Executives: Security Awareness for the Disaster Recovery Scenario
With a distributed workforce there are a lot of moving parts executive management may currently be considering. The first thing to consider is the risk of exposure of confidential information at a remote setting. At home, or at a remote location, there is a long list of external factors that can result in the exposure of confidential information. Furthermore, some employees will not follow recommended protocol, which increases risk substantially. This article was created to remind decision makers of the risks associated with working remotely.
Remember, it is good to give employees tips and tricks on how to further secure their home network, their routers, and their Wi-Fi. Make sure employees have the resources to secure their devices and to connect to VPNs.
Remembering Audit And Internal Controls
Sometimes we forget in the middle of a disaster that we will still have the audit that validates that all of our controls are working as intended. The problem is, when you are in a disaster recovery scenario, the frequency of your control activities might be off. Make sure the decisions made by the decision-making committee go through the risk management process and that all decisions have been properly documented (e.g. the IT remote help desk has broader powers because you have to expand the number of resources that serve as primary and backup). As long as you are walking through those decisions, evidencing them, and being very clear about them, your audit will be able to support your decisions.
Think about the disaster recovery plan. At some point, you probably did a business impact assessment, went through each business function, and prioritized it. The auditor will want to see the disaster recovery plan. He or she will want to see your scenario, how you executed it, and how you came back to normal operations. Make sure exceptions to any of your controls are tracked, monitored, reported, and authorized, and that it is clear how your outstanding risks are being managed. Keep this in mind and you will not have a surprise at the end.
Getting Back to Normal Operations Difficulties
Sometimes you will find that getting back to normal operations is difficult because employees do not cooperate. You need to consider the impact of employees accessing data from unsecured devices and holding back normal operations. One exposure that often gets overlooked is developers using non-authorized devices to do development. This creates an issue because the code is now on a personal device rather than your organization’s device, meaning you will not be able to scan the personal device to find vulnerabilities. Working remotely means you will not always control how information is being downloaded or uploaded the way you can in an office environment. You might want some additional oversight to review code and control it.
Plan For a Long Term Disruption
What if your organization is forced to work remotely for longer than a week or two? What if this disruption lasts for over a month? You might want to take some of the pressure off your team and cancel, or move, things to a later date. It is a chaotic disruption to go off-prem and then come back on-prem. You may want to think about how you want to re-prioritize things. This will be a good time to assess the key business functions that have the greatest impact. It will also show which applications, software, and services you are most dependent on for compliance. During this time, remember to constantly update the plans while you are actually living the plan in real time.
Employees need to know their roles and responsibilities: how they access information, how they separate personal and professional files, and what the consequences are. During disasters, confusion can build over time and ambiguity can linger. You should think about how you are communicating the cyber security requirements for your organization. Not just the protection of the Wi-Fi, encryption, and 2FA; also remember that each individual employee is working out of a whole different environment. Their neighborhoods are different and they may act differently under stressful situations. You must help them realize they must take the precautions: not only how to protect data when they’re working from home, but also how to ask questions and how to report problems.