All eligible executive branch employees engaging in telework must adhere to the Enterprise Security Policies and Standards published by the Executive Office of Technology Services and Security on October 5, 2018.
Of particular note is the “Acceptable Use of Information Technology Policy” and its sections on the handling of confidential information, the secure transfer of information, information protection requirements, and remote access.
Per the Enterprise Security Policies and Standards:
PERSONAL DEVICES: Use of personal devices is currently allowed when accessing email and other web-based applications while working remotely; provided that:
Regularly updated antivirus/anti-malware software is installed and running on all devices.
Provided that all devices are password protected.
ACCESSING SENSITIVE OR CONFIDENTIAL COMMONWEALTH INFORMATION: To access Commonwealth information systems, services, or applications that contain information deemed sensitive or confidential by an agency or secretariat – or information intended for internal agency use only – employees, contractors, and vendors must use a Commonwealth-approved VPN client or Remote Desktop to access their respective systems, services, or applications.
Exception: Due to Microsoft’s recent expiration of support for Windows 7, any end-users utilizing personal/non-state-issued devices to access Commonwealth resources via VPN connections (or other forms of remote access) must upgrade such devices to Windows 10.
Exception: Personal/non-state-issued devices running Windows 7 will no longer be allowed to access Commonwealth resources February 29, 2020
DOWNLOADING/COPYING/PRINTING FILES ON PERSONAL DEVICES: Nothing explicitly prohibits users from downloading/copying files directly to – or printing from – their personal devices; however, employees should follow their agency’s policies with respect to downloading/copying/printing confidential information or any information intended for internal agency use only.
AGENCY RESPONSIBILITY: Agencies are required to ensure that employees who handle confidential or sensitive information or information intended for agency use only are properly trained on the handling of that information.
THUMB DRIVES/EXTERNAL DRIVES: While not encouraged, the use of thumb drives/external drives is not explicitly prohibited.
It is the responsibility of the individual user, as well as their organization, to protect the data from loss, theft, or misuse – and to ensure that all portable devices are (at a minimum) protected by password and encryption controls.