Question DATA-24
Do you have a documented and currently implemented strategy for securing employee workstations when they work remotely (i.e., not in a trusted computing environment)?
| Weight | 20 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
EDUCAUSE provides no guidance here
Answering "YES"
Provide a detailed summary outlining the security controls implemented to protect the institution's data.
Reason for Question
Telecommuting is the norm in the IT world, and an institution should know that proper safeguards are in place when remote access is allowed. Vendor responses vary greatly, so confirm the context of the response if it is not clear. Many cloud services can only be managed remotely, so there is often a gray area in interpreting this response. In the context of the CIA triad, this question is focused on confidentiality. Printed documents, mobile device use, and remote access are all relevant to this question. A vendor's response to this question will provide insight into their overall business process. Vendor business activity that poses additional security risks should be met with increased concern.
Follow-Up Inquiries
Vague responses to this question should be investigated further. Ask for additional documentation and verify that a procedure (and possibly training) exists to ensure proper handling of customer data.