
Remote Work / Telework Policy
- Document ID: AUL-POL-12
- Version: 1.0
- Classification: Internal
- Owner: Chief Technology Officer / ISSM
- Effective: TBD-YYYY-MM-DD
- Next Review: TBD-YYYY-MM-DD

1. Purpose
This policy defines the security requirements for personnel working remotely (telework) for Aulendur Labs, Inc. As a remote-distributed workforce with headquarters in Omaha, Aulendur must establish alternate work site controls that maintain the confidentiality, integrity, and availability of information — including CUI — regardless of the physical location from which work is performed. This policy implements NIST SP 800-171 Rev. 3 control 03.10.06 (Alternate Work Site).
2. Scope
This policy applies to:
- Personnel: All employees, contractors, and advisors performing Aulendur work from any location other than the Omaha headquarters.
- Systems: All Aulendur-managed endpoints and cloud systems accessed from remote locations.
- Data: All data classifications — Public, Internal, Confidential, CUI, and ITAR-controlled technical data.
- Locations: Home offices, co-working spaces, hotels, client sites, and any other non-Aulendur facility.
3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; authorizes remote work arrangements. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; defines remote work security requirements; approves remote access to CUI; validates remote work environment security. |
| All Personnel | Comply with remote work security requirements; secure their remote work environment; report security concerns. |
4. Policy Statements
4.1 Remote Work Authorization
4.1.1 Remote work is authorized for all Aulendur personnel by default, given the organization's distributed model. Personnel do not require individual remote work agreements for general Internal-classified work.
4.1.2 Remote access to Confidential data requires: (a) an Aulendur-managed endpoint with full-disk encryption, (b) active MFA (YubiKey FIDO2/WebAuthn), and (c) compliance with this policy's workspace security requirements.
4.1.3 Remote access to CUI requires all of the above plus: (a) CTO/ISSM written authorization, (b) a private workspace (not a public co-working space or coffee shop) where screen visibility and conversation overhearing are controlled, and (c) use of the CUI Enclave (when operational) or a CTO/ISSM-approved interim system.
4.1.4 Remote access to ITAR-controlled data requires all CUI requirements plus verification that the remote location is within the United States and accessible only to US persons.
4.2 Remote Workspace Security
4.2.1 Personnel working remotely shall maintain a workspace that provides reasonable physical security:
- (a) The work area shall not be visible to unauthorized individuals (family members, roommates, visitors) when CUI or Confidential data is displayed on screen or in print.
- (b) Aulendur-managed endpoints shall not be left unattended and unlocked in shared living spaces.
- (c) Printed CUI or Confidential documents shall be secured in a locked drawer or cabinet when not in active use, and shredded when no longer needed.
- (d) Video calls discussing Confidential or CUI content shall be conducted in a private room with the door closed.
4.2.2 Personnel shall not conduct Aulendur work from public locations (coffee shops, libraries, airports) when the work involves CUI or Confidential data visible on screen. Internal-classified work in public is permitted with a screen privacy filter and an active VPN.
4.3 Network Security
4.3.1 Personnel shall use a VPN connection when accessing Aulendur systems from public or untrusted Wi-Fi networks (hotels, airports, co-working spaces). Home networks with WPA3 or WPA2-Personal with a strong passphrase (minimum 16 characters) are considered trusted for Internal-classified work.
4.3.2 Personnel shall not connect Aulendur endpoints to open (unencrypted) Wi-Fi networks without an active VPN.
4.3.3 Home routers used for Aulendur remote work should have firmware updated to the latest available version and default administrator credentials changed.
4.3.4 For CUI access, the network connection shall be encrypted end-to-end using FIPS 140-2/3 validated cryptographic modules (satisfied by the VPN or direct TLS to the CUI Enclave).
4.4 Endpoint Security
4.4.1 Only Aulendur-managed endpoints shall be used for accessing Aulendur Confidential, CUI, or ITAR data. Personal devices may be used for accessing Internal-classified data (email, Slack, calendar) with CTO/ISSM approval, provided the device has: (a) full-disk encryption enabled, (b) OS auto-updates enabled, (c) screen lock configured at 5 minutes, and (d) no jailbreak/root modification.
4.4.2 All remote endpoints shall comply with the Acceptable Use Policy endpoint requirements: full-disk encryption, 15-minute auto-lock, current OS patches, and active endpoint protection.
4.4.3 Remote endpoints shall be kept physically secure. Lost or stolen devices shall be reported to the CTO/ISSM within 1 hour of discovery. The CTO/ISSM shall initiate remote wipe of the device within 4 hours of the report.
4.5 Separation of Work and Personal Use
4.5.1 CUI and Confidential data shall not be transferred to personal devices, personal cloud accounts, or personal email. Work shall remain within Aulendur-managed systems (Google Workspace, GitHub, 1Password, approved cloud services).
4.5.2 Personnel shall not allow family members or other unauthorized individuals to use Aulendur-managed devices for any purpose.
4.6 International Remote Work
4.6.1 Personnel shall not access Aulendur systems containing CUI or ITAR-controlled data from outside the United States without prior written approval from the CTO/ISSM and compliance with the Travel Security Policy (forthcoming) and export control requirements.
4.6.2 Accessing ITAR-controlled data from outside the United States is prohibited without a valid export license or applicable exemption, per the Export Control Policy (forthcoming).
4.7 Incident Reporting
4.7.1 Remote personnel shall report security incidents (lost/stolen devices, suspected compromise, unauthorized observation of CUI, network intrusions) to the CTO/ISSM within 1 hour of discovery, per the same timelines as on-site personnel.
5. Standards & Procedures Referenced
The following companion documents implement this policy:
- Physical & Environmental Security Policy
- Acceptable Use Policy
- Travel Security Policy (forthcoming)
- Export Control Policy (forthcoming)
- Remote Access Policy (forthcoming)
- Endpoint Security Policy (forthcoming)
6. Compliance & Enforcement
Violations of this policy may result in revocation of remote work privileges, suspension of system access, and disciplinary action up to and including termination. Accessing CUI from an unauthorized location or non-compliant device is a reportable security incident. Suspected violations shall be reported to the CTO/ISSM.
7. Exceptions
Exceptions to this policy require written approval per the Policy Exception & Waiver Policy. Emergency access from a non-compliant environment (e.g., critical incident requiring immediate response from travel) shall be logged and ratified by the CTO/ISSM within 24 hours.
8. Definitions
| Term | Definition |
|---|---|
| Remote Work / Telework | Performing Aulendur job duties from any location other than the designated Aulendur office. |
| Alternate Work Site | Any location outside the primary Aulendur facility from which work is performed. |
| Trusted Network | A network controlled by the user with strong encryption (WPA3/WPA2 with strong passphrase) and changed default credentials. |
| Untrusted Network | Any network not controlled by Aulendur or the individual worker, including public Wi-Fi. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| ITAR | International Traffic in Arms Regulations (22 CFR 120-130). |
| VPN | Virtual Private Network — an encrypted tunnel protecting data in transit over untrusted networks. |
9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- ITAR (22 CFR 120-130), International Traffic in Arms Regulations
10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.10.06 | Alternate Work Site | Full |
| CMMC 2.0 L2 | PE.L2-3.10.6 | Alternative Work Sites | Full |
| NIST SP 800-53 R5 | PE-17 | Alternate Work Site | Full |
| NIST SP 800-53 R5 | AC-17 | Remote Access | Supports — full coverage in AUL-POL-20 |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.