What is NIST 800-46?
Today, many employees choose to telework, also known as telecommuting. Although telework is an important option for employees, it also brings some cybersecurity risks to their organizations.
To help with this, the National Institute of Standards and Technology (NIST) offers a number of NIST special publications, including the NIST Special Publication 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.
This publication provides information on security considerations for remote employees and several types of remote access solutions. It also offers recommendations for securing a variety of telework, remote access, and BYOD technologies and gives advice on creating telework cybersecurity policies.
NIST 800-46 offers information targeted toward the computer security industry. The Special Publication 800 series includes guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.
Created in 1990, the Special Publication 800 series reports on NIST’s Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, along with its collaborative efforts with industry, government, and academia.
Many companies allow their employees to use enterprise telework technologies to perform work from external locations. However, the nature of enterprise telework and of the remote access technologies teleworkers use to connect to their organizations’ networks generally puts them at greater risk of compromise than the technologies used to access those networks from inside the organization.
As such, companies should secure the components of telework and remote access solutions, such as remote access servers, client devices, and internal resources accessed remotely, against potential cybersecurity threats.
Some of the major cybersecurity concerns related to remote access include using unsecured networks, the lack of physical security controls, and using infected devices to connect to internal networks.
There are other cybersecurity concerns for companies that allow client devices outside their control to access their networks. These include devices controlled by contractors, business partners, and vendors, as well as employees’ personally owned mobile devices.
To improve the cybersecurity of telework and remote access technologies, and better mitigate the risks posed by BYOD and technologies controlled by third parties to enterprise networks and systems, organizations should implement these recommendations:
- Assume that external environments contain hostile threats and plan telework-related cybersecurity policies and controls based on that assumption. To mitigate these cybersecurity threats, companies should encrypt all the sensitive data stored on client devices, or, alternatively, not store sensitive data on client devices.
- Develop a telework cybersecurity policy detailing telework, remote access, and BYOD requirements. An organization’s telework security policy should define which forms of remote access it allows, which types of telework devices may use each form of remote access, and the level of access each type of teleworker is granted.
- Secure remote access servers effectively and configure them to enforce telework security policies. The security of remote access servers is especially important because they provide a way for external hosts to access internal resources.
- Secure telework client devices against common threats and maintain their security on an ongoing basis. Telework client devices face many threats, including malware and the loss or theft of the devices themselves.