
Future-proofing WFH policy

13 July 2020 | Abhilash Govindaraj

Many organisations have not been comfortable with the notion of work from home (WFH), mainly because of their established work cultures and a lack of documented policy and direction. Unfortunately, when COVID-19 brought mandated WFH, many businesses and employees found themselves unprepared to transition effectively to the new WFH reality, whether because it was inconvenient, because it went against tradition, or because they had not been provided with the right tools and technology to be productive.

GulfTalent conducted a WFH survey in March 2020 across the six GCC countries, aimed at company executives, managers, and human resource professionals. Its main objective was to understand their plans to introduce WFH for their employees in the midst of the COVID-19 pandemic. A summary of the survey results, based on 1,600 responses, is provided below:

[Chart of survey results not reproduced; see the reference below. The figures cited in this article: 54% of respondents had no plans yet, and 11% said they definitely would not implement WFH.]

Reference: https://www.gulftalent.com/resources/employment-news/one-third-of-gulf-companies-planning-work-from-home-to-combat-coronavirus-threat-87

Why did 54% of the respondents have no plans yet, and why did 11% say that they definitely would not implement WFH, in the midst of a global pandemic? The reasons vary, but a common contributing factor is likely to have been the uncertainty of venturing into uncharted waters without proper management guidance and direction. Note that the survey results were already three months old at the time of writing; many of the organisations that had no plans, or did not intend to make any, were eventually forced to follow suit with the rest of the world.

It would be interesting to learn and understand the thought processes that went into finally deciding to implement WFH.

  • Did they have relevant benchmarks or frameworks to aid in their decision-making?
  • Did they consider all legal and ethical responsibilities - both the organisations and the employees’?
  • Did they have the luxury of time to explore and leverage new technologies to maintain employee productivity?
  • Did they consider the information security risks that go hand-in-hand with WFH?
  • And last but not least, did they already have a WFH Policy, to help the management make an informed decision while ensuring legal and regulatory compliance?

What COVID-19 has taught us is that WFH is no longer optional: for many organisations it is essential to sustaining operations and surviving a global calamity. Hence, to protect all stakeholders involved, organisations must develop, maintain, and implement a robust WFH Policy that addresses potential information security risks from both a governance and an operations standpoint.

Risk Assessment

Before developing the WFH Policy, a detailed risk assessment (covering both governance and operations) should first be performed, taking into consideration all potential threats, existing controls, and vulnerabilities that the organisation faces in remote or home environments. Availability is one critical factor that is commonly overlooked during risk assessments, yet the availability, capacity, and reliability of the underlying remote infrastructure (VPN gateways, VDI capacity, identity and MFA services, internet links) play a vital role in ensuring continued employee productivity; the risk assessment must therefore delve deep into these areas. At the end of the risk assessment, the identified risks should be documented and prioritised for treatment in a detailed risk treatment plan, with clear owners and timelines for addressing each identified risk.

Policy Definition

A bonus outcome of the risk assessment is that the organisation gains a deeper understanding of its current capability (in terms of people, process, and technology) to provide secure and reliable remote work services to its employees. By integrating the risk assessment results and the identified control gaps, an organisation is better equipped to define or enhance its WFH Policy.

Critical focus areas that need to be incorporated as part of developing or enhancing the WFH Policy are outlined below:

  • Defining the criteria (e.g. duration of remote work, levels of access required, the sensitivity of work carried out, etc.) that decide the approval process a potential remote worker must be subjected to, prior to commencing any remote or home office activities.
  • Providing references to defined workflows, request forms, etc. for the remote or home work approval process.
  • Capturing mandatory details as part of the approval request, such as the physical address of the remote/home site, contact numbers, duration of remote/home work, details of organisation’s IT assets that will be used at the remote/home site, required access to internal/corporate systems, etc.
  • Mandating security controls that must be in place to ensure a secure and seamless remote work experience, covering areas such as, but not limited to:
    • Endpoint security, e.g. hardening, endpoint protection and anti-malware software, full-disk encryption, Data Loss Prevention (DLP), patching, automated security compliance (posture) checks before access is granted, etc.
    • Secure remote access/connectivity, e.g. Virtual Private Network (VPN), Virtual Desktop Infrastructure (VDI), Multi-Factor Authentication (MFA) for all remote access, etc.
    • Direct communication channels, e.g. use of an SMS gateway for delivering critical messages during IT outages/downtimes, when email and collaboration tools may themselves be unavailable.
  • Defining the roles and responsibilities of all support teams (e.g. Information Technology, Information Security, IT Security, etc.) with regard to provisioning and maintaining the mandatory security controls, including Service Level Agreements (SLA) / Operational Level Agreements (OLA).
  • Defining the remote worker's responsibilities at the remote or home environment in safeguarding the organisation’s information assets, while maintaining the expected levels of productivity such as, but not limited to:
    • Complying with the organisation’s acceptable usage policy, e.g. keeping the computing devices secured at all times from unauthorised access, physical damage, loss, etc.
    • Abiding by the communication routines and objectives agreed with their respective managers.
    • Ensuring the availability of a secure, safe, clean, and ergonomic workspace.
    • Ensuring availability of adequate network connectivity.
    • Ensuring access to emergency phone numbers, first-aid kits, fire-extinguisher, and any other equipment mandated by the organisation or the government.
    • Ensuring availability of surge protectors, alternate/backup power sources, spare batteries, power banks, etc.
    • Reporting security non-compliance, issues, incidents, etc. immediately to the concerned authority.
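As an added example (not code from the article or from Digital14), the following Python script shows what the "automated security compliance checks" mandated above can look like in practice: an admission check that evaluates each remote device's reported posture against the policy's controls, ties the device back to the organisation's IT asset register, and quarantines anything that does not comply, failing closed when a control is simply not reported. The control names, thresholds, asset tags and sample posture records are all hypothetical and constructed inline.

```python
"""Automated endpoint posture check for remote-access admission.

Added example, not from the article. It evaluates a constructed posture
record per device against the mandated controls and returns an admission
decision. Control names, thresholds and asset tags are hypothetical.
"""
from datetime import date
from typing import Dict, List, Tuple

# Controls the policy mandates on every remote endpoint (hypothetical keys).
REQUIRED_CONTROLS = {
    "disk_encrypted": "endpoint encryption",
    "endpoint_protection_running": "endpoint protection / anti-malware",
    "dlp_agent_running": "Data Loss Prevention agent",
    "screen_lock_enabled": "screen lock",
    "mfa_enrolled": "multi-factor authentication enrolment",
}
MAX_PATCH_AGE_DAYS = 30                       # hypothetical threshold
APPROVED_ASSETS = {"D14-00417", "D14-00512"}  # hypothetical asset register

# Constructed sample posture records, as a posture agent might report them.
AS_OF = date(2020, 7, 13)
SAMPLE_POSTURES = [
    {"hostname": "wfh-lap-01", "asset_tag": "D14-00417",
     "disk_encrypted": True, "endpoint_protection_running": True,
     "dlp_agent_running": True, "screen_lock_enabled": True,
     "mfa_enrolled": True, "last_patch_date": "2020-07-01"},
    {"hostname": "wfh-lap-02", "asset_tag": "D14-00512",
     "disk_encrypted": True, "endpoint_protection_running": True,
     "dlp_agent_running": False, "screen_lock_enabled": True,
     "mfa_enrolled": True, "last_patch_date": "2020-05-20"},
    # Personal machine: not in the asset register, and the agent reported
    # nothing about disk encryption or patch level.
    {"hostname": "home-pc", "asset_tag": "N/A",
     "endpoint_protection_running": True, "dlp_agent_running": True,
     "screen_lock_enabled": True, "mfa_enrolled": True},
]


def evaluate_posture(posture: Dict, as_of: date) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine", [reasons]).

    Fails closed: a control missing from the report counts as a failure,
    not as "unknown", so an outdated or tampered agent cannot pass by
    omitting fields.
    """
    failures: List[str] = []

    # Only organisation-registered IT assets may connect (policy requires
    # the asset details on the approval request).
    if posture.get("asset_tag") not in APPROVED_ASSETS:
        failures.append("device is not a registered organisation IT asset")

    # Every mandated control must be explicitly reported as enabled.
    for key, label in REQUIRED_CONTROLS.items():
        if posture.get(key) is not True:
            failures.append(
                f"{label} missing or disabled ({key}={posture.get(key)!r})")

    # Patch freshness, computed against the supplied reference date so the
    # decision is reproducible.
    last_patch = posture.get("last_patch_date")
    if last_patch is None:
        failures.append("patch status not reported")
    else:
        age_days = (as_of - date.fromisoformat(last_patch)).days
        if age_days > MAX_PATCH_AGE_DAYS:
            failures.append(
                f"last patched {age_days} days ago (limit {MAX_PATCH_AGE_DAYS})")

    return ("allow" if not failures else "quarantine"), failures


def check_fleet(postures: List[Dict], as_of: date) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every reported device; results keyed by hostname."""
    return {p["hostname"]: evaluate_posture(p, as_of) for p in postures}


if __name__ == "__main__":
    for host, (decision, reasons) in check_fleet(SAMPLE_POSTURES, AS_OF).items():
        print(f"{host}: {decision}")
        for reason in reasons:
            print(f"  - {reason}")
```

In a real deployment the posture record would come from the endpoint management or VPN/VDI agent rather than a constant, and a "quarantine" decision would map to a restricted network segment with remediation-only access. The property worth copying is the fail-closed evaluation: a device whose agent omits a field, or that is not in the asset register, never reaches "allow".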

Implementation

Prior to selecting and finalising the remote/home work technologies for implementation, it is crucial to perform a rigorous evaluation of shortlisted technologies by involving key stakeholders; this ensures alignment with the organisation’s business and security requirements. Once the technologies are finalised, the organisation should establish a detailed implementation plan in coordination with all key stakeholders and at a minimum, must include:

  • Goals and objectives
  • Details of the pilot program
  • Roles and responsibilities
  • Schedules and timelines
  • Tasks and deliverables
  • Test plans
  • End user training plans

It is essential to run the selected technologies through a pilot program for a defined period, targeting a group of end users who will use them under the pilot's stipulations. A successful pilot program gives stakeholders a level of assurance on the technologies' expected Return on Investment (ROI) by:

  • Testing and confirming features, capabilities, and use cases in alignment with business and security objectives.
  • Addressing potential challenges, problems, issues, etc. before full-scale implementation.
  • Gaining an in-depth understanding of all prerequisites and necessary technological changes.
  • Determining how and where time and resources need to be allocated and streamlined.
  • Addressing feedback obtained from the target group.

Upon successful completion of the pilot program, the organisation should update the implementation plan based on lessons learned and commence full-scale implementation. This phase also involves developing additional documentation (procedures, processes, guidelines, etc.) aimed at both administrators and end users of the remote/home environment, for example: 1) procedures for the installation and maintenance of the remote/home work technologies and infrastructure, aimed at IT administrators, and 2) end-user guidelines to help remote workers use the remote/home environment effectively and securely.

Before being rolled out to the end-user community, the remote/home work environment must go through rigorous testing as per the defined test plans to validate its security, usability, availability, and capacity. It is essential for all end users to undergo appropriate training, to ensure secure and effective use of the new remote/home environment.

Conclusion

An organisation’s information security journey involves traversing through a continuous improvement cycle of planning, implementation, review, and enhancement of information security controls. This cycle is critical in ensuring that the organisation’s information security efforts remain in line with their ever-changing threat environment, risk exposure, and business objectives. To learn more about how Digital14 can assist you in your information security journey, using our national and international standards-aligned risk-based approach, please visit https://digital14.com/protect.html.
