Information Security Tips when Working from Home (gathered from our ISMS ISO 27001 policies).
Connection & Access
Avoid connecting to unsecured Wi-Fi / networks for internet.
Use only company provided VPN / Citrix connection. Avoid use of any other utility for accessing applications / data.
Check & ensure latest antivirus updates on our laptop regularly.
Strictly avoidsharing our usernames and passwords to others.
Data sharing & Collaboration
Adopt all proper & sensible precautions when handling Company data.
Save & share data from Company O365 One Drive.
Use Company O365 Teams to conduct meetings, to share information, screens etc.
Avoid use of social media like WhatsApp while discussing / sharing sensitive business information.
Do not give PRINTs at default printer of office, where the print-out may remain unattended (in absence of secure print) & may be misused.
Ensure adequate security provisions of your mobile phones to protect Company information being accessed.
Ensure that Company confidential information is not shared with unauthorised users, vendors, family, friends or members of the public.
Phishing Emails and Websites
Strictly avoid opening e-mails, URLs & file attachments received from unsolicited or unreliable sources.
Fake emails are sent by hackers about Corona virus. Do not open such mails / URLs / attachments. Forward suspicious mails to _____ ID
Also avoid the use of various maps / graphics showing the spread of Corona. There are incidents of computer hacking through them.
Physical protection
Avoid eating or drinking in the vicinity of our laptops / computers.
Avoid exposing the laptop / computer to sudden impacts or shocks, humidity, sunlight, water etc.
Do not repair, configure or change of system settings of the laptop / computer. Report to IT.
Lock laptop / computer screen when left unattended, to prevent alteration / deletion of data.
Ensure the physical protection of our laptops / computers.
Other important points
Do not install any software on any Company computer. Do not download / copy any type of unauthorised / pirated software.
Do not access Internet sites containing foul / obscene / illegal / unethical / adult / violence / rumours related content from Company computers
Do not use external, web-based e-mail services (e.g. gmail.com, yahoo.com, hotmail.com) for Company business communication.
Ensure to have written approval from Business authorities, prior to transferring the business information to anyone.
Do not copy Business data on removable media like USB storage.
Do not access others’ emails directly by using their passwords.
IT continuously monitors the technical & security usage of the IT Resources, to prevent & correct any performance issues & any misuse.
If you come across any misuse of Company information / asset, then bring to the notice of our business authorities, Functional Risk Officer (FRO), IT & HR; or mail to _____ email ID.
Use our IT resources in a legal, ethical & responsible manner. Do not use them for unauthorised commercial activities or unauthorised personal gain.
Report the Security incidents through IT tool / sending mail to _____email ID.
While companies are encouraged to use VPN connections, VPNs also have security risks.
One aspect is that of a split tunnel where traffic to the corporate network travels over the VPN while the traffic to general Internet exits the user's home network. The danger here is the corporate entity will have difficulty managing the Internet traffic. For example, if a user visits a malicious website, they could end up downloading something to their device that could then be uploaded to the corporate environment. If bandwidth allows, it is best to have a whole tunnel for VPN access.
The use of a VPN does not create a secure environment. Many other factors, as noted below in other comments, are required to create a holistic security process.
Based on your security policy and BCP plan you can enable the users to work from home. most of the companies are using VPN to enable the access with secure.
As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cyber security and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cyber-security.
The following are cyber-security considerations regarding telework.
As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cyber-security tasks.
Is anyone doing anything relating to communications related to pivots related to Social Engineering? Thinking attackers using increased phishing for crednetial theft/malware delivery (already seen that from Krebs/Forbes) but also increasing awareness around calls potentially pretending to be the company's helpdesk e.g. attack calls "Hi, I'm from the Service Desk - you would have recieved a code and we need it to verify our email systems are working correctly" etc.?
Replies
Information Security Tips when Working from Home (gathered from our ISMS ISO 27001 policies).
Connection & Access
Data sharing & Collaboration
Phishing Emails and Websites
Physical protection
Other important points
Zero Trust model is much secure as well as scalable in today's scenario. VPN isn't cutting enough in 2020.
Moved one of my client to complete zero trust infrastructure and they are happily achieving 98% WFH.
While companies are encouraged to use VPN connections, VPNs also have security risks.
One aspect is that of a split tunnel where traffic to the corporate network travels over the VPN while the traffic to general Internet exits the user's home network. The danger here is the corporate entity will have difficulty managing the Internet traffic. For example, if a user visits a malicious website, they could end up downloading something to their device that could then be uploaded to the corporate environment. If bandwidth allows, it is best to have a whole tunnel for VPN access.
The use of a VPN does not create a secure environment. Many other factors, as noted below in other comments, are required to create a holistic security process.
Yogesh Mugoderya
Use VPN
Use laptop lock to secure your laptop
Avoid going out of home
Avoid data intensive tasks like streaming if not is for business purpose
Zero trust solution will be a good option to run the WFH for critical application.
Based on your security policy and BCP plan you can enable the users to work from home. most of the companies are using VPN to enable the access with secure.
Hi
As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cyber security and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cyber-security.
The following are cyber-security considerations regarding telework.
More reference available at
https://www.us-cert.gov/ncas/alerts/aa20-073a - Enterprise VPN Security
https://www.cisa.gov/sites/default/files/publications/20_0306_cisa_...
https://www.us-cert.gov/ncas/tips/ST04-010 - Using caution with mail attachment.
https://www.us-cert.gov/ncas/tips/ST04-014 - Covid-19 Phishing mail awareness.
Is anyone doing anything relating to communications related to pivots related to Social Engineering? Thinking attackers using increased phishing for crednetial theft/malware delivery (already seen that from Krebs/Forbes) but also increasing awareness around calls potentially pretending to be the company's helpdesk e.g. attack calls "Hi, I'm from the Service Desk - you would have recieved a code and we need it to verify our email systems are working correctly" etc.?
Agree with Ashish...