A woman logs into her computer from her home.

Remote Work

Overview

Remote work (also known as work from home or telecommuting) is a type of flexible working arrangement that allows employees to work from a remote location outside NYS offices by connecting to your agency’s network. 

The menu items to the left contain valuable resources and common troubleshooting tips that are designed to support individuals who are working remotely.

 

Working Remotely Online Training

NYS Agency Staff:
Please follow your agency's specific policy and mandate for training and remote work.

NYS Office of Information Technology Staff: 
All ITS employees are required to complete and pass the "How to Work Remotely" online training course before beginning to work remotely. This course covers the technical aspects of working remotely and can be found in the Statewide Learning Management System (SLMS) using code ITS_Work_2019.

 

Hardware

Your Agency may or may not provide you with any additional hardware for the sole purpose of working remotely. Subject to your agency's discretion, employees who have been approved to work remotely may be permitted to use their personal devices, such as a personal desktop computer, laptop, tablet, and/or smartphone. ITS will not be responsible for any hardware issues that may occur on personal equipment because of the program. Users are responsible for keeping their personal devices functioning.  The ITS Service Desk cannot answer calls and/or respond to tickets that are related to personal device hardware issues. 

Please note that individuals must be approved to work remotely and secure appropriate access prior to doing so.

For additional information, including information on Virtual Private Networks (VPN) and Virtual Desktop Infrastructure (VDI), visit the Workplace Hardware and Productivity Software webpage.

 

Security

Should you utilize remote access, please note the following requirements:

Important Telecommuting Security Guidelines

RSA SecurID Token

To access your agency's network and necessary applications remotely you will need to request and activate an RSA SecurID token. 

An activated RSA SecurID authentication token will enable you to access programs such as the Outlook Web Application (OWA), Office 365 (O365) products including SharePoint, and Virtual Desktop Infrastructure (VDI).  

To obtain a token you will need to submit your request through https://mytoken.ny.gov/.  

More Information on RSA SecurID

Multi-Factor Authentication (MFA)

 What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) provides a second layer of security to any type of login, requiring extra information or the use of a physical device or token to log in, in addition to your password. By requiring two different channels of authentication, ITS can better protect user logins from remote attacks that may exploit stolen credentials such as usernames and passwords.

Why do we need MFA for Active Directory (ADFS) protected Apps when accessed remotely?
Login credentials are more valuable than ever and are increasingly easy to compromise. More than 90 percent of breaches today involve compromised usernames and passwords. A lack of MFA presents different risks, depending on the accounts and applications involved. At a minimum, lack of MFA could mean compromise or loss of personal data for New Yorkers, if their individual accounts are compromised. For active directory accounts, this could mean compromise of entire systems or multiple systems, extending to the compromise of core ITS systems impacting all agencies.

What is RSA SecurID?
RSA SecurID (see tab), often referred to as SecurID, is a two-factor, public-key encryption authentication technology, available as a Software app or a hardware token, that is used to protect network resources. SecurID provides a convenient experience for users to verify who they are, while providing the right level of security assurance.

How will MFA (RSA SecureID) change my login experience?
When you log in to an application protected by RSA SecureID, you will still enter your username and password. After inputting your login information, you will need to use the RSA SecurID Software app on your phone or an RSA SecurID Hard Token (fob) to complete the second-factor authentication as shown below:

Single Sign On

 

Office 365

Office 365 is a collection of apps and cloud services that you can use to be productive across a variety of devices from just about anywhere. Office 365 (O365) is a cloud-based version of the Microsoft Office suite. For New York State employees, Office 365 includes online versions of Word, Excel, PowerPoint, and SharePoint. 

More information on Office 365 

Working Remotely Hygiene Guidelines

Cleaning Sensitive NYS Information from Personal Devices 

Employees who use their own personal electronic devices for official New York State business must ensure that their use is in full compliance with the New York State Information Security Policy and the New York State Acceptable Use of Technology Resources Policy, as well as their agency's work rules and ITS Enterprise technical standards, including ITS mobile/personal device technical standards and policies. 

Employees must not download or save sensitive or confidential NYS data to a personal device. If you inadvertently do save or download such data to your personal device, or your device automatically backs up items, you should take the following steps to ensure that no sensitive New York State data remains resident on that device. 

To prevent unintentional deletion of data from NYS systems, you should not be remotely logged in with your New York State credentials when performing these actions. 

Clear any saved passwords to NYS resources 

Security best practice discourages saving passwords in your web browser. All passwords to New York State resources that are saved within a web browser should be cleared. The option to remove saved passwords is found in most browser configurations under privacy or security settings, or browser history. 

Delete locally saved files 

This includes, but is not limited to, screenshots, photos, emails and files that were directly downloaded or created. Files may be present in the “Downloads,” “My Downloads,” “Documents,” or “My Documents” folder. Documents downloaded from email attachments, SharePoint or other web-based resources may also be stored in temporary locations on your system’s hard drive. Use the Storage Sense or Disk Cleanup utilities in Windows, and selecting Temporary Files and Temporary Internet Files, to remove these files. 

Remove Microsoft Office Suite (e.g., Excel and Word) autosaved files 

Microsoft Office products may automatically save documents to an AutoRecover location commonly found under File -> Options. Select “Save” in the left column and the right column will show the path next to “AutoRecover file location.” Browse to this path to see files that may need to be deleted. 

Delete Microsoft Office Document Cache 

Microsoft Office may cache documents for faster viewing. These cached files should be deleted. Click Start (Windows Icon), Microsoft Office Tools, Office Upload Center, Settings and choose the option to delete cached files. 

