Working away from the office

Adopt a consistent and structured approach to protecting your people, information, and assets when people are working away from the office

GOV040


More organisations are adopting flexible working arrangements for their people (staff and contractors) and equipping their people to work anywhere, at any time. As a result, working outside of traditional offices is becoming commonplace. Your people may use mobile devices such as laptops, notebook computers, tablets, and smartphones to do their work. They may also carry hard copy documents, though this is becoming rare.

Your people may work from home, hotels, or conference venues. They may work while visiting client offices, on public transport, or during fieldwork. These ways of working all carry risks. Use the guidance in this section to help you identify and reduce risks to your people, information, and assets. Remember that legislative requirements may take precedence over this guidance.

Planning for people to work overseas? Check the following sources for guidance:


Before working away from the office

GOV041

Understand the different ways of working away from the office, the risks your organisation could be exposed to, and how to approach planning to reduce those risks.

 

Ways of working away from the office

The two main ways that people work away from the office are through mobile or remote working.

  • Mobile working is mainly adopted by people who travel a lot and typically work in a public setting with limited security controls in place. For example, when visiting customers or clients, doing field work, commuting, or working in a cafe or airport lounge.
  • Remote working is when people work from controlled, fixed environments where the security risks have been assessed and security measures are in place. For example, people who regularly work from home, or work from an alternative location to their organisation’s office.

These flexible arrangements might be temporary or permanent, and they usually rely on technology to enable people to do their jobs effectively.

 

Working away from the office involves risks

Your people can face a variety of risks when they work away from the office. And these risks can sometimes extend to family, friends, and associates.

Working away from the office also increases risks to your organisation’s information and assets — they can be lost, misused, stolen, damaged, or destroyed.

The risks vary greatly depending on the amount of control that your organisation has on the environment where your people work.

 

Plan ahead to reduce your risks

Your organisation may find it hard to implement some elements of protective security in mobile and remote working scenarios. However, you must take all reasonably practicable steps to ensure the safety of your people, information, and assets.

To help you do that, consider the Information Security Lifecycle and Physical Security Lifecycle. In summary, you need to implement these five stages.

  • Understand the risks to your people, information, and assets (your vulnerabilities).
  • Assess the risks of threats happening and their likely impacts on your people and organisation.
  • Design and implement the security measures you need to protect your people, information, and assets.
  • Maintain secure operations and deliver needed support to your people.
  • Review and learn from security incidents. Improve your security measures, so they remain fit for purpose.

Understanding and assessing the risks

GOV042

Before you can protect your people, information, and assets in working away from the office scenarios, you need to understand the likely risks and their impacts.

Your organisation has a responsibility under the Health and Safety at Work Act 2015 (and any associated regulations and codes of practice that apply) to take all reasonably practicable steps to:

  • address any risks to your people
  • prevent injury to people in and near your facilities (including the public).

The safety and security of your people should take precedence over the security of your information and assets. Your people should not unreasonably put themselves at risk of injury or harm to protect information or assets.

You need to:

  • identify potential hazards, threats, and risks (including personal risks when carrying or protecting valuable information and assets)
  • assess the likelihood of hazards or risks occurring.

 

Assessing the risks of mobile working

GOV043

Consider the risks to your people, information, and assets from mobile working.

Your people might carry out mobile working using portable devices such as laptops, notebook computers, tablets, and smartphones. They may use hard copy documents, though this is becoming rare.

Some example scenarios for mobile working are:

  • fieldwork
  • occasional work from home without a remote-work agreement
  • temporary work from a client's facilities
  • ongoing work from a client's premises where your organisation can’t assure security arrangements
  • work done while in transit.

Pay close attention to the environment in which your people are expected to operate, as it may have a significant impact on security requirements.

Mobile working environments can range from airport lounges, to another organisation's office, to a remote location.

Work out if security zone requirements apply

Security zone requirements might apply to some locations. These requirements help to protect official or valuable information and resources. Most mobile working locations are ‘Zone 1: Public Access Areas’ with limited security in place.

If you are working in a secured office space it is most likely to be considered a ‘Zone 2: Work area’.

However, if you require ‘Zone 3: Restricted Work Area’, ‘Zone 4: Security Area’ or ‘Zone 5: High Security Area’ levels of protection, it might be hard to ensure the physical security measures meet your security requirements. Instead, rely on administrative and ICT security controls to protect your information and assets.

Consider the specific risks with mobile working

Consider the following risks and impacts for mobile working, and use the Checklist for mobile and remote working [DOCX, 18 KB] to help you assess the risks.

