Working from home is not new in some countries, but it is in others.
Some companies took a long time to implement a working from home strategy as part of business continuity.
Working from home was seen as unproductive, but it has proved to have a positive impact on some organisations in terms of productivity and cost saving.
Some companies have continued to encourage their staff to work from home.
Working from home requires employees to use computing devices and the internet.
What becomes critical is the exchange of information and the type of information being shared.
It is from there that appropriate technologies, tools, policies and standards are applied to provide information security assurance.
To improve security, you need to identify both your data and your physical assets and classify them according to their importance or sensitivity, so you can specify procedures for handling them appropriately based on their classification.
Organisations classify their data using labels. You might be familiar with two government classification labels – ‘Secret’ and ‘Top Secret.’
Non-Governmental Organisations (NGOs) generally use classification labels such as ‘Public’, ‘Internal Use Only’, ‘Partner Use Only’, or ‘Company Confidential.’
However, data classification can be more granular; for example, you might label certain information as ‘Human Resources Only.’
You also need to identify and classify physical assets, such as computers, smartphones, desks and company cars.
Unlike data, assets are typically identified and classified by asset type.
Often, asset classification is used for accounting purposes, but it can also be tied to information security.
For example, an organisation might designate a set of special laptops with particular software installed, and assign them to employees when they travel to high-risk destinations, so their day-to-day assets can remain safely at home.
Classification labels help users disseminate data and assets properly.
For example, if Sue has a document classified as ‘Partner Use Only’, she knows that it can be distributed only to partners; any further distribution is a violation of security policy.
In addition, some data loss prevention solutions can use classification data to help protect company data automatically.
For example, an email server can prevent documents classified as ‘Internal Use Only’ from being sent outside of the organisation.
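The e-mail check described above, written out as an added example (it is not code from the article or from any product): the outbound filter reads a classification label from the message, maps the label to the recipient domains it may be sent to, and blocks anything else. The header name `X-Classification`, the domain lists, the label-to-domain policy and the two sample messages are all assumptions constructed for this example; an unlabelled message is treated as ‘Internal Use Only’ so a missing label fails closed.

```python
"""Added example (not from the article): an outbound e-mail check that uses a
classification label to decide whether a message may leave the organisation.
The X-Classification header, the domain lists and the sample messages are
assumptions constructed for this example."""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}      # assumption: the organisation's own mail domain
PARTNER_DOMAINS = {"partner.example"}   # assumption: an approved partner's domain

# Recipient domains each label may be sent to. None means no restriction.
POLICY = {
    "Public": None,
    "Partner Use Only": INTERNAL_DOMAINS | PARTNER_DOMAINS,
    "Internal Use Only": INTERNAL_DOMAINS,
    "Company Confidential": INTERNAL_DOMAINS,
}


def recipient_domains(msg):
    """Collect the lower-cased domain part of every To/Cc/Bcc address."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    domains = set()
    for _name, addr in getaddresses(headers):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def check_outbound(raw_message):
    """Return (allowed, reason) for one raw RFC 822 message.

    A missing label is treated as 'Internal Use Only' (fail closed) and an
    unknown label is blocked outright."""
    msg = message_from_string(raw_message)
    label = msg.get("X-Classification", "Internal Use Only").strip()
    if label not in POLICY:
        return False, f"unknown label {label!r}: blocked"
    allowed_domains = POLICY[label]
    if allowed_domains is None:
        return True, f"{label}: no restriction"
    offending = recipient_domains(msg) - allowed_domains
    if offending:
        return False, f"{label}: blocked, recipients outside policy {sorted(offending)}"
    return True, f"{label}: all recipients permitted"


# Constructed sample messages (not real mail).
SAMPLE_INTERNAL = """From: sue@example.com
To: bob@example.com, Carol <carol@gmail.com>
Subject: Q3 plan
X-Classification: Internal Use Only

Draft attached.
"""

SAMPLE_PARTNER = """From: sue@example.com
To: dev@partner.example
Cc: bob@example.com
Subject: Integration notes
X-Classification: Partner Use Only

See attached.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_PARTNER):
        allowed, reason = check_outbound(raw)
        print("ALLOW" if allowed else "BLOCK", "-", reason)
```

The first sample is blocked because one recipient is at gmail.com, which is outside the ‘Internal Use Only’ policy; the second is allowed because both recipients fall within the partner and internal domains. A real deployment would also have to consider attachments and forwarded content, which carry their own labels.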
People with the right clearance can view certain classifications of data or check out certain types of company equipment (such as a company truck).
While clearance is often associated with governments or the military, it is also useful for organisations.
Some organisations use it routinely throughout their environments, while some organisations use it for special scenarios, such as a merger or acquisition.
When studying for this section, concentrate on understanding the following concepts:
Clearance: Clearance dictates who has access to what.
Generally, a certain clearance provides access to a certain classification of data or certain types of equipment.
For example, ‘Secret’ clearance gives access to secret documents, and a law enforcement organisation might require a particular clearance level for use of heavy weaponry.
Formal access approval: Whenever a user needs to gain access to data or assets that they do not currently have access to, there should be a formal approval process.
The process should involve approval from the data owner, who should be provided with details about the access being requested.
Before a user is granted access to the data, they should be told the rules and limits of working with it.
For example, they should be aware that they must not send documents outside the organisation if they are classified as ‘Internal Only.’
Need to know:
Suppose your company is acquiring another company but it has not been announced yet.
The CIO, who is aware of the acquisition, needs to have Information Technology (IT) staff review some redacted network diagrams as part of the due diligence process.
In such a scenario, the IT staff is given only the information they need to know (for example, that it is a network layout and the company is interested in its compatibility with its own network).
The IT staff do not need to know about the acquisition at that time.
This is “need to know.”
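The three concepts above (clearance, formal access approval and need to know) can be combined in a single access decision. The following is an added example, not code from the article: a user must hold a clearance at or above the asset's classification, must be in every compartment the asset is tagged with (need to know), and must have a formal approval recorded by the asset's owner. The label ordering, the compartment names, the users and the acquisition scenario in `demo()` are assumptions constructed for this example.

```python
"""Added example (not from the article): an access decision that requires
sufficient clearance, need-to-know compartments and a formal approval from
the data owner. All labels, compartments and users are constructed."""
from dataclasses import dataclass, field

# Assumed ordering of classification labels, lowest to highest.
LEVELS = ["Public", "Internal Use Only", "Company Confidential", "Secret", "Top Secret"]
RANK = {label: i for i, label in enumerate(LEVELS)}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    owner: str                               # the data owner who approves access
    compartments: frozenset = frozenset()    # need-to-know tags, e.g. {"HR Only"}


@dataclass
class User:
    name: str
    clearance: str
    compartments: set = field(default_factory=set)


@dataclass
class ApprovalRegister:
    """Formal access approvals, recorded as (user name, asset name) pairs."""
    approvals: set = field(default_factory=set)

    def approve(self, approver, user, asset):
        # Only the data owner may grant access to their asset.
        if approver != asset.owner:
            raise PermissionError(f"{approver} is not the owner of {asset.name}")
        self.approvals.add((user.name, asset.name))

    def is_approved(self, user, asset):
        return (user.name, asset.name) in self.approvals


def can_access(user, asset, register):
    """Return (allowed, reason). All three checks must pass."""
    if RANK[user.clearance] < RANK[asset.classification]:
        return False, "clearance too low"
    missing = asset.compartments - user.compartments
    if missing:
        return False, f"no need to know for {sorted(missing)}"
    if not register.is_approved(user, asset):
        return False, "no formal access approval from the data owner"
    return True, "access granted"


def demo():
    """The acquisition scenario from the text, with constructed names."""
    register = ApprovalRegister()
    it_staff = User("it-staff", "Company Confidential", {"Network Review"})
    diagram = Asset("redacted-network-diagram", "Company Confidential", "cio",
                    frozenset({"Network Review"}))
    memo = Asset("acquisition-memo", "Company Confidential", "cio",
                 frozenset({"Project Acquisition"}))
    before = can_access(it_staff, diagram, register)[0]   # no approval yet
    register.approve("cio", it_staff, diagram)            # owner grants access
    return {
        "diagram_before_approval": before,
        "diagram_after_approval": can_access(it_staff, diagram, register)[0],
        "acquisition_memo": can_access(it_staff, memo, register)[0],
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

In the scenario, the IT staff member is cleared to ‘Company Confidential’ and approved by the CIO for the network diagram, so that access succeeds; the acquisition memo carries the same classification but a compartment the user is not in, so it is denied even though the clearance level would suffice. That is the need-to-know principle expressed as a check rather than as a policy sentence.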
Determine data security controls
You need data security controls that protect your data as it is stored, used and transmitted.
Understanding data states
The industry identifies three data states:
• Data at rest is data stored on a storage medium (disk, USB drive).
• Data in motion is data moving from a source (such as a computer) to a destination (such as another computer).
• Data in use is data that is actively being worked on (for example, a person editing a spreadsheet).
Scoping and tailoring
Scoping is the process of finalising which controls are in scope and which are out of scope (not applicable). Tailoring is the process of customising the implementation of controls for an organisation.
Standards selection is the process by which organisations plan, choose and document technologies and/or architectures for implementation.
For example, you might evaluate three vendors for an edge firewall solution.
You could use a standards selection process to help determine which solution best fits the organisation.
Vendor selection is closely related to standards selection but focuses on the vendors, not the technologies or solutions.
The overall goal is to have an objective and measurable selection process.
If you repeat the process with a totally different team, then they should come up with the same selection as the first team.
In such a scenario, you would know that your selection process is working as expected.
Data protection methods
The options for protecting data depend on its state.
Data at rest – You can encrypt data at rest.
You should consider encryption for operating system volumes and data volumes and you should encrypt backups, too.
Be sure to consider all locations for data at rest, such as tapes, USB drives, external drives, and optical media.
Data in motion – Data is in motion when it is being transferred from one place to another.
Sometimes, it is moving from your local area network to the internet, but it can also be internal to your network, such as from a server to a client computer.
You can encrypt data in motion to protect it.
For example, a web server uses a certificate to encrypt data being viewed by a user, and you can use IPsec to encrypt communications.
There are many options.
The most important point is to use encryption whenever possible, including for internal-only websites available only to workers connected to your local area network.
Data in use – Data in use is often in memory because it is being used by, say, a developer working on some code updates or a user running reports on company sales.
The data must be available to the relevant applications and operating system functions.
There are some third-party solutions for encrypting data in memory, but the selection is limited.
In addition to keeping the latest patches deployed to all computing devices, maintaining a standard computer build process and running anti-virus and anti-malware software, organisations often use strong authentication, monitoring and logging to protect data in use.
Working from home carries risks that need to be managed.
Risks – lost or stolen devices, malware, multi-communication channel exposure, weak authentication, multi-tenant deployments, security of cloud computing deployments, third-party risk, data breaches, denial of service, and malicious insiders.
Countermeasures – meeting mobile security standards, tailoring security audits to assess mobile application vulnerabilities, secure provisioning, control and monitoring of application data on personal devices, cloud computing security assessment, compliance-audit assessment of cloud computing providers, due diligence, encryption in transit and at rest, and monitoring.
The author is a speaker, mentor, educator, trainer, professional and community leader, IT and cybersecurity leader. For comments email: ICTMatters@kingston.co.zm; www.kingston.co.zm.