Clear browser cache and history 

Web Browsers such as Internet Explorer, Chrome, or Firefox retain some information from web sites that you have visited in the browsers cache. The option to clear the cache is usually found within browser settings under browser data or browsing history. 

Ensure all NYS data has been removed 

If any other NYS data not explicitly mentioned above has been saved to your personal device, please remove this data as well. This may include notes written as text files, files in paint, or Adobe documents. 

Empty the Recycle Bin 

To finalize deletion, the Recycle Bin should be emptied after you remove locally saved files.

Teleconferencing Guidelines

Due to the ongoing COVID-19 global emergency, employees are turning to teleconferencing platforms to conduct meetings in order to continue business operations. Unfortunately, threat actors are taking advantage of the increased use of these platforms to obtain sensitive information, eavesdrop on meetings, or conduct other malicious activities.

To protect against teleconferencing attacks, we recommend you implement the following general practices, when offered and practical, if available:

  • Select appropriate access options as part of the meeting set-up (such as turning off attendee videos, muting all attendees, and preventing attendees from sharing their screen).  
  • Ensure that you are using the most up-to-date version of the platform.
  • Do not click on any meeting invitations from unknown senders.
  • Beware of look-alike domains. Carefully inspect meeting invitation links to verify the address of legitimate websites (e.g., webex.com, zoom.us, zoom.com).
  • Do not share meeting invitations publicly, such as on public websites or in social media forums (e.g., Facebook, Twitter).
  • Schedule a meeting instead of using "personal rooms" or "personal meeting IDs" for meetings. This will ensure use of a one-time link.
  • Require a password to join the meeting.  
    • Set a strong password that cannot be easily guessed.
    • Set a different password for every meeting.
  • Do not allow attendees to join before the host.
  • Use a "waiting room" feature to keep participants from joining the meeting without host approval.
  • Use an entry/exit tone or announce name feature to prevent someone from joining the meeting without your knowledge.
  • Remove any unknown participants from your meeting and choose settings that do not allow them to re-join.
  • Lock the meeting once all attendees have joined.
  • Share an individual application or window, instead of sharing your desktop to prevent accidental exposure of sensitive information to your screen.
  • Manage screensharing through a host to prevent someone from randomly taking over what is shown on the screen.
  • Do not use other applications (e.g. Facebook) to sign into teleconferencing meetings to limit the amount of personal data the teleconferencing platform has access to.
  • Consider disabling the chat feature to prevent unwanted messages from being displayed.
  • If calls are recorded:
    • Set a password for your recording.
    • Delete recordings after they are no longer needed.
    • Do not upload recordings to a shared platform (e.g., Dropbox, Sharepoint) that is open to unauthorized parties.
    • If your teleconference comes under attack, immediately go the participants list if available, identify the offending actor, remove them from the meeting, and lock the meeting. Consider putting all other attendees on mute if you have not already done so.
  • If your teleconference comes under attack, immediately go the participants list if available, identify the offending actor, remove them from the meeting, and lock the meeting. Consider putting all other attendees on mute if you have not already done so.

FAQs

"What is Remote Access?"

Remote access is a way to access New York State IT systems from home or other off-site locations.  A description of the remote access solutions is available at https://its.ny.gov/working-remotely

From your personal computer, you may access many New York State IT systems directly from just a web browser.  Microsoft Office 365 Web Access (OWA) is one example of this.  The other remote access solutions that may be available to you from your personal computer are SSL VPN or VDI. 

"Will remote access keep my data safe?"

Yes. The connections are encrypted which prevents data from being intercepted. The use of SSL VPN, VDI, or OWA only grants your personal computer limited access to remote connect to your work computer, the VDI system, or Microsoft Office and does not allow your work computer to access your personal computer. 

"Will using remote access install software on my personal computer?"

Yes. SSL VPN installs Host Checker which is only used to verify that your personal computer is running a supported version of its operating system, is patched, and has functioning antivirus software.  VDI installs the Horizon Client, which is used to access the VDI system.  Neither software runs in the background after you log out.

"Will using SSL VPN, VDI or OWA grant NYS access to my personal computer?"

No.  None of the remote access solutions grant NYS access to your personal computer.  

"Would ITS be able to access logs or other information that reveals how my personal computer has been used other than the connection to NYS?"

No. During the remote access connection, activities that occur through the encrypted remote connection to NYS through OWA, SSL VPN, and VDI are logged, however, activities that occur outside of that connection are not. 

"Does using remote access require an administrator user account on my personal computer?"

Before using SSL VPN or VDI the first time, you must install the Host Checker or Horizon Client, respectively. These installs both require administrative rights.  After installation, you should run SSL VPN or VDI with a non-administrative user account on your personal computer. OWA does not require an installation or administrator privileges to access. 

"Why can't I access my V drives from my personal computer?"

This would create a security risk to NYS systems and data.  Instead, you may access your V drive or other mapped NYS drives within your remote connection to your work computer from an SSL VPN connection, from within a VDI session, or from a NYS issued laptop computer using VPN. OWA will not grant access to the V drive or other NYS mapped drives. 

"Does the use of a soft token on my personal mobile device give NYS any access to my personal mobile device?"

No.  The soft token on a mobile device only stores an encryption key unique to that device.  The encryption key is used to provide an additional authentication factor for your remote login.  This greatly reduces the ability for someone to impersonate you and login into NYS systems inappropriately.