With predictions that home working, at least in part, is here to stay for many employees, many businesses and organisations are updating policies. This includes information security policies. With ISO 27001 providing the basis for many information security policies, how will you update it to take into account the challenges of remote access and remote working?
Home or remote working became a challenge that many British businesses had to balance along with other operational challenges during the recent pandemic. Many businesses and employees were surprised to find just how well it worked and as a result, have decided to continue with this new status quo.
There will be bumps in the road that need ironing out. One concern is how remote or home working affects the obligations in law that you, as a business, have towards the use, processing and storing of data.
Can remote workers access information from home?
There is nothing in ISO 27001 or in the laws governing data protection that says home working should be stopped or prevented, but, whether people are working in an office or in another setting, the security of data and information is crucial. Updating policies will be something many businesses will be seeking to do, but what needs amending?
- Physical security – how secure is the physical location of employees? With people working from home, as a business you need to be confident that your employees understand the sheer importance of looking after information and of minimising the possibility of unauthorised people accessing it. Physical security is important and should not be underestimated. You will also need to consider what should happen if, for example, the physical location is broken into.
- Overall security of information – from others in the household inadvertently glimpsing confidential information to the theft of sensitive material, your policy needs to be updated to highlight employees' responsibilities for safeguarding information and what should happen if it is compromised.
- Remote access – it is not uncommon to find that different employees have different levels of information security access. In other words, your policy may state what people can access depending on their level of seniority in the business or dependent on the role that they do. When it comes to remote working, you may want to amend your policy so that when people work from home, their access is also tiered.
- Levels of sensitivity – grading information by its level of sensitivity can also help to safeguard it and to control how and where it is accessed.
- Monitoring – no one likes to think that they are being watched, but the sensitivity of information and the need for its safe storage and use are such that, as a business, you cannot afford to leave it open to abuse. There are times when leaks or sharing of this information are not intended as a criminal act, but clearly you will want to ensure that, should data theft happen, it is recognised and stopped quickly. Strengthening your ISO 27001 policy around monitoring access to data will be key.
The benefits of working from home…
… are many and varied, but remote working comes with many challenges too. There needs to be caution, especially around information security. Updating your ISO 27001 policy is one means of mitigating the risks.