I consider her fairly reliable. However, letting my computers leave the office makes me feel a little aprehensive.
Reluctantly, I have agreed to let her keep one of my laptops with her. I have customized it for her convenience (read graphical straightforward point-and-click, and mostly no choices to make).
While at home, she needs to do mostly what she does in the office, which is:

1. accessing some online collaboration tools and also one online service through rdp (using rdesktop)
2. accessing and editing documents on a disk in the office(sshfs), authorized only to some of us
3. communicate with the rest of us through email and jabber IM.

The risks I foresee for now (together with the intended preventive measures) are:

theft of the laptop/disk -> the HD is encrypted with luks (except for the boot partition)
inadequate/dangerous use -> enabling {acct, auditd, incron, afick...}
accessing the internet from an insecure access point -> iptables, maybe a home-phoning script in the background?, etc

As you can see, this is a very rough outline, and I'm probably missing some important measures that I may need to take.
I will appreciate if any of the good folks out there could correct/complete this initial list of tools/techniques to implement, for security/integrity.

Well, as you consider your assistant to be reliable, I will assume you have reasons to think that way and that she is not going to play dirty. My position is "Trust nobody", but you should know better than I...

You are vulnerable to:

Cold boot attacks.
-- The Enemy captures your assistant soon after she has turned the computer off, takes the RAM out, freezes it, takes it to a lab and leaks information from it in order to find your encryption keys. Extremely unlikely to happen

Evil Maid attacks.
-- Your Enemy captures the computer while your assistant is far from it, installs some kind of malware in the unencrypted /boot and returns the computer after the assistant knows it has been seized. When she boots the computer, the malware is launched... which can result in a keylogged password or other horrible effects. Extremely unlikely to happen.

Rubber Horse attacks.
-- Your assistant gets captured and tortured until she tells the passwords to the Enemy.

Hmmm... give her no root access or permissions to launch dangerous daemons or applications. A fine grained permission control (such as GRsecurity) might be useful. As she has physical access and knows the LUKS password, she could bypass your measures, but as you have said she is reliable...

You may want to set an SSH tunnel or VPN. This works as follow:

You set a server in the office.

When the assistant wants to access Internet from an unsecure place (an open Wifi network in McDonalds, maybe) she connects to the server through an encrypted tunnel, so an Enemy placed between the server and the laptop will see encrypted traffic only. The office server proxies or redirects the laptops activity, asks for websites, etc. So, the server basically acts as a repeater, asking information from the Internet and sending it to the laptop in a secure fashion as the laptop demands. Ok, I have oversimplified but I hope you get the idea. There are thousands of docs around about the subject.

1 members found this post helpful.

Laptops are cheap, security is expensive.

Get her a laptop, secure that. Better in all respects.

1 members found this post helpful.

I am going to take a different approach in my response to your question. One of the things that I have learned is that employees will rise or fall to the level of expectation that you set for them. If you treat this person with respect, make clear the expectations and responsibilities, in all likelihood they will meet them. If you treat this person in a manner that says that I expect you do do wrong, you will reap your just rewards in this regard too.

You need to evaluate exactly what you are trying to protect against and take reasonable precautions against the biggest threats.
Theft or loss, you've covered with encryption of the data portions.
Illicit Internet browsing. Why would they need or want to use work hardware for that?
Improper/inadequate/dangerous use? Why are you giving them a laptop to use in the first place?

It sounds like this employee is trying to find ways to do a better job and excel for you. If that were me and you responded like a totalitarian overlord, I would be inclined to tell you to go pound sand and never work as hard for you ever again.

3 members found this post helpful.

Interesting perspective.
I was employed early on a "need to know" basis - never affected my desire to excel.

1 members found this post helpful.

Apparently you don't or haven't had a boss that you want to work for because you respect them greatly.

You secure by arms length not trust length.

Any physical access is subject to greater risk. I'd set up a server that they log into by certificate that you change often. The means to use remote desktop then is minimized since you secured the connection and you secure access to files and programs. She could easily use a live cd like the DOD live cd or one that you set up or even a good flash drive she/he can boot to.

Might peek at the 2X.com stuff. There are other companies that offer secure access to linux by different means or you can recreate them. Some form of nx may be a better choice.

2 members found this post helpful.

Yeah, that's it.

It seems a good idea to me, but this approach means the assistant won't be able to work if there is no network available. Can be a problem, but otherwise is a recommendation worth considering.

1 members found this post helpful.

This post seems like paranoia. The only thing to worry about would be a man-in-the-middle attack to intercept data between the office and remote networks, which should not be a possibility if your network is secure. Set up a VPN so the only way for her (or anyone else on the outside for that matter) to gain access to the network is through a secure tunnel. Then the security risks are limited to the ones that occur as she sits at her desk in the office. If she was going to be malicious she would be doing it, whether or not she was sitting on her couch. Again, if your network is secure, your worries are VERY limited.

**EDIT**

I use pfSense for VPN/firewall in any network I set up, and I can't recommend it enough. Super easy to set up, the webGUI is really straightforward, and if you aren't running ESX (or something of that nature) you can use pretty much any old machine you have laying around with a spare NIC. I used to run it on a PIII 500mhz with 256MB of RAM and it was rock solid.

1 members found this post helpful.

Thank you guys for responding.
There's some precious information you have thrown in.
I'm starting to look into the resources/ideas you have suggested.