Emergency Telework Technology Guide for State Government



Last Updated: May 15, 2020

For your convenience, any information added since the last version is highlighted in grey.

Table of Contents

Emergency Telework Technology Guide for State Government
  State Employees Working from Home
    Office Productivity Tools
    Caution on Coronavirus Scams
    Internet Access
    Personal Computer Protection (Using Non-State Issued Equipment)
    Personal Phone Protection
    Physical and Data Protection Best Practices
    Teleconferencing and Digital Engagement Tools
      Overview of Tools
      Teleconferencing Security Tips
  Guide for State IT Organizations
    Hardening End-User Devices
    Artificial Intelligence Tools
    Professional and Advisory Services
    Remote Access Suggestions for Critical Business Services
  Return to Work Information Security Direction
    Rogue Unmanaged Devices
    Home Laptops
    USBs and NAS
    Inventory
    Updated Operating Systems and Software
    Updated and Active Anti-Malware (aka Endpoint Protection Platforms, EPP)
    Unregistered Software
    Software License Inventory
    Passwords
    New Employees
    Maintain Readiness for Future Work From Home

Any reference to a specific product, process or service or to the use of any vendor is for the information and convenience of the state government community and does not constitute or imply an endorsement by CDT or the State of California.

State Employees Working from Home

Office Productivity Tools

To access Microsoft Office O365 applications, use this link:

Office 365 is a subscription service that allows users to install applications on five different work or personal computers (Windows/Mac), five phones, and five tablets.

Microsoft free training resources can be found at:

Teams training from CoreView (6 months):

Caution on Coronavirus Scams

Scammers are targeting consumers with phony websites and telephone-based scams. Be cautious and always validate the credibility of any phone call, website, and email to make sure it is legitimate. Report any suspicious activity to your Information Security Office.

For more information see:

Internet Access

AT&T, CenturyLink, Charter, Comcast, Cox, Frontier, Sprint, T-Mobile, US Cellular, Verizon and many other companies are providing the following services for 60 days:
- Will not terminate service to any residential or small business customer
- Waive any late fees for residential or small business customers
- Open their Wi-Fi hotspots to any American who needs them (for hotspot locations, contact your local service provider)

When accessing public Wi-Fi, see the Physical and Data Protection Best Practices section for security safeguards.

In addition to the services provided above, some internet service providers have special offers for first responders, military families, students, and low income households. See the links below for information on some of the available offers:
- CPUC Affordable Offerings Searchable Website
- California Emerging Technology Fund (CETF) Affordable Internet and Device Offers

Personal Computer Protection (Using Non-State Issued Equipment)

System and Software Updates
- Ensure the automatic system update feature for your specific operating system is turned on. For Windows 10 users, go to the Start button, then Settings -> Update & Security -> Windows Update, and confirm that updates are not paused and that no downloaded update is waiting for a restart.
- For Windows users, only use Windows 10 or another supported operating system (Windows 7 is end-of-life and no longer receives security updates).

Local Computer Passwords
- Use complex passwords and PINs: at least 10 characters with upper and lower case letters, numbers, and special characters
- Avoid common dictionary words
- Change passwords periodically
- Don't use the same password for all of your accounts
- A password manager helps store and manage multiple accounts securely, for example:

Anti-Malware
- Validate that you are running anti-malware/anti-virus software. Microsoft Defender anti-malware is available on Windows 10 computers and tablets.
- Mac/OS X: useful tips to validate that anti-malware (XProtect) protection and other built-in security features are turned on:
- Free options for anti-malware, anti-phishing and network security solutions (for 6 months):
  - Trend Micro Maximum Security: Sign up using your State email account and optionally install it on your personal computer, smartphone, or tablet.
  - McAfee LiveSafe: To sign up, use company code STA3303B35 and a State email account to install on your personal computer, smartphone, or tablet.
- Most Internet Service Providers (ISPs) provide free anti-malware/anti-virus products. Contact your ISP to check for availability.
- Optionally, for increased privacy of personal, sensitive information, use full-disk encryption:
  - To turn on BitLocker on Windows 10:
  - To enable FileVault encryption on a Mac:
  - To enable encryption on an Android device:

Personal Phone Protection

Mobile Security
- McAfee LiveSafe: To sign up, use company code STA3303B35 and a State email account.
- Other tools - free tools to protect your iOS and mobile devices:

Regularly clean up privacy settings on mobile devices
- For iOS:
- For Android:

Physical and Data Protection Best Practices
- Never work at public places such as a coffee shop, etc.
- It is highly recommended not to connect to public or untrusted/insecure Wi-Fi connections. However, if you need to use public Wi-Fi, use extreme caution because of malicious and spoofed Wi-Fi hotspots. Here are a few tips:
  - Only visit encrypted websites for business and sensitive personal use. You can identify these by looking at the browser address bar to see that the website address starts with https:// (this shows the connection is encrypted; it does not by itself prove the site is the one you intended to visit, so also check the domain name).
  - Never ignore a browser SSL/TLS certificate warning when you access a website.
- Never disclose confidential or sensitive data to any unauthorized personnel, including friends and family.
- Always lock your computer when leaving it unattended.
- Do not store State-sensitive or confidential information on your personal computer.
- Store any sensitive or confidential information on encrypted media provided by your department.
- Ensure confidential paper documents are properly disposed of, i.e. shredded.
- Refrain from using personal email for business use.
- Always comply with your organization's policies and procedures to protect specific high-risk data elements regulated by HIPAA, IRS, PCI, etc.

Teleconferencing and Digital Engagement Tools

Overview of Tools

The list below represents a sample of what is available across the state, and includes options to access meetings online and by phone.

WebEx
Where to Access: CALNET (for more information, visit:)
For hosts: Four plans are available, including a free version, which is not recommended for public meetings due to the limits on participation and meeting length. Priced plans offer larger participation limits and longer meeting durations. More information can be found here. Interested in utilizing a 90-day free trial version for your non-public meeting needs? Use the following links to acquire the software:
- For IT teams:
- For end users:
For participants: Participants can join in a variety of ways, through an email invite or by clicking on a meeting link through their desktop or mobile application. Participants do not need an account to access a meeting.
Accessibility: WebEx offers keyboard navigation, low-vision support, and screen reader support. WebEx also offers the ability to create automatic transcripts.
Capturing Comments & Questions: Meetings set through WebEx come with an automatic chat function (though hosts will need to set user privileges) to enable comments and questions.
Also available through CALNET as an option: AT&T Conferencing and NWN.

Zoom
Where to Access: CALNET or DGS California Multiple Award Schedules (CMAS)
For hosts: There are four plans available, including a free version, which is not recommended for public meetings due to the limits on participation and meeting length. Priced plans offer larger participation limits and longer meeting durations. More information can be found linked here. Interested in utilizing a 60-day free trial version for your non-public meeting needs? Contact john.mensik@zoom.us or katie.williamson@zoom.us.
For participants: Participants do not need to have a Zoom account to attend a Zoom meeting. First-time users will be prompted to download the software, and can do so by clicking on a meeting link or by going to the Download Center.
Accessibility: Zoom has four key accessibility features: closed captioning, keyboard accessibility, automatic transcripts, and screen reader support. More information can be found linked here. Each meeting room also comes with a dial-in number, which can be provided to those without reliable internet access.
Capturing Comments & Questions: A chat function at the bottom of the screen allows any participant to comment or ask questions. You can save in-meeting chat content by following these instructions.
Microsoft Teams live event
Where to Access: Find Teams live event through the Microsoft Office 365 bundle. Contact your IT support staff for assistance.
For hosts: You can schedule, produce and broadcast meetings or events to online audiences of up to 100,000 attendees. Getting started instruction links can be found here.
For participants: Public participants do not need an account or software to attend. Private participants will attend using the Teams application (desktop, web or mobile).
Accessibility: Teams live event offers screen reader support, and is compatible with assistive technologies like dictation software and eye control. For those with less reliable internet access, follow the instructions on how to add a dial-in number linked here.
Capturing Comments & Questions: To enable questions and comments, add a Q&A section that will display during the meeting.
Microsoft is transitioning former Skype users to Microsoft Teams, which is part of the Office 365 bundle. Departments are currently learning about Teams' webcasting functionality.
For a limited time and in limited quantity, Microsoft is providing a 90-day free trial of Teams Audio Conferencing to state departments. To request licenses, contact your Microsoft representative as soon as possible. Set-up assistance can be found linked here.

Teleconferencing
Teleconferencing can be an important supplement to web conferencing. To add teleconferencing services, call the provider your organization has chosen from the CALNET options and purchase additional services using Form 20. One service that offers a broad range of features is AT&T Teleconferencing, which can be offered as audio through web browsers, and features scheduling, comment queueing, and moderated question and answer sessions. It also allows voting and polling. Different service levels include translation, question queueing and transcripts.

Other Video Tools Available through CALNET
The following services also are available through CALNET. These services typically are used for point-to-point virtual conferencing and may not provide all of the features necessary for conducting a public meeting.
- Jive Multipoint Video Conferencing Bridge Service allows 6-80 participants to join and communicate via both video and audio on the same conference call.
- Verizon Managed Video Conferencing Service provides video conference session support with the assistance of a live conferencing attendant.
- Verizon Open Video Communication Service (OVC) is multi-party video conferencing with a variety of usage levels suitable for individual devices to multi-screen telepresence rooms with document sharing.

Teleconferencing Security Tips

The Federal Bureau of Investigation (FBI) released an article warning users of teleconferencing sessions being hijacked across the nation. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. Following reports of this activity to the FBI's Internet Crime Complaint Center (IC3), the FBI has published the following recommendations:
- Do not make meetings or classrooms public.
- Do not share a link to a teleconference or classroom in an unrestricted, publicly available social media post. Provide the link directly to specific people.
- Manage screen-sharing options (for example, restrict screen sharing to the host).
- Ensure users are using the updated version of remote access/meeting applications. (This is especially critical if using Zoom, since they are releasing software upgrades to address their security gaps.)

The Office of Information Security (OIS) recommends exercising diligence and caution in the use of teleconferencing tools. If you host meetings, the following best practices can be taken to mitigate teleconference hijacking threats:
- Consider turning on the "waiting room" for your meeting so that you can screen who wants to join and then admit only appropriate people into the meeting.
- Schedule a meeting instead of using your Personal Room. Scheduling a meeting creates a one-time web link, whereas a Personal Room web link does not change.
- Consider enabling meeting passwords, and use a strong password. Passwords protect against unauthorized attendance, since only users with the password will be able to join the meeting.
- Use the Entry or Exit Tone or Announce Name feature to prevent someone from joining the audio portion of your meeting without your knowledge.
- Do not allow attendees or panelists to join before the host. This setting is typically set by default by the site administrator for meetings.
- Lock the meeting once all attendees have joined. This will prevent additional attendees from joining. Hosts can lock/unlock the meeting at any time while the session is in progress.
- Expel attendees from a meeting as needed.
- If recording a teleconference session, set a password for your recordings before sharing them to keep the recording secure. Password-protected recordings require recipients to have the password in order to view them.
- Create a Host Audio PIN. Your PIN is the last level of protection against unauthorized access to your personal conferencing account. Should a person gain unauthorized access to the host access code for a Personal Conference Meeting (PCN Meeting), the conference cannot be started without the Audio PIN. Protect your Audio PIN and do not share it.

Guide for State IT Organizations

Hardening End-User Devices

Anti-Malware Resources (at no cost for 6 months):
- CrowdStrike:
- Trend Micro Maximum Security:
- McAfee LiveSafe: To sign up, use company code STA3303B35
- Microsoft Defender anti-malware is available as part of Windows 10 computers and tablets.

Other Security Protection
- Manage BitLocker encryption on all computers, tablets, and laptops within your enterprise:
  Note: All devices outside of a state building must be encrypted.

Microsoft Office 365 Resources
Office 365 is a subscription service that allows users to install on five different work or personal computers (Windows/Mac), five phones and five tablets. For additional information on the following products and more, contact your Microsoft representative:
- Enterprise Mobility & Security
- Azure Active Directory Premium - identity management
- Intune - device management
- Azure Information Protection - data protection

Patching and Asset Inventory
Tanium as a Service: Tanium provides no-cost endpoint management services for up to 90 days. This includes patching, software asset inventory, threat hunting, and compliance validation. Contact (916) 765-8042 / brian.boyan@ to get started.

Enhancing Access & Authentication for Critical Applications through One Click Authentication
Okta Identity as a Service - free solution for 6 months - includes single sign-on for up to 5 apps, multi-factor authentication, and multi-factor for VPN:

Artificial Intelligence Tools
- IBM Watson Citizen Assistant for COVID Response (via voice and text): SaaS subscription free for 90 days. If interested, contact Kim Hewitt at (916) 425-6287 or Todd Bacon at (410) 693-1309.
- Microsoft Azure COVID-19 Chatbot available for free:

Professional and Advisory Services
The following vendors are offering emergency assistance (e.g., assessment, planning, strategy, guidance, etc.) on a pro-bono or reduced-fee basis, depending on the exact needs of the State:
- Accenture - contact is Teri Bennett at (916) 202-6608 or teri.bennett@
- KPMG - contact is Todd Jerue at (916) 955-2204 or tjerue@
- Microsoft Teams Consulting - Kiefer Consulting

Resource Centers from Research Groups (no membership required to access)
- Gartner Research and Advisory Services - COVID-19 Resource Center
- Info-Tech Research Group - COVID-19 Resource Center

Managing Remote Teams training - free
- Pluralsight - Managing Remote Teams and Making Work From Home Work for You

Online learning
- O'Reilly (free access through July 6, 2020)

Remote Access Suggestions for Critical Business Services

Inventory all critical IT services that need to be accessed remotely. Consider the classification and sensitivity of the data and ensure appropriate safeguards are implemented.

Identify the best way to access each of the critical services:
- Ensure multi-factor authentication is used for remotely accessing resources
- Intranet web applications: securely expose intranet web applications externally, or provide Virtual Desktop Infrastructure (VDI) or Virtual Private Network (VPN) access
- Fat client applications: VDI or VPN access
- Business applications
- Business services requiring public interaction
- Call centers
- Field offices (e.g., DMV services)

Look at re-platforming or relocating critical services to the cloud if the current environment is too limited. For example, many departments have productivity files and home directories on premises. If access to file shares is a need for telework, consider use of Microsoft's OneDrive, SharePoint, or Teams for departments using Office 365.
Network considerations
- Calculate Wide Area Network (WAN) bandwidth requirements
- Intrusion Prevention System (IPS) capacities
- Firewall rules

VDI/DaaS Solutions (available on the State's FedRAMP Cloud Contracts):
- Amazon WorkSpaces: Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. Learn more at:
- Microsoft Windows Virtual Desktop: Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. Learn more at:

Return to Work Information Security Direction

As the phased approach to modifying the stay-at-home order progresses, departmental IT teams must implement the following directions to allow the workforce to return to the office safely and securely. Equipment that employees have used at home and now transport back may introduce new vulnerabilities. Some of the returning equipment is common office equipment (monitors, docking stations, cables), but other computing devices and multi-function peripheral equipment will require extra precaution.

Rogue Unmanaged Devices

Unknown connected devices pose a security risk at all times, as they are not likely to be managed per department security standards. Employees returning to work with devices not managed by your department introduce significant risk. Employees could have used all sorts of devices during their time at home, for leisure, convenience, and even distance learning for family members, which may have introduced vulnerable software. When hardware or software that is not department-managed gets introduced into State networks, it increases our overall risk posture.
- Do run a full vulnerability scan of your network to identify new and unknown hardware assets (e.g., peripherals, network printers, smart devices, etc.) and ensure they are approved, managed, and authorized by your IT teams.

Home Laptops

Some employees working from home may have had to use their own laptops. In such circumstances, they are likely to bring these laptops with them when they return to the office, plug them into the department network and continue to work as they had been doing at home. These devices could potentially be infected with malware or otherwise compromised.
- Do forbid work on personal laptops/computers in the State environment whenever possible.
- Do always use department-approved storage media to transfer any data from personal computers to work computers.
- Do ensure any data that is transferred from non-departmental computers is scanned using an approved enterprise anti-malware solution.
- Do plan to install Network Access Control (NAC) for physical and wireless network connectivity to segment access from sensitive applications/data where employees may attempt to utilize their own device.
- Ensure all computers use a department-issued anti-malware solution.

USBs and NAS

Employees may have adopted the practice of using personal USB thumb drives and network storage devices. Personal storage devices should be prohibited in department networks and not allowed to connect to any State-issued computers and networks.
- Do enforce device control to block unauthorized USB and other peripheral devices.

Inventory

As many employees took equipment home, it is necessary to register and keep an up-to-date hardware/software asset inventory of this equipment and its locations. This also mitigates budgetary issues by avoiding wasted resources, for example by ensuring employees return cables and screens that they have borrowed from the workplace. It is possible that some staff took an extra laptop/computer home and that the device is now in an unknown/unsecured location, perhaps even connected to an exposed network.
- Do keep an up-to-date hardware/software asset inventory. It will also help in the event employees have to move back to working from home in the future.

Updated Operating Systems and Software

Unpatched and outdated operating systems are a frequent root cause of major data breaches. Some employees may have ignored the update prompts or rescheduled them indefinitely. In addition, some computers and servers left on premises may have been shut down throughout this period. After restarting these, it is important to install and validate all available software patches and updates.
- Do make sure that all software is patched on all devices returning to the office as soon as practically possible.
- Do validate that computers being brought into the office are patched and up to date before they rejoin the network.
- If uncertain about the integrity of a computer's patches, anti-malware, or unauthorized software, do consider reimaging and starting from a clean state.

Updated and Active Anti-Malware (aka Endpoint Protection Platforms, EPP)

An updated anti-malware solution is vital to securing the laptop at home, and it is a mandated requirement for securing all devices in the work environment. It is not uncommon for some employees to disable security software in order to perform certain actions on their devices.
- Do ensure that all your endpoints have an active and up-to-date anti-malware solution.

Unregistered Software

It is possible that some employees have installed software for their own use, perhaps because they were unable to use department resources or simply because it was more convenient than asking for the approval of the IT department.
- Do make sure your endpoint management solution can obtain an inventory of software and can report on application risk levels.
- Ensure needed software is patched and managed.

Software License Inventory

Working from home may have required certain software licenses that are no longer needed when working at the office, for example temporary trial licenses obtained for all employees as part of the transition to remote work. For any software that employees no longer need access to, it is important to cancel these licenses to be in compliance and/or reduce costs. This applies to subscriptions such as cloud resource usage (e.g., AWS, Azure, etc.), which may have increased while people were working from home but which now may no longer be necessary.
- Do revoke unnecessary software licenses and transition staff back to using resources provided on-site.

Passwords

It is possible that employees have shared their laptops and credentials with their family or friends. They may have re-used passwords on new services or devices at home, or resorted to other insecure practices. It is advisable to reset credentials and ensure 2FA/MFA for all devices and software.
- Do ensure that all your employees are aware of the department password policy and enforce compliance.

New Employees

Some departments have hired new employees during the COVID-19 outbreak and have onboarded them remotely. Moving into the office will be a new experience for these new hires, and they may need an early refresher on security awareness and other training that was not applicable while they were working from home.
- Do ensure new hires are up to speed on additional department security policies that are pertinent to working in the office.

Maintain Readiness for Future Work From Home

It could be necessary to transition to work from home again in the future, and there is always the real possibility in the near-to-mid-term future that individual employees could contract the virus and need to self-isolate again. It is important to use the lessons learned from the mass transition to work from home in early 2020 and be better prepared to do it again, whether on a small scale or throughout the State. This includes having an up-to-date inventory of all IT equipment, having all department-issued laptops/computers installed with a modern anti-malware solution, and ensuring that employees have access to department applications via VPN protected by Multi-Factor Authentication (MFA/2FA).
- Do apply the lessons learned from this crisis in order to operationalize similar tactics in the future.
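The return-to-work "Do" items above (supported and patched operating system, active anti-malware, BitLocker on every device that left the building, device control for removable storage, and an inventory of software nobody approved) can be checked on a Windows 10 endpoint before it is allowed back on the department network. The script below is an added example, not part of the CDT guide and not a CDT tool; it is read-only and reports findings without changing anything. It assumes Windows 10 with the built-in Defender and BitLocker PowerShell modules, an elevated session, and it uses placeholder values for the approved-publisher list and the patch-age and signature-age thresholds that a department would replace with its own policy.

```powershell
# Added example (not from the CDT guide): read-only return-to-office readiness
# check for a Windows 10 endpoint. Reports findings; changes nothing.
#Requires -RunAsAdministrator

# Placeholder policy values (assumptions, replace with department standards).
$MaxPatchAgeDays    = 30
$MaxSignatureAgeDays = 3
$ApprovedPublishers = @(
    'Microsoft Corporation',
    'Cisco Systems, Inc.',
    'Zoom Video Communications, Inc.'
)

function Test-ReturnToOfficeReadiness {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Operating system: Windows 7 is end-of-life; require Windows 10 or newer.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'10.0') {
        $findings.Add("Unsupported OS: $($os.Caption) $($os.Version)")
    }

    # 2. Patch currency: most recently installed update must be within the window.
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add("No update installed in the last $MaxPatchAgeDays days (last: $($lastPatch.InstalledOn))")
    }

    # 3. Anti-malware: Defender enabled, real-time protection on, signatures current.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender antivirus or real-time protection is disabled')
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
    }

    # 4. Full-disk encryption: the OS volume must have BitLocker protection on.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)")
        }
    }

    # 5. Device control: removable storage blocked either by disabling the USB
    #    mass-storage driver (USBSTOR Start = 4) or by the "Deny all access"
    #    removable-storage policy (Deny_All = 1, normally set through GPO).
    $usbStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue).Start
    $denyAll  = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue).Deny_All
    if ($usbStart -ne 4 -and $denyAll -ne 1) {
        $findings.Add('Removable storage is not blocked (USBSTOR enabled and no Deny_All policy)')
    }

    # 6. Unregistered software: installed products whose publisher is not approved.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.Publisher -notin $ApprovedPublishers) } |
        ForEach-Object {
            $findings.Add("Unapproved software: $($_.DisplayName) $($_.DisplayVersion) ($($_.Publisher))")
        }

    return $findings
}

# Report: a device with no findings is ready to rejoin the network.
$result = Test-ReturnToOfficeReadiness
if ($result.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
} else {
    $result | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
}
```

Run it from an elevated PowerShell prompt on each returning device (or push it through the endpoint management tool) and treat any finding as a reason to keep the device off the production network until it is patched, encrypted, or reimaged. The check deliberately only reads state; enforcing the USB block or enabling BitLocker belongs in group policy or the management console, not in an ad hoc script.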