A lot of these articles are basic re-hashes of official guidance so I avoid publishing them. I’ve also avoided sending shameless “Product XYZ protects you against COVID-19 scams” emails as, like with GDPR previously, my mailbox is clogged with this stuff. This summary is from a law firm and has more details about non-technical controls that you should take a look at:
The Massachusetts Institute of Technology defines administrative controls as “the human factors of security.” In other words, administrative controls refer to the policies, procedures, or guidelines that determine which employees have access to network resources and assets, what level of access those employees have to those network resources and assets, and how to manage security within your business’ framework.
- Review your current policies regarding working remotely and using personal devices (BYOD or “bring your own device”). If your current policies lack specificity, consider sending guidelines on best practices to your employees to address security.
- Consider implementing information classifications to reduce access to confidential assets. Remote entry points increase your information technology (“IT”) security risk footprint. Limiting access to confidential information to only those having a “need to know” helps reduce this footprint and risk.
- Review your procedures on how to contact your employees quickly, in the case of an emergency, including during a security breach. Your response plan needs to include communication methods outside of the computer network should the network become compromised. Update contact lists to take into account your remote workforce.
- Communicate with your employees often to maintain risk awareness. Outside of the normal work environment, an employee’s work habits are altered and the normal office rigor may be relaxed. Remind employees about security policies and procedures and the increased risk of phishing attacks. The World Health Organization (“WHO”) and the Federal Trade Commission (“FTC”) have active websites reporting on trends in scams capitalizing on the COVID-19 pandemic and provide helpful tips:
Physical controls describe those tangible practices used to protect against unauthorized access to physical areas, systems, or assets. A remote workforce must guard confidential information just as if they were in the office.
- Procedures requiring shutting down a computer or closing out programs when they are not in use should still apply at home. Laptops and other mobile devices should not be left unattended in cars or public areas. Work devices should not be used by other family members. Employees should be reminded to be aware of their environment and not work on sensitive information in public areas where their papers or screens may be viewed or their conversations may be heard.
- Remind employees that company information should never be downloaded onto their personal devices or cloud services. Consider disabling drives that enable copying company information to removable media, such as USB devices.
- Institute regular monitoring of your premises and assets. Make sure server rooms and other confidential information repositories are locked and secured from physical access. Where necessary, monitor heating, ventilation, air conditioning, and humidity controls (e.g., in server rooms) to ensure your server rooms and network closets are operating in an optimal environment.
Technical controls describe the hardware and software used to protect assets. These controls are typically managed through IT, such as implementing firewalls, antivirus software, intrusion detection, and encryption protocols.
- Verify you have, or implement now, “oversight” technologies for additional security, such as:
  - requiring two-factor authentication;
  - using a VPN (Virtual Private Network) and prohibiting access to company systems from public Wi-Fi connections (if a VPN is not possible, identifying how employees can better secure their home network); and
  - requiring security software on employee devices, including anti-virus software and mobile device management software (which permits remote wiping of devices, strong password enforcement, data encryption enforcement, and limitations on software and app installation).
- Additionally, make sure your IT group is available to handle the increased load that corresponds with more employees working from home.