The COVID-19 pandemic, and the decisions businesses have had to make to ensure employee safety and business continuity, is a timely reminder of how important it is for each business to have a documented and regularly tested business continuity plan.
First and foremost, employee safety is the number one priority. This is a recurring theme for information security certifications such as CISSP®, CCSP®, CISM®, and CRISC®. You cannot guarantee the long-term viability of your business and meet minimum service delivery objectives (SDO) unless you have the minimum number of employees defined in your Business Impact Analysis (BIA) for each critical business process.
Secondly, each business will need to make sure that a decision to allow employees to work remotely from home isn’t just a snap decision. Again, employee safety is a primary consideration. During normal times, i.e. no pandemic, employees wishing to work remotely would require their Workplace Health & Safety (WHS) officer to inspect the home office of the employee to ensure it meets minimum ergonomic requirements.
Once that inspection is passed, data sensitivity and the appropriateness of allowing remote work activities from home need to be risk-assessed. Employees using their own devices are effectively engaging in a Bring Your Own Device (BYOD) programme, in which case, because the employee’s own device is being used, it must meet minimum security standards to satisfy data handling and privacy concerns.
This will often necessitate ensuring, as a minimum:
- Not logging in as a privileged user; ensure all work activities are carried out as an unprivileged user
- Ensuring an up-to-date endpoint detection and response (EDR) application is installed from a reputable source and is being maintained and updated as frequently as possible. Some well-known brands of virus protection software currently available are McAfee, Kaspersky, Norton and Trend Micro, just to name a few.
- Ensuring employees DO NOT download sensitive data onto their home office system, but if they do, that they work from a removable device that is encrypted
- Ensuring that all applications are patched and up-to-date
- Ensuring that the operating system is patched and up-to-date
- DO NOT use home or personal email to conduct business
- DO USE a Virtual Private Network (VPN) to connect into your workplace systems
If this seems hard, it is also hard and time-consuming to clean up after a data spill or privacy breach. Rather than the employee providing the asset, another option to consider is a laptop or desktop provided by their employer.
The COVID-19 pandemic has presented a challenge, but business does not have to stop. At ALC, we have seen this as an opportunity to bring forward our plans to offer virtual classroom training.