Pub. 2 2022 Issue 2

SEVEN ESSENTIAL IT SECURITY POLICIES FOR THE REMOTE WORK WORLD

By Todd Nielsen, JMARK
April 2022

A few months back, I was sitting in my home office. I glanced out the window and noticed a heifer about 100 yards away, trotting down the side of the road. I thought, “Ummm, that’s my cow!” I immediately threw on my boots and ran out after her. After some time and effort, I finally got the cow back into the pasture. I discovered that while replacing the corner posts on their fence, my new neighbors had cut my fence, breaking the tension in the line, which allowed the heifer to jump right over.

When it comes to fences, tension is vital. Tension is also a business component that, if gone unchecked, could leave your “fences” – or in other words, your security – wide open. What kind of tension are we talking about here? The kind of mental or emotional strain (i.e., tension) that brings angst, eye-rolling, and long, deep sighs. The kind of tension that results from talking about policies.

When it comes to IT and security, good policy management is the kind of strategy that often gets overlooked or outright ignored. It is not enough to have strong IT security controls; you also must have policies and procedures around security and privacy and the use and confidentiality of customer information. That has been true for a while, but when COVID came, that landscape changed along with everything else. With many employees working from home now, your data is not just located in the bank but also on devices, networks, and systems that might not be as secure as the ones in the office. Thus, new policies, or modifications to existing ones, are needed.

Here are seven important IT security policies that encompass remote and hybrid workers.

1. Remote Access Policy

The remote access policy should state who can work remotely, then define how to work while being remote. Specifically, it should define how data is supposed to be accessed, what security controls are required for remote access, what kind of data is synced, and generally anything that covers the security and HR controls for anyone working remotely.

2. Sensitive Information Policy

The sensitive information policy should explain how data is to remain secure, or in other words, what the organization and the employee are required to do to keep the data secure. This policy will discuss passwords, what data is considered secure, and how to secure data when it needs to be transferred. It should also cover how to destroy sensitive information as well as explain what is allowed to be printed as a physical copy and how to secure information to be printed. This policy will even cover the cleanliness of one’s workspace and include guidance on speaking about business matters in public places.

3. Computer Tampering Policy

This policy is unnecessary for many people, but the idea is that data could be extracted or a computer compromised if an employee were to tamper with their computer and/or modify it in a way that introduces problems. Additionally, allowing employees to do so is bad practice, as warranties could be voided. This policy could be a stand-alone policy or included in the code of conduct or another policy.

4. Bring Your Own Device (BYOD) Policy

A BYOD policy should state the controls around employee-owned devices used to perform company work. This policy includes smartphones, tablets, and computers. These devices perform many different functions, and companies need to decide what work processes or actions are allowed and how data and information on employee devices will be securely managed.

Continued on page 16
