Remote Working and Considerations for Information Security
The concept of remote working is associated with higher information security risks than the traditional office environment. Consequently, organizations with teleworking employees should consider integrating adequate security safeguards to minimize the susceptibility of their systems, networks, and data (Greene, 2014).
Where workers discharge their responsibilities outside the traditional office settings, organizations are continually struggling to implement effective security features due to the increased susceptibility of organizational systems, networks, and data (Chapple et al., 2018).
For instance, an organization cannot determine with certainty that workers are using the provided devices exclusively for work purposes. Similarly, it is significantly challenging to establish whether employees are using personal devices for official purposes and what security features are installed on such equipment.
Threats to be Considered and Applicable Preventive Mechanisms
Phishing emails, accessing company systems and networks using unauthorized devices, utilizing open Wi-Fi networks, and unencrypted file sharing are high-priority threats that should be considered by an organization with remote workers. They account for the largest avenues through which remote workers expose an organization to vulnerabilities and data breaches. For instance, a significant proportion of database compromises are executed through email-based phishing and ransomware (Jampen et al., 2020; Ghazi-Tehrani & Pontell, 2021).
An organization with remote workers can minimize its susceptibility by training employees, issuing company-owned devices, and installing anti-phishing security tools on such devices and systems.
Additionally, it can impose a mandatory file-encryption requirement before such files are transferred over an external network. Such a protocol is an effective mechanism for enhancing data security.
IT Security Policy Document for Remote Workers
This IT Security Policy provides the protocols, measures, procedures, and controls pertaining to the safe and secure collection, application, usage, and access of the company’s computing resources, data, networks, and systems. The policy’s scope applies to all employees working remotely whose functions relate to the handling of company information and data.
The objective of this policy is to promote the safe, secure, ethical, and responsible handling of all data. It also seeks to establish adequate safeguards to mitigate risks and threats to the company data and systems.
The policy has been established to ensure the company meets the statutory, regulatory, and legal obligations regarding the handling of all data as envisaged by the data protection laws.
Remote workers whose duties do not involve handling data or sensitive company information are exempt from the applicable provisions of this policy. The organization will administer appropriate disciplinary measures where violations of the policy occur.
Applicable ISO 27002:2013 Domains
The applicable ISO 27002:2013 domains and sections for this policy include compliance with legal requirements, the management of information security incidents and applicable improvements, and information transfer and network security management.
Further, it will incorporate access control and such operational security responsibilities and requirements as backup, protection from malware, regular system audits, and technical vulnerability management. These domains will cumulatively foster the security and safety of data and information accessed and used by teleworkers.
Chapple, M., Stewart, J., & Gibson, D. (2018). (ISC)2 CISSP Certified Information Systems Security Professional official study guide (8th ed.). Sybex.
Ghazi-Tehrani, A., & Pontell, H. (2021). Phishing evolves: Analyzing the enduring cybercrime. Victims & Offenders, 16(3), 316-342.
Greene, S. (2014). Security program and policies: Principles and practices (Certification/Training) (2nd ed.). Pearson IT Certification.
Jampen, D., Gur, G., Sutter, T., & Tellenbach, B. (2020). Don’t click: Towards an effective anti-phishing training. A comparative literature review. Human-Centric Computing and Information Sciences, 10(33), 1-41.