Intimidating or violent behaviour from customers or strangers

When working away from the office, particularly when alone, your people are at increased risk from the people they interact with. For example, your people could be the target of verbal abuse or physical attacks from customers or strangers.

Tracking through GPS or device transmitters

Built-in GPS receivers and transmitters in devices may allow your people’s precise locations to be tracked, putting them and your information at risk.

Loss or theft of sensitive information

Hard copies of papers and portable devices are easy to lose or steal. In either case, your organisation’s sensitive information would be exposed. Your reputation or operations could be badly affected, or personal privacy could be breached.

Security or privacy breaches that compromise confidentiality

If your people read papers and use devices in public spaces, sensitive information could be overheard or overseen, resulting in compromised confidentiality, loss of intellectual property, or a breach of personal privacy.

Electronic interception resulting in malicious or covert acts

Devices used over wireless and public networks are vulnerable to electronic interception. Malicious software can disable security features and activate inbuilt microphones and cameras to record sights and sounds, enabling attackers to access private or privileged content and conversations.

USB devices, portable storage devices, CDs, and DVDs are easy targets for malicious activity, such as distributing malware and carrying out data exfiltration (data theft).

Malicious software corrupts networks or equipment

Just like any home or office computer, portable devices are susceptible to malware, which can be passed on to connected networks and other computing equipment. Your services and operations would be significantly disrupted.

Jurisdictional risks

If you are working outside New Zealand, some jurisdictions have legislation that may allow local authorities to access your information and systems. You need to consider whether that is an acceptable risk given the nature of the information you are storing or transmitting.

 

Assessing the risks of remote working

GOV044

Consider the risks to your people, information, and assets from remote working.

When people work remotely, they might use hard copies of information or technology, such as mobile devices, personal computing devices, and wireless networks.

Arrangements for working from home regularly might be:

  • part of a normal work arrangement, either full-time or part-time
  • for hours outside of normal work hours (known as ‘day extenders’)
  • part of a regular casual remote-working arrangement (for example, for a primary caregiver).

Ongoing arrangements for people to work from an alternative location might be at:

  • a client premises, where your organisation has some ability to provide protective security
  • another location (for example, business continuity sites or regional sites)
  • another organisation's facilities.

Consider supplying day extenders and part-time remote workers with dedicated portable devices to avoid synchronisation problems and to reduce costs.

Day extenders may expect ICT support at any time, day or night.

Work from an alternative office space could be in a business continuity site or regional site, in another organisation's facilities, or at a client's workplace where your organisation has some ability to provide protective security.

Specific risks to consider

Additional security risks may be associated with remote working. Remote work locations are often fixed, and their whereabouts are known to many people, including:

  • people working remotely and their associates
  • other members of your organisation and their associates.

Your organisation must assess the security requirements of all potential locations for remote work, including:

  • security clearance management
  • personal security and safety
  • information and ICT security
  • physical security.

Use the Checklist for mobile and remote working [DOCX, 18 KB] to help you assess the risks.

Remember that people working away from your office without ICT support may still have access to hard copies, information in electronic formats, and equipment that must be protected.

Assessing physical security for remote work locations

The right level of physical security for a remote work location depends on the Business Impact Level (BIL) of the potential harm to your people, information, and assets.

Applying the BIL helps you to get the level of security right.

When the BIL is assessed as high or above, you must ensure the security measures for any proposed locations are suitable before you implement any arrangements for remote work.

For lower BILs, you should assess the suitability of security measures in potential locations and improve them when necessary.

Security zone requirements might apply to some locations. Security zones help to protect official or valuable information and resources. Most locations will meet zone 2 requirements without needing significant modifications to the site.

Security alarm system options for remote working

Consider the need for security alarm systems in remote-working arrangements during your risk assessment.

If a security alarm system is required, use a system that meets AS/NZ 2201.1:2007 (external link) Class 2 or above.

 

Assessing physical security for official information and assets

GOV045

Before your people use any workspace outside the traditional office, work out how you will protect official information and assets that might be stored or used there.

Official information

For official information, answer these questions to help you.

  • Can you provide the right level of security for any protectively-marked information you plan to store at the workspace?
  • Can you secure the workspace independently?
  • How will you protect official information from being seen or heard by unauthorised people, including family and children?
  • Can ICT equipment used in the workspace be secured or segregated from your organisation's ICT system?

Ensure any proposed sites have the appropriate accreditation. This usually involves carrying out site security inspections. For more information, go to: Validate your physical security measures.

