Implementation and audit guidance for securing remote work environments.
AIJET Principles: A = Awareness, I = Integrity, J = Judgment, E = Ethics, T = Transparency
ID | Requirement | Guidance to implement | Guidance to audit | AI Threats and Mitigation | Principles | KPI |
---|---|---|---|---|---|---|
REM-01 | Establish guidelines and best practices for securing remote work and workspaces | Develop and distribute detailed guidelines for securing home networks. Offer remote support resources. | Guideline documents and employee acknowledgment receipts. | Remote work guidelines must include safe AI tool usage, prohibiting sharing sensitive data with external LLMs (e.g., ChatGPT). | A, T | X% of employees acknowledge and follow remote work security guidelines. |
REM-02 | Mandate secure VPN usage for all remote work connections | Enforce VPN usage through network policies and continuously monitor remote connections. | VPN usage logs and network access control reports. | Enforce VPN usage to prevent interception by AI-enhanced traffic analysis and unauthorized model scraping. | I, T | X% of remote work connections use a secure VPN. |
REM-03 | Restrict remote work to company-approved devices only | Enforce conditional access based on device compliance. Integrate MDM/UEM solutions to restrict access only to enrolled, compliant devices. | Review conditional access logs, device compliance reports, and platform access attempts from unauthorized devices. | Restrict use of unmanaged AI apps on remote devices to prevent data leakage and AI model poisoning. | I, J, T | X% of remote devices must comply with company-approved device policies. |
REM-04 | Schedule regular compliance checks to ensure accounts and remote devices meet security standards | Deploy automated compliance scans for remote devices and remediate non-compliant cases promptly. | Compliance scan reports and remediation records. | Compliance checks should review unauthorized AI tool usage and employee adherence to AI-specific guidelines. | I, J, T | X% of remote devices pass compliance scans and are remediated within 24 hours. |
REM-05 | Implement enhanced security protocols (e.g., jump servers, just-in-time access) for critical remote systems | Deploy advanced access solutions (like jump servers) for critical systems and log all sessions. | Session logs and advanced access configuration records. | Jump server environments must block uncontrolled interactions with generative AI services. | I, T | X% of critical remote systems must use jump servers and log all access. |
REM-06 | Implement mandatory verification processes before acting on critical LLM-generated outputs | Define categories of decisions (e.g., financial transactions, legal decisions, customer escalations) that require secondary human validation when influenced by LLM outputs. | Sample decisions influenced by AI tools and verify whether documented human validation or source triangulation is present. Cross-check logs with team leaders for spot compliance reviews. | Addresses OWASP LLM05:2025 by reducing risks from acting on hallucinated, fabricated, or misleading LLM outputs. | I, J | X% of AI-generated recommendations are reviewed before action. |
REM-07 | Notify the security team prior to business travel | Establish a pre-travel notification workflow. | Travel forms. | Alert traveling employees about AI-powered impersonation scams (deepfake voices pretending to be security or executives). | A, T | X% of employees notify security before business travel and are educated on AI scams. |
REM-08 | Report any unusual incidents or security concerns during business trips | Set up a dedicated reporting channel (e.g., hotline or mobile app) for travel-related incidents and train employees on its use. | Incident reports and hotline call logs. | Incident reporting during travel should include categories for AI-generated threats or manipulations. | A, I, T | X% of travel-related incidents are reported, including AI-generated threats. |
REM-09 | Utilize hotel safes for storing sensitive items when available | Include hotel safe usage guidelines in travel protocols and encourage their use. | Travel policy documents and employee acknowledgment records. | Recommend travelers avoid connecting sensitive devices to unsecured networks that may host AI eavesdropping tools. | I, T | X% of employees use hotel safes and avoid risky networks during travel. |
REM-10 | Limit travel to only essential documents and data | Advise employees on data minimization and enforce encryption for any data carried during travel. | Travel checklists and data minimization policy documents. | Minimize the quantity of sensitive data carried during travel to reduce risks of AI-augmented physical theft or spying. | I, T | X% of sensitive data carried during business trips is encrypted and minimized. |
REM-11 | Ensure documents and IT equipment are never left unattended in public areas | Incorporate clear guidelines for asset supervision during travel and emphasize vigilance in training. | Travel supervision logs and incident reports. | Protect IT equipment rigorously, preventing capture by AI-based hardware surveillance technologies. | A, I, T | X% of employees follow guidelines for asset supervision during business trips. |
REM-12 | Lock devices immediately when not in use | Educate employees to lock their devices as soon as they are not in use. Reinforce via policy reminders. | Policy documents and training attendance records. | Encourage use of auto-lock features to protect devices from AI-enabled opportunistic attacks. | A, I, T | X% of employees lock their devices when not in use during business trips. |
REM-13 | Exercise discretion during external interactions | Provide guidelines on maintaining discretion during external interactions, and include role-playing scenarios in training. | Travel policy documents. | Exercise discretion during external interactions to mitigate risks of AI-assisted social engineering attempts. | A, I, T | X% of employees practice discretion during external interactions to mitigate AI-related risks. |