Lately, and for good reason, the top thing on people’s minds has been the COVID-19 Coronavirus. Our clients are worried not only for their own physical wellbeing and the wellbeing of their families, but also for their businesses as the economy has now been brought to a standstill. From security compliance perspective, often their normal operations have been altered, or are in flux, and a majority of their workforce is working remotely now.
Any change from normal operations will inherently be less secure, because often the processes are unfamiliar and have not been ironed out to the extent that a company’s normal operations have been. In a situation like we are facing now, with widespread teleworking, a company’s prime security concern should be the correct implementation of a strong teleworking policy.
What are key components of a strong teleworking policy?
All teleworking policies should have the following requirements:
- A designated remote access manager who is ultimately responsible for enforcing the teleworking policy.
- He or she should also be the person who decides on a case by case basis on who should have remote access.
- He or she should take into account all relevant factors, including the employee’s business role, the importance of his or her ability to connect remotely, as well as the level of responsibility, integrity and trustworthiness of the individual.
- Teleworking employees should only connect from devices approved by the remote access manager. These devices should have:
- Fully up to date software patches for all business related software including the operating system.
- In the case of a PC, a working firewall, and a fully licensed and activated antivirus application that runs full virus scans at least weekly, and partial scans at least daily.
- No existing malware of any kind.
- No installed software capable of monitoring activity, intercepting data, or collecting data.
- A Virtual Private Network (VPN) client installed that has been configured to connect to internal network resources.
- All teleworking should occur over the approved VPN connection.
- All remote connections should require Multi Factor Authentication (MFA). (Multifactor Authentication is a process where two or more sources of identification are used in conjunction with each other in order to provide a heightened level of confidence that a user attempting access is authorized to do so.)
- Employees should not copy, or transfer files from their teleworking devices to the internal network or vice versa unless approved by the remote access manager.
- Employees should be trained on secure computing, and should know what kinds of threats to watch out for.
The guiding principles here are that all external exposure to the internal network should be kept to a minimum, and that all remote access should be highly scrutinized and restricted to the extent possible. Remember, often the weak point of IT security is the employee. Make sure that connecting employees are trustworthy, and knowledgeable of the dangers that exist on the internet.