for work
purposes, [ORGANIZATION_NAME] will consider appropriate security
controls that should be in place as well as issue user guidance on secure
remote work. Examples of security controls for personally owned devices
include, but are not necessarily limited to, the following:
• Full-disk encryption
• Long, strong passwords
• Current OS version and patching, with automatic updates enabled
• Anti-virus, with automatic updates enabled
• Physical security of devices
• Automatic screensaver / locking devices when unattended
• Requiring work-related files and applications to be closed if the
  device will be used by another person (i.e., family members)
• Restricting or prohibiting the storage of sensitive data on personal
  devices
• Mobile device management

6. Management Considerations with Remote Work


Remote work arrangements require attention and communication to be
productive and healthy for both the user and the organization. Managers
and supervisors must establish consistent communications with users
working remotely to help foster a positive remote work situation.
Communication needs may include tasking, deliverables, status updates,
scheduling, and more. Communication plans may include regular check-ins
by phone, daily or weekly status emails, weekly progress reports, or a
combination of strategies.

Managers should also take steps to maintain a sense of teamwork and
collaboration. These steps may include regular team meetings, conducted
remotely if needed, or requiring remote workers to call in to all regularly
scheduled meetings. The use of chat applications, group conference calls,
and video-conferencing can contribute to maintaining connections among
teams and coworkers, and should be encouraged if they are authorized by
the organization.

7. Policy Maintenance and Management

The owner of this document must review and perform any necessary updates
to this document at least annually, or may delegate tasks related to this
policy as appropriate. Revisions must be communicated to relevant roles and
users throughout the organization.

8. References
NIST Cybersecurity Framework References
• ID.AM – Asset Management
• PR.AC – Identity Management and Access Control
• PR.AT – Awareness and Training
• PR.DS – Data Security
• PR.IP – Information Protection Processes and Procedures
• PR.PT – Protective Technology

Policy References
• Access and Authorization Policy
• Acceptable Use Policy
• Mobile Device Policy
• Information Classification, Handling, and Transfer Policy
• Asset Management


APPENDIX: REMOTE WORK AGREEMENT

1. Purpose & Scope


Remote work may be offered by [ORGANIZATION_NAME] for various reasons,
such as to support life balance, allow flexibility, promote productivity,
control facility space / costs, or help employees manage personal
obligations. Remote work may also be required in some situations due to
pandemic, natural disaster, or disruption at one of the organization’s
facilities.

Remote work can create or exacerbate security risks to organizational assets
and data. This policy contains rules and guidelines intended to protect the
confidentiality, integrity, and availability of the organization’s information
and information systems when work is conducted remotely.

With the goal of making remote work a successful arrangement for both
users and the organization, [ORGANIZATION_NAME] has set the following
requirements and expectations for remote work. This Remote Work
Agreement must be reviewed and signed by all users who have been
authorized by [ORGANIZATION_NAME] for remote work.

2. Who Must Comply with this Policy


All users are required to comply with this Policy. By signing and returning
the Statement of Acceptance below, you acknowledge your understanding
of, and willingness to comply with, all aspects of this policy.

2.1 Existing Policies


[ORGANIZATION_NAME]’s existing policies continue to apply whether
working in the office or remotely. This includes requirements documented in
the Employee Handbook, Acceptable Use Policy, Data Classification Policy,
and more.

Here is a summary of policies that users should keep in mind while working
remotely.
• Do not attempt to bypass any security measures implemented by
  [ORGANIZATION_NAME] (i.e., antivirus, password requirements,
  multifactor authentication, screensaver, restricted file access).
• Do not use organizational assets or network for prohibited activities,
  such as gambling, illegal activity, accessing adult content, operating
  your own business, or other activities generally considered
  inappropriate for work purposes.
• Use only approved methods for sending and receiving information.
• Only use approved software and applications, including cloud
  applications.
• Continue to pay attention to data classification, such as sensitive and
  confidential, and the associated requirements around handling,
  transmission, storage, sharing, and secure destruction.
• Do not use removable media unless you have been specifically
  authorized to do so. Never connect removable media if you do not
  know its source or owner.
• Remember that you do not have a right to privacy when using
  [COMPANY_NAME]’s technology resources. Use may be monitored.

2.2 Security
Primary considerations for users performing remote work include securing
sensitive documents, physical protection of mobile devices, locking screens
when unattended, preventing “shoulder surfing”, and taking care when
conducting phone calls to ensure that company or client information is not
overheard.

• Physical Security
  o Physically safeguard all devices to prevent theft or damage. Do not
    leave devices unattended in vehicles, checked luggage, or publicly
    accessible areas.
  o Prevent unauthorized viewing of your computer screen
  o Lock computer screens when left unattended
  o Secure documents when not in use
  o Ensure work-related phone conversations and meetings cannot be
    overheard by others
  o Establish a safe space dedicated to work free from potential
    hazards and conducive to a safe and healthy work environment
  o Immediately report lost or stolen devices.

• IT Security
  o Follow security requirements issued by the [IT Department or
    Security Officer], such as the use of VPN, long passwords, and
    multifactor authentication
  o Do not connect directly to untrusted public networks, such as free
    wireless at coffee shops. Connect to a trusted network or VPN
    whenever possible.
  o Watch for phishing emails, and be wary of phone calls asking you
    for information
  o Keep passwords secure. Do not keep them on post-it notes or
    where others can access them. Never disclose passwords by email
    or phone
  o Keep work and personal accounts separate, and do not reuse
    passwords between work and personal accounts
  o Do not use applications or cloud services that have not been
    explicitly approved. If you have a specific work need (i.e., file
    sharing with clients), contact the [IT Team or Help Desk] for
    guidance
  o Only use a personal device for work if you have been authorized to
    do so. If so, follow all security guidance from the [IT Director or
    your Manager], and be sure to close all work files and applications
    if the device will be used by someone else (i.e., family members).
    Periodically delete work files from the device when no longer
    needed.
  o Immediately report anything suspicious to your [IT Team or Help
    Desk]

2.3 Scheduling

If your remote work hours will vary from your usual office schedule, be sure
to communicate your plan.
• Clearly communicate planned work hours and changes to plans to your
  supervisor and any coworkers who are likely to need to be in contact with
  you
• Work during the agreed-upon work hours
• Notify your supervisor if your plans change due to illness, family needs,
  or any other circumstance that will require you to use time off rather
  than work as planned
• Accurately record work hours versus time off if your plans change
• Request remote work at least 24 hours in advance for planned
  occurrences, and as soon as possible for unplanned situations

2.4 Availability

Take steps to be as available and responsive as you are in the office.


• Be available to your supervisor, coworkers, and clients during your
  planned work hours, by email, phone, text, and chat
• Notify your supervisor by email, chat, or text if you expect to be
  unavailable during the agreed-upon work hours.
• Be proactive and go the extra mile to keep the lines of communication
  open with coworkers

3. Statement of Acceptance

By signing below, I acknowledge all of the following:

1. I acknowledge that I have read and understand all sections of this
   Remote Work Agreement.
2. I understand that violation of this agreement may result in
   disciplinary action, up to and including termination of employment.
3. If I have any questions about these policies and procedures, I will ask
   my immediate supervisor or [ORGANIZATION_NAME]’s [Help Desk or
   Security Officer].

Signature*: ________________________________________

Printed Name: ________________________________________

Date: ________________________________________

* Note that remote work necessitated by a pandemic or facility/natural
disaster may make a physical signature impractical. In such cases, an email
acknowledgement may suffice. If needed, ask your supervisor or manager
how to proceed.