Assets

Most assets used outside the office are portable, and they’re at greater risk once they’re removed from your premises. Some examples of portable assets are:

  • vehicles
  • mobile working and communication devices
  • security containers and other furniture
  • weapons
  • animals
  • samples, such as biological or chemical samples
  • specialist, scientific, or research equipment
  • cultural or collection material.

Consider how you will protect your organisation’s assets in mobile and remote working scenarios.


Designing and implementing your security measures

GOV046

Put a range of physical and information security measures in place to keep your people, information, and assets safe when working away from the office.

When your people are working away from the office, your organisation must:

  • ensure your people are appropriately briefed and trained to comply with your security and safety requirements and procedures
  • mitigate the risks to your people, information, and assets to an acceptable level before you approve any arrangements for working away from the office
  • apply security measures that give assurance in information and asset-sharing arrangements.

 

Reducing risks to your people

GOV047

Your chief security officer (CSO) and your health and safety officers should work together to develop responses that reduce risks to your people’s safety, and improve security when working away from the office.

To help you develop your responses, decide which security measures you will use to reduce the risks you’ve identified. You should also:

  • identify preventive measures that apply before people leave the office
  • detail actions to take in an emergency
  • work out how your people should deal with clients and the public (if relevant)
  • include vehicle safety and security if your people will be transporting protectively-marked information and equipment
  • create procedures for reporting security incidents.

Developing incident reporting procedures

Advise your people to contact local police for assistance if they feel their safety is at risk. Once they’re safe, they should report the incident to your organisation.

You must have procedures in place for mobile or remote workers to report security incidents. These procedures should include reporting:

  • any security incident involving your organisation’s information and assets
  • other incidents at their work location.

When you’re developing your procedures, consider your ability to respond to, and investigate, incidents that occur outside your premises.

Reporting incidents and conducting security investigations has more information and advice.

Security alarm system options for mobile working

Consider the use of a security alarm system. Your organisation may use portable alarm systems to protect assets in other mobile work scenarios. For example, vehicles may be fitted with alarms and engine immobilisers.

 

Managing ICT security

GOV048

Meet ICT security requirements before you allow mobile or remote working arrangements to begin.

Before arrangements start, your organisation must meet all ICT security requirements specified in the New Zealand Information Security Manual (NZISM): Working Off-Site (external link).

Be mindful that ICT security for equipment can be difficult to enforce in working away from the office scenarios. However, when your people are using equipment your organisation has provided, it’s reasonable to expect them to use it in much the same way as they would in the office.

Include boundaries for use of ICT equipment in your policies

In your policies for mobile and remote working, you should clearly define boundaries for the use of equipment your organisation provides.

You should cover:

  • what reasonable personal use means
  • whether equipment can be used by family members or not
  • any restrictions or rules you need your people to comply with.

Manage protectively-marked information

You must not allow your people to access protectively-marked information on public computers or other public ICT communication devices, such as internet cafes, hotel business centres, or airport lounges.

All information accessed on public ICT equipment is at risk. Your organisation has no control over who can access the equipment or the security features or applications that are enabled on the equipment by its owner or manager.

Consider the use of personal ICT equipment for work carefully

Today, more people are using their personal devices for corporate purposes, or their corporate devices for personal purposes. Both usage scenarios increase the risks to your organisation’s information. User education is crucial to managing the risks.

Before you approve the use of personal devices, refer to the following guidance on BYOD security controls you should have in place.

NZISM: 21.4. Non-Agency Owned Devices and Bring Your Own Device (BYOD) (external link)

Do not allow your people to use personal ICT equipment for processing information with a Business Impact Level (BIL) of high or above, or protectively marked RESTRICTED or above.

Be mindful that even when devices are turned off, information is still stored in memory and is therefore vulnerable.

Make sure your people understand the risk of information being lost when they’re working from a USB stick or similar storage device.

 

Protecting mobile devices

GOV049

Consider the following strategies for protecting mobile devices.

Mobile devices include portable computers, mobile communication devices, and USBs or other portable storage devices.

Prepare devices for use

  • Ensure security and application updates are installed on each device, and that your people understand how to carry out further updates on their devices.
  • Enable device security features and ensure that PINs and passwords are changed. Always use complex passwords containing upper and lower-case letters, numbers, and symbols.
  • Remove any information that is not required to reduce the risk of information exposure.
  • Back up information stored on the device. If a device becomes compromised, your opportunity to recover information from it may be limited.
  • Evaluate the potential for compromise if the device will hold any encrypted information.

Give instructions for keeping devices safe and secure

Ensure each mobile device user gets as many of the following instructions as they apply.

