The COVID-19 pandemic has sent us all scrambling to ensure we protect our most valuable assets, which include ourselves, our families and our team members. By now most organisations have dusted off their business continuity plans (BCP) and have started execution. Others are trying to update their plans, and still others are just trying to create one. Given the many precautions relating to COVID-19 and the possibility of some countries declaring a national disaster and prohibiting the movement of people, many employers are now contemplating how they can effectively facilitate their employees working remotely (work from home).
Understanding the Risks
While it is important to continue to turn the wheels of productivity, businesses have an obligation, especially in a time of crisis, to do so responsibly. Therefore, it is important that businesses be prudent in their decision-making processes and assess the implications of any change in strategy. Before implementing a strategy for employees to work remotely, businesses should consider the following:
What are the services that are critical to your operations?
What processes are important for the services to be effective?
Who are the people that are important to the process and service?
Can the services be offered remotely? (Cloud, VPN, Terminal Services, etc.)
Do the employees have devices to access the services remotely, and are these company-owned or personal devices?
If they are personal devices, do they meet your organisation’s minimum security requirements?
Do the employees have adequate Internet access?
If services are not in the cloud, can your infrastructure support remote connections?
If remote services are new to your organisation, have you taken precautions to ensure that your implementation does not expose your organisation and its information assets?
Mitigating the Risk
Ensure that you understand the risks involved and be prepared to mitigate, transfer or accept the risks.
Use qualified practitioners to assist; while this may have cost implications, it may save you in the long run.
Develop a change management strategy with adequate “what if” scenarios.
Identify a “what if” role: the person who will always challenge the strategy. Everyone saying yes is not always good, as it could lead to blind spots.
Test remote connections to ensure only what you plan to expose is exposed.
Ensure your Internet bandwidth and speed are adequate for the services.
Implement a “Defense-in-Depth” strategy, as this provides another layer in the control chain should the previous layer be compromised.
Ensure that you consider controls relating to privacy (protection of personally identifiable information).
Protect the confidentiality and integrity of the information being offered through the remote services.
Implement a communication and collaboration strategy between team members.
Despite best efforts, controls can and will fail due to errors and other security incidents; ensure that you have a response strategy and plan.
I hope that you find these questions and tips helpful and a good start to your business continuity planning. In the end, however, it is important to remember that while our information assets are important, human lives are more valuable. Let us ensure that we first and foremost secure the health and well-being of our people. Please stay safe and keep others safe by practicing good personal hygiene.
Andrew Nooks is a Director with Symptai Consulting Limited, a leader in information security assurance and advisory services. Nooks has over twenty-five years of experience in information systems administration, audit and security assessments, and is responsible for efficiency, growth, innovation and disruption at Symptai.