SAMMY UI is optimized for resolutions with a width 1024px and higher.
Cloud Controls Matrix
Browse Cloud Controls...
HRS-04: Remote and Home Working Policy and Procedures
Remote and Home Working Policy and Procedures
HRS-04: Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations established, documented, approved, communicated, applied, evaluated, and maintained?
Organizations allowing remote working activities should issue a policy that defines the conditions and restrictions of working away from a regular office.

The following matters should be considered:
a. The use of lockable filing cabinets
b. Secure transportation between locations
c. Remote access
d. Clean desk
e. Remote printing
f. Information disposal

Secure communications should take the following into account:
g. The need for remote access to the organization’s internal systems.
h. The sensitivity of the information that will be accessed and passed over the communication link.
i. The need to connect to internal systems.
j. The use of remote access (such as virtual desktop access) that prevents processing and information storage on privately-owned equipment.
k. The threat of unauthorized access to information or resources from others at the remote working site (i.e., family, friends, and others in a public environment).
l. The use of home and public networks.
m. The requirements or restrictions on the configuration of wireless network services.
n. Protection against malware and firewall requirements.
o. The use of multi-factor authentication mechanisms when remote access to the organization’s network is allowed.

The guidelines should also include:
p. Where the use of privately owned equipment not under the organizational control is not allowed.
q. Revocation of authority and access rights and the return of the equipment when the remote-working activities are terminated
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.

Remote and Home Working Policy and Procedures
HRS-04: Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations reviewed and updated at least annually?
Organizations allowing remote working activities should issue a policy that defines the conditions and restrictions of working away from a regular office.

The following matters should be considered:
a. The use of lockable filing cabinets
b. Secure transportation between locations
c. Remote access
d. Clean desk
e. Remote printing
f. Information disposal

Secure communications should take the following into account:
g. The need for remote access to the organization’s internal systems.
h. The sensitivity of the information that will be accessed and passed over the communication link.
i. The need to connect to internal systems.
j. The use of remote access (such as virtual desktop access) that prevents processing and information storage on privately-owned equipment.
k. The threat of unauthorized access to information or resources from others at the remote working site (i.e., family, friends, and others in a public environment).
l. The use of home and public networks.
m. The requirements or restrictions on the configuration of wireless network services.
n. Protection against malware and firewall requirements.
o. The use of multi-factor authentication mechanisms when remote access to the organization’s network is allowed.

The guidelines should also include:
p. Where the use of privately owned equipment not under the organizational control is not allowed.
q. Revocation of authority and access rights and the return of the equipment when the remote-working activities are terminated
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.