  • Maintain physical control of the device at all times. Do not leave it unattended in places where it may be an easy target for theft or tampering.
  • Be vigilant at all times. When using a device, make sure that a conversation can’t be overheard and screen data can’t be seen by others.
  • Avoid taking devices into situations where a sensitive or private conversation is likely. If you can’t avoid this situation, turn off the device and, when possible, remove the battery.
  • If you lose physical control of the device (for example, when it is secured outside a meeting), ask your ICT security people for guidance before you use it again.
  • Use corporate devices with all relevant security measures enabled. Only use a personal device for official business when BYOD policies allow and appropriate security measures are in place.
  • If you’re concerned about the risk of tracking, disable any GPS capability. For extra security, turn off the device and, when possible, remove the battery.
  • Disable any features or capabilities that you don’t need. For example, disable wireless, Bluetooth, and location services. Consider doing this before having confidential conversations.
  • Always confirm the integrity of any new storage media with your ICT security people before you connect it to a device. All storage media should be regularly scanned for threats.

Ensure email usage is secure

To help keep emails secure, provide clear instructions in line with your policies on the following topics.

  • Use of private email accounts to store or communicate official information.
  • Forwarding emails from corporate email systems to personal email accounts, such as Gmail. This policy is especially relevant for emails with a classification of ‘restricted’ or higher.
  • When you need additional email security and how to achieve it.
  • How to reduce the risk of downloading hidden malware.

Keep internet usage secure

To help keep internet usage from becoming a security concern, provide clear instructions in line with your policies on the following topics.

  • Using the privacy mode in an internet browser.
  • Use of cookies.
  • Disabling autofill to prevent your browser from storing usernames and passwords.
  • Connecting to external networks. The simplest precaution is not to connect to the internet using unknown hotspots, and instead to use 3G or 4G mobile networks.

Secure devices after use

  • Following travel, it is a good idea to change all device passwords.
  • Treat any unencrypted information on a device that is lost as compromised.

 

Protecting conversations

GOV050

You need to protect your important information from being overheard or recorded.

You must develop procedures for protecting conversations that involve sensitive or protectively-marked information.

It is much easier to record a conversation than it is to record a laptop screen, so conducting these conversations in unsecured places is very risky.

The following measures may reduce the threat of conversations being accidentally overheard or recorded.

Avoid high-risk areas

Remind your people that high-risk conversations, including phone calls, should not be held in hire cars, taxis, shuttles, official vehicles, hotel rooms, or conference rooms unless measures are in place to ensure audio security. These areas are at high risk of audio surveillance.

Also discourage your people from holding sensitive conversations or conversations involving classified information in closed public spaces while sitting or standing in one place, as the conversations can easily be overheard or recorded. Discussing classified information in public, on aircraft, in airport lounges, while at the local café, or in other locations known to be frequented by your people puts this information at significant risk and should be discouraged.

Use secure facilities when possible

The risk of audio interception is greatly increased when travelling overseas. Advise your people to use secure facilities for conversations or phone calls involving sensitive or classified information whenever possible. Using the secure facilities of an allied government is acceptable if the facilities are accredited to the appropriate level and the information being discussed is permitted to be shared with that government.

Use an open area

When no secure facility is available and a conversation or phone call is essential, direct your people to find an open public place, such as a park or open area. They should then talk while walking, being careful to ensure the conversation is not overheard by casual observers.

Parks and open areas offer the greatest protection from casual audio surveillance. 'White noise', such as running water from fountains, may also make it harder for someone to remotely record a conversation without specialist equipment.

Protect classified information

‘Audio secure areas’ are used to keep conversations involving classified information secure.

Outside these areas, it may be impossible to prevent determined adversaries, including foreign intelligence services, from listening in. You should only allow conversations involving classified information to happen outside audio secure areas if it is critical to an operation.

For SECRET information, seek advice from the originator of the information before you allow any conversations outside of audio secure areas.

For TOP SECRET information, seek advice from the New Zealand Security Intelligence Service and the originating organisation before you allow any conversations outside of audio secure areas.

 

Protecting information

GOV051

You must protect information when it is being used away from your office or being transported to another location. You must also comply with the handling requirements for protectively-marked information.

Securing official information in private facilities

You might find it difficult to adequately secure your information when your people are working in private facilities, such as commercial or client facilities. You’re unlikely to have control over key security controls such as alarm or keying systems.

Unless your organisation has full control over the space, you should treat the facilities as zone 1 security areas for information and asset storage.

