It’s More of a Guideline Than a Rule…

April 3, 2020

Lessons Learned

There is no shortage of COVID-19 related articles from organizations seeking to take advantage of the crisis to sell something. And putting their motive aside, much of what has been written contains useful information. But I want to take this a bit further and share some actual lessons learned. And if you’re wondering how I might already have gleaned insight from such a new and novel experience, the answer is that, fundamentally, there is nothing new here. As a CISO working for healthcare organizations since before the passage of HIPAA, or the publication of the security, privacy, and breach notification rules, I have long since taken to heart the obligation that we are to “…identify and protect against reasonably anticipated threats…” What that means is that the arrival of COVID-19 is neither new, nor is it the first time we have had to prepare our organizations to respond to a possible pandemic. Starting in 2009 with novel influenza A (H1N1), and then Swine Flu, SARS, MERS, and as recently as 2016 with Ebola, we have faced this possibility numerous times. And it is from the development, maintenance, and execution of associated preparedness response plans that I have accumulated the following firsthand experience from which I am hoping you can benefit:

  • Scope of Program Applicability – Maybe your organization allowed for remote access or telecommuting prior to the COVID-19 outbreak, but perhaps it did not. Either way, your job as CISO is to ensure that everyone within your organization to whom you afford physical or logical access to your facilities, systems, networks, and data understands that they are equally subject to your security and privacy policies and procedures at home as they are in the office. In other words, you should be telling everyone that your organizational policies apply wherever there is covered data. This means in all forms and formats, at all stages of the lifecycle, in all locations, on all devices, and with respect to all parties who might be privy to it. If this assertion is not something that you have already made abundantly clear, you need to take active steps to do so immediately. NOTE: A formal modification of your enterprise security/privacy policy may take time, in which case I highly recommend adoption of a remote access and/or telecommuting-specific policy focusing on the following points:

    Subject – Guidance
    Acceptable Use – Users are no freer to engage in inappropriate behavior at home while using company assets than they are when in the office.
    Intellectual Property – The organization retains the same exclusive rights to intellectual property developed or conceived of while a worker is attending to company business at an alternative work site as it does when personnel are in a company facility.
    Ownership vs. Possession – Advise workers that if you supply them with software, hardware, furniture, information, or other materials to perform company business remotely, the title to as well as all rights and interests in said items remain with your organization, and that possession by a remote user neither conveys nor implies ownership.
    Reporting Loss or Damage – Physical protection measures are no longer “inherited” from your onsite premises, so make sure to advise personnel that they are to report any damage to or loss of assets entrusted to them in a timely manner so that you may take the appropriate actions.
    Workspace Liability – Seek input from your counsel on whether remote work locations may be considered an extension of your company workspace and, if so, set expectations for personnel safety, reporting requirements, and limitations on liability.
    External Personnel – Convey that remote workers must not allow others in the home to use any company assets and that said equipment should be positioned to preclude unwanted shoulder surfing.
    Hard Copy Management – Counsel personnel that they should avoid printing hard copy unless necessary. To the degree that hard copies of sensitive information are produced, remember to obligate personnel to your storage, retention, and destruction policies. Most importantly, such items should not be put into regular home trash/recycling; instead, if users do not possess suitable shredders, they should retain hard copy securely until it can be brought back to the office for proper disposal later.
    Backup – When working in the office, most personnel work with files from shared storage locations where backups are regularly performed on an automatic basis. You therefore need to advise personnel that while working remotely and/or offline, sensitive and important work product is never to be stored solely on their endpoints, as those are not backed up. Provide instruction on where to place items so that they can be backed up as needed.
    Skepticism – Beyond your regular training and awareness exercises, you would do well to foster a healthy level of skepticism on the part of your personnel, reminding them of the need to verify the identity of those with whom they’re interacting before exchanging sensitive information and to be wary of the new wave of phishing scams designed to take advantage of the current crisis.
    Maintenance – In most organizations, users do not have to do anything in particular to support the routine maintenance of their endpoints, as things like vulnerability scanning, patch deployments, and updates to malware tools and software happen transparently. Depending on how your organization delivers such things, you may need to train workers (perhaps adding a calendar reminder) regarding the need to log into the network, for example, if VPN connectivity is required to receive patches. Conversely, if you rely on a cloud-based solution for such needs, you may need to remind personnel to log out but keep their computers online during your regular maintenance window.
    Dogs and Daycare – Advise personnel that remote work is not a substitute for dependent care. You expect personnel to make family-care arrangements as needed so that such obligations do not interfere with their work and safety obligations. You should also explain that personnel are expected to take positive steps to ensure that phone conversations, conference calls, and related collaborative communications do not suffer from undue interruptions associated with other inhabitants of the home (including children or pets) and that the remote work environment remains free of noise.
  • Single Point of Failure – To make good on the “Availability” portion of the “CIA” triad security model, most organizations design and deploy their company voice and data networks with enough capacity and redundancy to meet the resiliency needs of their business. Unfortunately, in adopting a work-from-home strategy as part of a pandemic response plan, most organizations have little choice but to accept the reintroduction of several potential single points of failure in their workers’ home power systems and internet service providers.

    Whether power is an issue for your personnel will vary based on the geography in which they live, the age of the infrastructure on which they depend, and the demands being put on their local system. By all accounts, the increased demand for residential power should be no more than what most systems see on weekends as opposed to weekdays when more people are at home. However, some workers may encounter problems ranging from intermittent brownouts to full power outages. Apart from portable generators, the best thing to do is have personnel use laptops with fully charged batteries to avoid unwanted loss of data.

    Of course, there is also the question of connectivity, and a laptop battery can’t help with that. And even if someone has a generator or battery backup on their home router/modem, that won’t help if their provider goes down. So, what can organizations do to address the reliance on home internet connectivity? First, although there are variations among Internet Service Providers (ISPs), residential internet plans are typically limited in their upload speeds and are for “entertainment purposes only,” meaning that the provider is only obligated to provide best-effort service. On the other hand, business-class services typically deliver faster upload speeds and come with service-level guarantees. Upgrading may not be for everyone and may or may not be an expense you wish to incur, but it may be worth considering for those supporting your more critical business functions.

    For most of us, a wireless connection is probably sufficient. However, depending on the age of the equipment involved, protocols in use, and the presence of electronic interference, your users may experience a meaningful degradation in performance when using wireless connections. In such cases, they should consider using wired connections instead (many wireless access points/routers are equipped with ethernet ports for this purpose). Lastly, tell your personnel to turn off anything that is not needed. Their business needs are competing with the internet demands of all the other devices in the home. By disabling and/or intelligently managing such services, they may see improved performance.

  • Wireless Network Configuration – On the subject of home internet connectivity, I would be remiss if I didn’t take a moment to remind organizations of the need to educate their workers and obligate them to suitably harden their wireless access points. Although there are many makes and models of home wireless gateways, in most cases you can access the admin console by opening a browser on a connected device and entering the address http://10.0.0.1. Minimally, you’ll want to advise your personnel of the following:

    1. Change the default network name (referred to as SSID)
    2. Remove/reset the default admin password (often referred to as network key)
    3. Enable an appropriate encryption protocol (WPS/WEP prohibited, WPA or WPA2 required or recommended)
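The three points above, turned into a self-check that a support team could run over a gateway's exported settings. This is an added example, not code from the original post; router exports differ by vendor, so the dictionary layout (current values alongside the factory values printed on the device label) and the sample values are constructed assumptions.

```python
"""Audit a home wireless gateway's exported settings against the hardening
checklist: non-default SSID, non-default admin password, WPA/WPA2 only, WPS off.
Constructed example; the config layout is an assumption, not a vendor format."""

# Encryption settings the checklist prohibits vs. accepts. WPA2 is preferred,
# WPA is accepted with a warning, anything else (WEP, open) fails.
PROHIBITED = {"WEP", "OPEN", "NONE"}
ACCEPTED = {"WPA", "WPA2"}


def audit_wifi_config(cfg):
    """Return a list of (severity, message) findings for one gateway config."""
    findings = []
    if cfg["ssid"].strip() == cfg["factory_ssid"]:
        findings.append(("fail", "SSID is still the factory default"))
    if cfg["admin_password"] == cfg["factory_admin_password"]:
        findings.append(("fail", "admin password is still the factory default"))
    enc = cfg["encryption"].upper()
    if enc in PROHIBITED or enc not in ACCEPTED:
        findings.append(("fail", f"encryption '{cfg['encryption']}' is prohibited"))
    elif enc == "WPA":
        findings.append(("warn", "WPA accepted, but WPA2 is recommended"))
    if cfg.get("wps_enabled", False):
        findings.append(("fail", "WPS is enabled; it must be turned off"))
    return findings


def is_compliant(cfg):
    """True when no 'fail' findings remain (warnings are tolerated)."""
    return all(sev != "fail" for sev, _ in audit_wifi_config(cfg))


# Constructed sample exports: WEAK is a gateway untouched since unboxing,
# HARDENED is the same device after the three checklist items were applied.
WEAK = {
    "ssid": "HomeGateway-1A2B", "factory_ssid": "HomeGateway-1A2B",
    "admin_password": "admin", "factory_admin_password": "admin",
    "encryption": "WEP", "wps_enabled": True,
}
HARDENED = {
    "ssid": "not-the-default", "factory_ssid": "HomeGateway-1A2B",
    "admin_password": "correct-horse-battery-staple-2020",
    "factory_admin_password": "admin",
    "encryption": "WPA2", "wps_enabled": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "compliant" if is_compliant(cfg) else "NOT compliant")
        for sev, msg in audit_wifi_config(cfg):
            print(f"  [{sev}] {msg}")
```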

  • Remote Site Inspection – As previously alluded to, remote access/telecommuting is a privilege, not a right, and as such you must condition the access you provide on acceptance of your policies. Further, because of the responsibility you have as an organization for both your own data as well as that entrusted to you by third parties, you should establish that as a condition of being permitted to access your systems and networks remotely, users grant permission to conduct inspections of remote access/work locations so you may examine computers containing, or thought to contain, information belonging or entrusted to your organization. However, because the home is generally the domain of the worker, it is critical that the right to inspect must be clearly communicated and agreed to in writing. Moreover, to maintain an appropriate culture and balance, you should address the concerns of personnel worried about an unwarranted invasion of their privacy by documenting and sharing the terms and conditions under which and the process by which remote worksite inspections may take place. Lastly, it is a good idea to have personnel designate a workspace to define the boundaries of any inspection that you might need to conduct.
  • Dedicated Security Support Line – Many organizations have integrated their IT and Security Operations, which means that they likely rely on the same service desk and team to field security-related matters as they do for routine IT issues. In the current situation, the service desk is likely inundated with connectivity-related issues, and you do not want that to get in the way of your ability to receive, analyze, and promptly respond to security-related matters that remote workers properly report. You may want to establish a dedicated call-in number or email address specifically for security reporting, if you don’t already have one. Ample evidence demonstrates that bad actors are already attempting to take advantage of this crisis for their own untoward purposes, so this is especially important given the substantial increase in the size of your attack surface that comes from having as much of your workforce as possible working remotely.

The guidance and insight shared here are not meant to be exhaustive, nor are they intended to make the crisis we’re all facing worse. The intent is simply to give organizations some things to think about before, during, and following the current COVID-19 outbreak, help them gain awareness of some risks they may not have considered, and provide a carefully reasoned and defensible basis for managing such exposures. After all, we’re all in this together.
