1. Allow Only Managed Devices to Use Regular Agency Networks
It’s generally best to allow only agency-managed laptops, smartphones and other devices to connect directly to the agency’s regular networks. When devices are managed, their security can be much better controlled; for example, by ensuring they’re fully patched and the necessary anti-malware tools are running and up to date.
When devices are agency-issued but unmanaged — meaning they’re manually managed by support personnel or the users themselves — it’s more likely that they’ll have significant security issues. And if Bring Your Own Device is permitted, such as when employees who normally work at the office have to telework unexpectedly, those devices are even more likely to pose a major security risk.
Instead of allowing unmanaged or personal devices to use regular networks, strongly consider establishing quarantine networks for these devices to use. This keeps higher-risk user devices separate from the lower-risk ones and gives the agency a better chance to ensure the devices are safe. A quarantine network should allow the devices on it only minimal access to the agency’s resources.
2. Check the Cyber Hygiene of Each Connecting Device
User devices connecting to any agency network should have their cyber hygiene assessed before they are granted network access. Check for the following:
- Is all software on the device (OS and applications) fully patched?
- Is there any malware or unauthorized software installed on the device?
- Are anti-virus software and all other required security controls present, enabled and updated (if applicable)?
- Are there any signs of prior compromise, such as attacker tools?
Ideally, all devices should automatically connect to a separate (often virtual) quarantine network first, and be allowed to connect to a regular network only after all the cyber hygiene checks succeed. A variety of endpoint security technologies are available to do these checks.
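The quarantine-first flow described above, combined with the managed-device rule from section 1, can be expressed as a small posture policy. The following is an added example written for this page, not code from the original article or any particular endpoint security product; the posture field names, the `DevicePosture` report format, the signature-age threshold and the sample devices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple, Dict


class Network(Enum):
    REGULAR = "regular"        # normal agency network
    QUARANTINE = "quarantine"  # minimal-access network every device starts on


@dataclass
class DevicePosture:
    # Constructed posture report; the field names are assumptions for this example.
    device_id: str
    agency_managed: bool
    missing_patches: int
    av_enabled: bool
    av_signatures_age_days: int
    unauthorized_software: List[str] = field(default_factory=list)
    compromise_indicators: List[str] = field(default_factory=list)


MAX_SIGNATURE_AGE_DAYS = 3  # assumed policy threshold for "up to date" anti-malware


def evaluate_posture(p: DevicePosture) -> Tuple[Network, List[str]]:
    """Return the network a device may join plus the reasons it failed, if any.
    A device stays on the quarantine network unless it is agency-managed and
    every hygiene check from section 2 passes."""
    failures: List[str] = []
    if not p.agency_managed:
        failures.append("device is not agency-managed")
    if p.missing_patches > 0:
        failures.append(f"{p.missing_patches} patches missing")
    if not p.av_enabled:
        failures.append("anti-malware disabled")
    elif p.av_signatures_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"anti-malware signatures {p.av_signatures_age_days} days old")
    if p.unauthorized_software:
        failures.append("unauthorized software: " + ", ".join(p.unauthorized_software))
    if p.compromise_indicators:
        failures.append("signs of prior compromise: " + ", ".join(p.compromise_indicators))
    return (Network.REGULAR if not failures else Network.QUARANTINE), failures


def assign_networks(postures: List[DevicePosture]) -> Dict[str, Tuple[Network, List[str]]]:
    """Apply the policy to a batch of posture reports, keyed by device id."""
    return {p.device_id: evaluate_posture(p) for p in postures}


# Constructed sample posture reports (not real devices).
SAMPLE_POSTURES = [
    DevicePosture("LAPTOP-001", True, 0, True, 1),
    DevicePosture("LAPTOP-002", True, 4, True, 1),
    DevicePosture("BYOD-PHONE-1", False, 0, True, 2),
    DevicePosture("LAPTOP-003", True, 0, False, 0,
                  compromise_indicators=["unexpected remote-access tool"]),
]
```

Running `assign_networks(SAMPLE_POSTURES)` keeps every device except LAPTOP-001 on the quarantine network and records the specific failed check for each, which is the information support staff need to remediate before the device is re-evaluated.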