Working from Home – Securing the “New Normal”
4th June 2020
As countries take tentative steps to re-open parts of society, popular media are reporting that the term “working from home” is fast becoming part of normal business culture for many. The COVID-19 lockdown, combined with the access and convenience provided by cloud services and applications, has raised questions about the need for physical office space, the time used for commuting to and from business premises, and whether virtual meetings are more productive than physical gatherings.
It’s reasonable to assume that some will transition to allowing more personnel to work remotely, and we trust that they will remember their corporate information security and data protection requirements if they do so. In this article, we’ll highlight some of these important considerations and hope that they will serve to support the identification of acceptable approaches to each subject.
Living Room vs. Meeting Room
Firstly, let’s compare the security of the home environment with the robust controls of the corporate office. The physical space of the employee’s home used for home working should be sufficiently isolated from other residents and allow for the secure storage of documents and media when not in use. Office-based practices, such as locking the screen when stepping away from the desk, should carry over, and remote workers should use a Virtual Private Network (VPN) to protect work traffic transmitted via the internet. Whilst we are on the subject, it’s worth checking how many of your staff have changed the default password on their home wireless router, and providing assistance if that presents a challenge.
We need to know that personnel are using approved corporate devices for their work. The growth of “shadow IT”, or the temptation to use privately-owned devices (perhaps a tablet for working in the sunny garden) must be challenged. These are unlikely to be monitored or protected by the antivirus and network protection of corporate assets, and there is the possibility of information being saved locally that may never be fully retrieved or deleted by the organisation. Clear guidance is needed here, including reminders about the mandatory requirements of data protection, acceptable use and asset management policies.
Cloud’s Silver Lining
The growth of cloud services has played a significant role in the success of home working during recent months and has transformed many a theoretical business continuity plan into something that works. There are a few important considerations, starting with an assessment of whether each cloud service has actually been approved for use by the organisation. There are contractual terms, data protection clauses, geographic (data residency) assessments, licensing models and, let us not forget, costs to understand, and every possibility that unapproved services have crept in quickly as individuals sought to remain productive during lockdown. Personnel need to understand these risks, and organisations need to identify an approach to keeping informed about their cloud estate.
Cloud also presents us with questions. Where is the hosted data stored (especially if it is personal data subject to GDPR), are there backup or snapshot copies which need to be accounted for, and is the cloud service provider contractually required to inform you of any security incidents or personal data breaches? Validate that the cloud service has sufficient capacity and resilience to serve peak demand: during COVID-19 some of the largest global providers were clearly challenged.
People: some employees are now starting (and ending) their employment virtually, and there are controls which need to be addressed. New starters need to be sent corporate assets (laptops, tokens, documentation etc.) remotely, and supported with information security training, data protection (GDPR) awareness, and help with setting up corporate IT assets securely. At the end of their employment, leavers need to have their assets collected promptly (don’t rely upon them to return them) and their accounts closed off at the point of termination. This may be more complex than before, when removing an Active Directory account may have sufficed: many cloud services maintain their own user accounts and credentials rather than relying on the corporate directory, so each may need to be disabled individually. It’s important to keep records of which users hold accounts in each cloud service, and to ensure that each cloud service is configured such that the organisation retains administrative control over its users.
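The leaver problem described above is easiest to catch with a periodic reconciliation: take the HR leavers list and the user export from every cloud service, and flag any account that is still enabled after its owner’s termination date, plus any enabled account that HR does not recognise at all (a likely shadow or contractor account). The following Python script is an added example, not InfoSaaS code; the two service names, their differing export formats and all of the HR and account records are constructed for illustration.

```python
"""Reconcile HR leavers against per-service cloud account exports.

Added example (not InfoSaaS code). Each cloud service is assumed to expose its
own user export with its own identifier and status fields, which is exactly why
removing an Active Directory account alone is not sufficient.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    service: str
    account: str
    issue: str  # "active_after_termination" or "unknown_to_hr"


# Constructed HR data: normalised email -> termination date (None = still employed).
HR_RECORDS = {
    "alice@example.com": None,
    "bob@example.com": date(2020, 5, 29),
    "carol@example.com": date(2020, 4, 15),
}

# Constructed user exports from two hypothetical cloud services. Note the
# differing field names and status conventions between them.
SERVICE_EXPORTS = {
    "crm_saas": [
        {"login": "alice@example.com", "status": "active"},
        {"login": "bob@example.com", "status": "active"},      # leaver, still enabled
        {"login": "carol@example.com", "status": "disabled"},  # leaver, correctly off
    ],
    "file_share": [
        {"email": "Alice@Example.com", "disabled": False},     # mixed case, same person
        {"email": "dave.contractor@gmail.com", "disabled": False},  # nobody in HR
        {"email": "bob@example.com", "disabled": True},
    ],
}


def normalise(identifier: str) -> str:
    """Emails are compared case-insensitively and without surrounding whitespace."""
    return identifier.strip().lower()


def account_id(service: str, record: dict) -> str:
    """Map each (assumed) export format to the identifier HR would recognise."""
    field = {"crm_saas": "login", "file_share": "email"}[service]
    return record[field]


def account_enabled(service: str, record: dict) -> bool:
    """Map each (assumed) export format to a single 'is this account live' answer."""
    if service == "crm_saas":
        return record["status"] == "active"
    if service == "file_share":
        return not record["disabled"]
    raise ValueError(f"no status mapping for service {service!r}")


def reconcile(hr_records: dict, service_exports: dict, today: date) -> list:
    """Return findings for every enabled account that should not be enabled."""
    findings = []
    for service, records in service_exports.items():
        for record in records:
            ident = normalise(account_id(service, record))
            if not account_enabled(service, record):
                continue  # disabled accounts are not a risk for this check
            if ident not in hr_records:
                findings.append(Finding(service, ident, "unknown_to_hr"))
                continue
            left_on = hr_records[ident]
            if left_on is not None and left_on <= today:
                findings.append(Finding(service, ident, "active_after_termination"))
    return findings


def run_example() -> list:
    """Run the reconciliation against the constructed data as of 4 June 2020."""
    return reconcile(HR_RECORDS, SERVICE_EXPORTS, date(2020, 6, 4))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.service}: {f.account} -> {f.issue}")
```

In practice the `SERVICE_EXPORTS` dictionary would be populated from each provider’s admin export or user-listing API, and `HR_RECORDS` from the HR system; the mapping functions are the part that grows as services are added, which is itself a useful inventory of which services hold their own accounts.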
Suppliers need careful assessment too. You would like to trust that, as a customer, you will be promptly informed of any disruptions, challenges or incidents that they experience whilst working through a lockdown, but that is rarely the case, and shortcomings are often only discovered once they are already affecting product or service delivery. Lightly worded COVID-19 preparedness statements are unlikely to answer all your questions, so reviewing your Supplier Capability Assessments on a regular basis is one approach to staying better informed.
InfoSaaS Helping Hands
Over the last few months, the InfoSaaS Team have remained fully operational, supporting customers with their ongoing compliance and assurance responsibilities. Our secure, cloud-based risk assessment, document management, supplier assessment and GDPR workflows have enabled ready collaboration between remote colleagues, and it’s been great to see that, as audit and certification bodies have quickly migrated to conducting ISO27001 assessments virtually, these capabilities have supported our customers in achieving positive audit outcomes.
Looking a little deeper, our risk assessments are part of a framework which considers how the controls from ISO27001 Annex A might mitigate the numerous threats and vulnerabilities which are associated with remote working. Using extended control sets aligned to ISO27017 (security of cloud services), comprehensive risk assessments for both cloud service providers (suppliers) and cloud consumers (customers) can be easily completed, with any findings informing timely decision making. If you’re moving personal data into third-party cloud services, our Data Protection Impact Assessment workflows help in delivering compliance with Article 35 of GDPR. The Supplier Management module is frequently being customised to include specific sections about supply chain business continuity and resilience, which can be integrated into each supplier’s overall capability review.
Reassuringly, there are many ways in which credible GRC solutions such as InfoSaaS continue to help responsible businesses to evolve and operate effectively whilst staying in control of risks, contractual compliance and the regulatory landscape as essential elements of securing the “new normal”. Please contact the InfoSaaS Team to find out more.