Put a range of physical and information security measures in place to keep your people, information, and assets safe when working away from the office.
Designing and implementing your security measures
When your people are working away from the office, your organisation must:
- ensure your people are appropriately briefed and trained to comply with your security and safety requirements and procedures
- mitigate the risks to your people, information, and assets to an acceptable level before you approve any arrangements for working away from the office
- apply security measures that give assurance in information and asset-sharing arrangements.
Your chief security officer (CSO) and your health and safety officers should work together to develop responses that reduce risks to your people’s safety, and improve security when working away from the office. To help you develop your responses, decide which security measures you will use to reduce the risks you’ve identified.
Meet ICT security requirements before you allow mobile or remote working arrangements to begin. Before arrangements start, your organisation must meet all ICT security requirements specified in the New Zealand Information Security Manual (NZISM) - Working Off-Site.
Consider the following strategies for protecting mobile devices. Mobile devices include portable computers, mobile communication devices, and USBs or other portable storage devices.
You need to protect your important information from being overheard or recorded. You must develop procedures for protecting conversations that involve sensitive or protectively-marked information.
You must protect information when it is being used away from your office or being transported to another location. You must also comply with the handling requirements for protectively-marked information.
Follow this guidance to protect your organisation’s assets when they’re away from the office. Add to your asset management registerInclude assets used by people working away from the office in your asset management register, even when the value of the assets is below the threshold you normally apply to control assets.
Working remotely from home is subject to an agreement between management and the employee. Note that if your people work from locations that haven’t been approved or had a risk assessment, you must treat their arrangements as mobile working.
Related advice on working away from the office, both on this site and externally.