Storing protectively-marked information

Protectively-marked information must not be stored outside your offices unless you have implemented:

You should not allow TOP SECRET information to be stored outside your premises unless it is critical for an operation. The New Zealand Security Intelligence Service must certify all storage of TOP SECRET information.

Transferring information away from the office

It is unrealistic to expect people to maintain physical custody of information at all times if it can’t be carried on their person.

However, you should restrict the use of removable ICT media, such as USB sticks and portable hard drives, for carrying large quantities of information, as they are easily lost.

Information is at considerable risk when it is being transported. Consider all alternatives before you allow your people to transport information to remote locations.

Some alternatives to consider are:

  • giving people remote secure access to your ICT networks (if a connection can be arranged)
  • transporting the information to nearby New Zealand Government or jurisdictional facilities using endorsed couriers or secure networks
  • storing the information on a portable device approved by the Government Communication Security Bureau — a device that provides additional logical controls to prevent unauthorised access.

When you can’t arrange alternative transport, consider arranging for information to be secured in suitable New Zealand Government or New Zealand Government-approved facilities during breaks in trips.

For more information, go to:

Disposing of official information securely

Your organisation should have procedures in place for the secure disposing of official information for all working away from the office scenarios.

You must ensure all protectively-marked information is returned to your premises for destruction unless you have approved destruction equipment located off-site.

For more information, refer to:

 

Protecting assets

GOV052

Follow this guidance to protect your organisation’s assets when they’re away from the office.

Add to your asset management register

Include assets used by people working away from the office in your asset management register, even when the value of the assets is below the threshold you normally apply to control assets.

Permit removal only when necessary

Only allow your people to remove assets from your facilities if they are necessary for performing their out-of-the-office duties.

Assign custody

Assign custody of each asset to an individual before you allow the asset to be removed from your premises. And consider requiring people to sign for equipment before taking it.

Brief your people and implement security measures

Advise your people of their responsibilities for safeguarding any assets entrusted to them. Ensure they know about your security measures and how to uphold them.

Make sure your people know and follow your incident reporting procedures for assets that are lost or damaged. Treat as compromised any information contained in misplaced, lost, or stolen physical assets.

Protecting assets in vehicles

Tell your people not to leave assets in vehicles unless it is unavoidable or physical security measures are in place to protect the vehicle and its contents.

Protecting assets in hotels

Remind your people that assets left in hotel rooms or hotel safes will be at risk, particularly when travelling overseas. Ensure you evaluate and treat the risks before your people depart to stay at a hotel.

Protecting assets in planes

When travelling, assets in carry-on luggage are more secure than checked-in baggage, providing the carry-on luggage remains in the employee's control.

For more information, go to Physical security zones.

Protecting assets in private facilities

You may not be able to control the security of assets located in client premises, even when given a dedicated work space. In that case, evaluate the risks to your assets in the same way as for any other unsecured off-site work environment.

If you have assets that are used to regulate the client's activities, those assets may need extra protection. For example, you may need to protect them from tampering or other actions that would compromise your regulatory activities.

 

Arrangements for working remotely from home

GOV053

Working remotely from home is subject to an agreement between management and the employee.

Note that if your people work from locations that haven’t been approved or had a risk assessment, you must treat their arrangements as mobile working.

Assess the home office or work site

An agreement for working remotely normally requires you to assess the home office or work site. Through a self-assessment process, you should assess compliance with any occupational health and safety requirements, and any human resource requirements, that apply to your organisation.

Include the right information in an agreement

In an agreement, you must include at least the following:

  • conditions of employment
  • occupational health and safety requirements
  • security requirements.

The agreement should cover technology and equipment; safety and security; and communication and availability.

Technology and equipment

Identify which technology is appropriate for accessing information from the remote location.

  • Work out what equipment your organisation will provide, what equipment the remote worker will provide, and what will be shared (including any specific controls relating to use of personal equipment).
  • If you provide equipment, include a schedule of equipment.
  • Detail how you will provide technical assistance in the event of equipment failure or disruption.

Safety and security

  • Find out if the physical attributes of the remote workplace conform to safety and security standards.
  • Ensure remote workers have your emergency procedures.
  • Include your procedures for disposing of official information securely (if relevant).

Communication and availability

  • State your expectations for communication and availability. For example, that remote workers must be contactable by phone or email during a set time.
  • Identify which processes you will use if you need to change the agreement.

For advice on employment agreements, go to Employment New Zealand’s site: Employment agreements


Finding more advice on working away from the office

GOV054

Related advice available in this site:

 Advice from the National Institute of Standards and Technology (NIST):