Work From Home: ISO 27001 Controls for Tele-Working
Though WFH and tele-working has become ubiquitous and though most companies, by now, have settled on their Work-From-Home (WFH) and tele-working techniques, tactics and procedures (TTP) there’s still some confusion amongst stake holders about this new work environment norm. I decided to pen down this primer on the controls that are deemed necessary from an ISO 27001 (ISMS) perspective for tele-working and WFH. WFH and/or tele-working has significantly increased information security risk for organization of all stripes and sizes. Information Security Management System (ISMS) controls, as suggested in ISO/IEC 27001 can be implemented to mitigate WHF/Tele-working risk significantly.
First off, let us review what is tele-working? There are several definitions out there defining tele-working. All definitions seem to have two things in common: a) The employee is working from outside of the organization’s physical environment and b) The employee is using some kind of information and communication technology to stay connected to the office’s technology environment. Given these two common attributes, tele-working could refer to the following scenarios: a) Employees are either working from home (referred to as WFH) or are working from any location other than home or office (e.g. Coffee-shop), b) Employees are using either a non-mobile desk-top computer or a mobile device (e.g. Mobile phone, tablet or a laptop computer) to connect to the corporate network and c) Employees are using either a private network or a public network to connect.
Each of the above mentioned scenarios have specific risk associated with them and knowing the exact scenarios will help in identifying controls one needs to implement to control risk. Having said that, and generally speaking, risks associated with tele-working could be enumerated as follows:
- An unauthorized person (e.g. a family member or a friend) may use the device used for regular access of the organization’s system and may unintentionally (or intentionally) access sensitive information from organization’s systems.
- The device itself may be lost or stolen and with that all information it contains.
- Lost or stolen device maybe used for unauthorized access to organization’s system.
- If the access device is outdated and not maintained, there could be vulnerabilities in the system, which could be compromised and then device could be used to gain unauthorized access to organization’s system.
- The communication network between remote access location (e.g. home) and organization’s system may be breached leading to man-in-the-middle (MiTM) attack which in turn may lead to breach of sensitive information.
- Hardcopy information printed or downloaded at remote worksite may be compromised, lost or stolen. As also, unauthorized access may lead to unauthorized download/printing of sensitive information.
ISO 27001 Controls for tele-working: ISO 27001 provides a framework of controls for controlling risk associated with tele-working in its Annex A (detailed in ISO 27002). It provides the best practices to control various risks associated with tele-working. The primary relevant controls are A.6.2.1 (Mobile device policy) and A.6.2.2 (Tele-working Policy). The primary document encapsulating these controls is: Mobile device and tele-working policy. The organization, through this policy, can set the rules for implementing controls necessary to protect: access, store and/or process information while tele-working. The policy can help define:
- Who may tele-work (Sales staff, IT staff, Customer Service Agents etc)
- What applications / Systems are to be made available to the remote staff (e.g. Sales Tracking System, IT Development Environment, CRM etc)
- What information is to be made available to the tele- working staff. Information classification control should be implemented per ISO 27001 (A.8.2.1) and should be encapsulated in Information Classification Policy.
- What kind of Access Control Policy should be implemented per ISO 27001 (A.9)
- What kind of Network Security Control should be implemented per ISO 27001 (A 13.1)
- How remote work site and devices should be configured (e.g. shared rooms should not be used or should be avoided to be used if possible).
- What should be the policy for the use of cryptography for data/information maintained/kept at the remote site.
- What should be the backup policy.
In addition to the above policies, implementing security awareness, education and training within the workforce about the specific risks and controls associated with tele-working as per ISO 27001 (A 7.2.2) will go a long way in educating the workforce about all the perils associated with tele-work. Such training program may specifically include instruction on how to take precaution about opening emails and/or how to set strong passwords etc. Such programs should also specify disciplinary action on willful negligence on tele-working employee’s part.
In the current Covid-world that we live in, and even in the post-covid world, it is a general belief that WFH and tele-working is here to stay. Companies can safely adapt to the new norm by adopting the standard controls laid out in the ISO 27001 standard to keep their information and related assets secured. The framework’s robust set of controls secures all aspects and dimensions of WFH and/or tele-working setup.
