Summary of remote working considerations

For remote working, consider:

• which devices will be provided by your organisation, the remote worker, or be shared
• what the demand is for portable devices
• if portable devices are included in your asset management lifecycle
• how updates and patches to portable devices will be managed (for example, as part of your Asset Management Lifecycle)
• if your organisation has a fit for purpose mobile device management (MDM) plan or an equivalent set of processes and policies that include use of organisation-owned portable devices and worker-owned personal devices (including BYO-devices)
• how your MDM plan will cover:
  • managing authorised devices centrally, for example managing patching
  • rules and policies to control access, for example limiting access and requiring authentication
  • ensuring devices have the necessary software (to connect remotely and undertake work)
  • which devices can hold or access organisational data
• if your organisation is meeting mandatory Protective Security Requirements (PSR) for devices and remote working security.

Incident readiness and response

Consider:

• how many portable devices your organisation has available
• what the demand for portable devices will be if remote working is required
• what supply chain risks will need to be managed if more equipment is urgently required
• a prioritisation policy or process for access to portable devices if demand exceeds supply
• a process to make timely decisions in situations where there isn’t a policy
• if workers should take devices home to be ready for incidents
• what workers need to know or be reminded of in terms of keeping devices secure and information security
• if your system can remotely update and patch portable devices
• if all portable devices are capable of receiving updates and patches
• any other risks or issues to manage, for example based on your organisation’s insights from COVID-19.

Devices for remote working

For remote working, consider:

• whether all workers have connectivity, data and bandwidth for remote working
• providing technical advice boost connectivity at home
• policies and procedures for workers’ personal expenses for remote working such as internet
• what network capacity your organisation has to support employee requested remote working
• risks and issues for network resilience for:
  • Local area network (LAN)
  • Wide area network (WAN)
• the pros and cons of shifting from VPN to a cloud-based network
• contracting arrangements with providers for elastic capacity to accommodate more users when required
• architectural setting to avoid bottlenecks in the network
• using a TaaS provider (Telecommunications as a service).

Incident readiness and response

Things to consider:

• what network capacity your organisation may require if remote working is required
• your organisation’s network needs in different incident scenarios
• how you will prioritise network connectivity if demand exceeds supply.

Connectivity for remote working

For remote working, consider:

• the case for shifting to as-a-service office productivity platforms
• providing access to a variety of tools for collaboration
• how interoperable or compatible the collaboration tools that are provided are with other teams, organisations or key systems
• if remote workers can access legacy systems in a secure and controlled way
• if legacy systems can be loaded onto portable devices
• the extent to which information and workflows are digitised, including:
  • key corporate tasks
  • your organisation’s delivery functions
• if staff can access, manage and save information in a practical, secure way
• if information management practices and systems are consistently used and the system can be accessed remotely
• there are clear expectations for information management vs document sharing on collaboration platforms
• how well your organisation’s architecture supports remote working
• what new skills and knowledge is needed to support remote working

Incident readiness and response

Consider:

• how to provide technical support remotely
• if technical support is required over extended hours
• if some workers need priority access to technical support
• if there are sufficient licences for as-a-service software
• any corporate functions, or legislated or incident response functions that cannot be provided remotely or that is impacted by any of the following:
  • access to office productivity systems that are not cloud-based
  • access to legacy systems needed by remote workers
  • workflows, information and data that is not digitised

Access to tools, systems and information for remote working

Security considerations for remote working are not listed in detail.

Find more guidance or checklists in ‘More resources’ or in our security guidance:

Security for remote working

For remote working, consider:

• the mandatory Protective Security Requirements, and any actions that are required to support security for remote working
• cyber security and remote working
• completing risk assessments for every cloud-service
• physical and information security
• device security
• whether the resourcing for risk and incident management is fit-for-purpose
• consulting workers to ensure that security measures that are put in place are practical and workable
• informing workers on what they must and must not do to support cyber and information security
• keeping logs and actively monitor systems and environments
• what the most critical things to monitor are and whether configured alerts can help with monitoring
• including information on the effectiveness of risk controls and mitigations when reporting on security resilience
• reviewing risks periodically.

Incident readiness and response

Consider:

• creating or updating an incident management and response plan
• managing security incidents remotely
• reminding workers, especially those unfamiliar with remote work, about device, information and cybersecurity.

Follow current advice to inform your risk and issues assessment, and mitigating actions:

• National Cyber Security Centre (NCSC)
• Protective Security Requirements (PSR)
• CERT NZ

Manage Cabinet material securely:

• Secure handling of Cabinet material — Department of the Prime Minister and Cabinet

Use the checklist from the Resource Centre to manage the risks of workers accessing and using information offsite:

• Checklist for mobile and remote working — PSR