>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PE-17Alternate Work Site

Moderate
High

>Control Description

a

Determine and document the organization-defined alternate work sites allowed for use by employees;

b

Employ the following controls at alternate work sites: organization-defined controls;

c

Assess the effectiveness of controls at alternate work sites; and

d

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites.

Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.

>Cross-Framework Mappings

SCF

PES-11
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern alternate work sites where organizational information is processed or stored?
  • How does the organization assess the security of alternate work site locations?
  • What is the process for approving and documenting alternate work site arrangements?
  • How are security requirements communicated to personnel working at alternate sites?
  • What governance exists for periodically re-assessing alternate work site security?

Technical Implementation:

  • What security controls are implemented for alternate work site systems?
  • How are alternate work site networks secured and segregated?
  • What endpoint security tools are deployed on alternate work site devices?
  • How is data encrypted when stored or transmitted from alternate work sites?
  • What remote monitoring capabilities exist for alternate work site security?

Evidence & Documentation:

  • Provide the list of approved alternate work site locations with security assessments.
  • Provide alternate work site security requirements and control documentation.
  • Provide evidence of location assessment and approval.
  • Provide records of periodic alternate work site security reviews.

Ask AI

Configure your API key to use AI features.