Businesses with any level of remote work in their environment SHALL produce and distribute a Remote Working Policy that outlines security procedures and requirements for remote work activities.

Ever since the COVID-19 pandemic of 2020–2023, organizations across the world have embraced remote work options within their environments. Businesses that perform a large portion of their workflows digitally may decide that a fully remote or hybrid structure is best suited for their operations.

Remote working introduces several security risks to a business. These stem mainly from employees using company resources from networks and devices whose security posture is unknown. Because those networks and systems are typically outside the IT governance of the business, it becomes difficult to control how company data is handled on them.

Businesses that utilize any level of remote work must develop a comprehensive policy addressing security governance for remote workers. The policy should mandate a series of security procedures that employees must follow when initiating a session with business resources.

Organizations may choose to issue remote employees company devices that are fully configured and managed by corporate IT. Alternatively, some businesses may allow employees to use their personal devices for remote work. In that case, the business should require the device to be enrolled in Mobile Device Management (MDM) and mandate that all company workflows run on the managed device.

If a business chooses to allow personal devices without taking full control of the device, it can instead implement Mobile Application Management (MAM). MAM places only the business-specific applications and the data inside them under organizational control (for example, blocking copy-and-paste or file saving from managed apps to unmanaged ones), typically supplemented with additional safeguards such as Data Loss Prevention (DLP).

In either scenario, some form of centralized governance must be enforced on personal devices to prevent the leakage of business data to unsecured resources.

Additional controls are recommended to protect data in transit between the employee's network and the company network across the internet. A remote access Virtual Private Network (VPN) is the standard technology for this purpose. VPN profiles are distributed to employees, allowing them to connect securely during work sessions. The VPN creates an encrypted, authenticated tunnel over the internet to the business network, making the employee's device appear to be operating within the corporate environment and giving it access to internal resources such as network file shares and application or database servers. Note that a VPN protects traffic in transit only; it does nothing to secure the endpoint itself, so a compromised remote device connected over the VPN is effectively an attacker inside the perimeter. This is why the device management controls above remain necessary alongside the VPN.

Both usability and security of VPN technology can be improved with an always-on VPN: the client establishes the tunnel automatically at boot or login, so the employee never has to remember to connect, and when configured as a full tunnel it becomes the device's default route, so all traffic passes through the corporate gateway rather than leaving the device unprotected over the home network. Split-tunnel configurations, which route only corporate destinations through the VPN and send general internet traffic directly, reduce load on the corporate gateway at the cost of that coverage and should be a deliberate policy decision rather than a default.
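As an added illustration of the full-tunnel versus split-tunnel choice described above (this is not configuration from the original page, and the page does not name a specific VPN product), the following is a WireGuard client profile. The endpoint vpn.example.com, the 10.8.0.0/24 tunnel network, the 10.0.0.0/8 corporate range, the internal DNS server and the key placeholders are all assumed values for the example.

```ini
# Example WireGuard client profile (added illustration; all addresses, names and
# keys below are hypothetical placeholders, not values from the original policy).
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.10/32
# Resolve names through the corporate resolver so internal hostnames work
# and DNS queries do not leak to the home network's resolver.
DNS = 10.0.0.53

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# Full tunnel: every packet, including general internet traffic, is routed
# through the corporate gateway. Pair this with the client's always-on and
# kill-switch features so that no traffic leaves the device outside the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
# Split-tunnel alternative (use instead of the line above, not in addition):
# only the corporate range traverses the VPN; internet traffic leaves directly
# via the home network and is not inspected or protected by the tunnel.
# AllowedIPs = 10.0.0.0/8
# Keep NAT mappings on the home router alive so the tunnel stays up when idle.
PersistentKeepalive = 25
```

The only difference between the two modes is the AllowedIPs line, which is what makes the policy decision easy to audit: a profile that lists anything narrower than 0.0.0.0/0 and ::/0 is a split tunnel, whatever the client's connect-at-login setting says.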

In addition to outlining security controls, a remote work policy should incorporate the organization’s Acceptable Use Policy (AUP), adapted for a remote context. The policy should clearly state the organization’s rights to manage remote work sessions, including monitoring and logging activity, patching applications, and revoking access when necessary.

Contact information for appropriate IT personnel and governance teams should also be provided.

Once the remote work policy has been reviewed and approved by senior management, it should be distributed to all remote employees. Employees should be required to formally acknowledge and agree to the terms outlined in the policy. Ongoing security awareness training focused on remote work risks and best practices should also be provided.