Control 6.7: Remote Working


Summary

Security measures should be implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organization's premises. This ensures that the security posture remains consistent regardless of the physical location of the worker.


Applicability

In-Scope: Mandatory for organizations with remote or hybrid work models. It is critical for managing the risks associated with public networks, home offices, and the physical security of assets outside the corporate perimeter.

Out-of-Scope: The control can be excluded only if 100% of work is performed strictly on-premises with no remote access permitted, which is rare for modern digital enterprises.


Implementation Guidance

Microsoft 365 / Entra ID

  • Zero Trust Access: Enforce Entra ID Conditional Access policies that require Multi-Factor Authentication (MFA) and compliant device status for all remote connections.

  • Secure Connectivity: Utilize Microsoft Tunnel or VPN integrations to ensure that traffic to on-premises resources or sensitive cloud apps is encrypted and authenticated.

  • Endpoint Protection: Deploy Microsoft Defender for Endpoint to maintain real-time visibility and threat protection for laptops used on unmanaged home networks.
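
The Zero Trust Access bullet above, as an added example that is not part of this page or of Microsoft's own documentation: a Microsoft Graph PowerShell script that creates a Conditional Access policy requiring both MFA and a compliant device for sign-ins from outside trusted locations. It assumes the Microsoft Graph PowerShell SDK is installed, that the admin can consent to the Policy.ReadWrite.ConditionalAccess scope, and that the break-glass account ID below is replaced with a real one; the policy is created in report-only mode so its impact can be reviewed before enforcement.

```powershell
# Added example: Conditional Access policy that requires BOTH MFA and a
# compliant (Intune-managed) device for every user and every cloud app,
# except when the sign-in comes from a trusted (corporate) named location.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency-access (break-glass) account that
# must never be locked out by this policy. Replace before running.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Remote access requires MFA and compliant device"
    # Report-only first: sign-in logs then show who WOULD have been blocked.
    # Switch to "enabled" only after that impact has been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Cover every client type; legacy clients that cannot satisfy MFA
        # will be denied rather than silently bypassing the policy.
        clientAppTypes = @("all")
        locations    = @{
            # "Remote" = everywhere except named locations marked as trusted
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        # "AND": the sign-in must satisfy every listed control, not just one
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state '$($created.State)'"

# Audit evidence: export the policy as stored in the tenant to a JSON file
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    ConvertTo-Json -Depth 10 |
    Out-File -FilePath ".\ca-remote-work-policy.json"
```

The exported JSON, together with the report-only sign-in log entries, is the kind of artifact an auditor will ask for when checking how remote identities are verified.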


Evidence Checklist

  • Remote Work Policy: A documented policy defining the security requirements for working from home or public locations.

  • Configuration Logs: Reports from Microsoft Intune showing that remote devices meet minimum security baselines (e.g., disk encryption, firewall enabled).

  • Training Records: Evidence that staff have been educated on the risks of remote work, such as shoulder surfing or the use of public Wi-Fi.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you verify the identity of a remote worker before allowing them to access sensitive company resources?

  • What technical measures prevent a remote user from printing or saving sensitive data to an unmanaged personal device?

  • How does the organization respond if a laptop used for remote work is reported lost or stolen?

  • Can you demonstrate how your Conditional Access policies restrict access from high-risk or unauthorized geographic locations?