Remote Work and Information Security Policy Exceptions
There is a well-known metric included in risk assessments known as the Annualized Rate of Occurrence, or ARO. Risk events have varying AROs depending on the frequency with which they are expected to occur. Many risk events have AROs that are so low, meaning that the event is so unlikely to occur, that an organization may not have a formal, documented policy or procedure (such as Pandemic Response) that describes how the organization will react or account for the impact of such an event.
For many, COVID-19 is just such an event. As a result, various requirements of Information Security Policies and Procedures may be impossible to meet given the fundamental and rapid change in operations that has occurred over recent weeks. With a global remote workforce being mobilized, supply chains changing, and IT support personnel largely unavailable to focus on routine operational tasks, many have been left wondering how they are going to ensure compliance during this time.
One important action every organization should take as exceptions are identified is to document them.
Below are a few examples of common exceptions organizations may be experiencing.
Scenario 1: Exception
Information security policies state that all access requests are to follow a defined procedure, including the requirements that each request for remote access for each employee be documented, submitted by an appropriate employee manager, and approved by the Chief Information Security Officer prior to remote access being granted. However, for business continuity, remote access may have been granted to large numbers of personnel without following this policy, as soon as the standard security requirements were met.
Scenario 2: Exception
Information security policies state that capacity alerts generated by the organization’s systems monitoring tool are reviewed daily, and tickets are created and closed by monitoring personnel as evidence of remediation of alerts. However, the increased demand on IT support personnel and corresponding resources has decreased the organization’s ability to formally document the review of critical alerts for weeks, as large numbers of personnel are shifted to remote work.
Scenario 3: Exception
Various meetings are to occur periodically with meeting minutes documented as evidence for a number of relevant discussion topics, including due diligence, risk assessment, and business operations. However, standard weekly and monthly meetings have been put on hold as organizations attempt to gain an immediate foothold on operational changes.
How can you attempt to maintain compliance with so much going on? Documentation and communication.
Let’s run back through these scenarios and discuss general recommendations for each, noting the common trend.
Scenario 1: Recommendations
Document that, for a set period of time, standard procedural requirements for remote access are being restricted in the interest of ensuring business continuity, communicate it to appropriate management, and formally accept the risk.
Scenario 2: Recommendations
Document that, due to a lack of personnel availability, formal reviews of system notifications and alerts are being moved to monthly (or cancelled indefinitely) until otherwise stated, communicate this to appropriate management, and formally accept the risk.
Scenario 3: Recommendations
Document that all required company meetings (including the IT Steering Committee) are temporarily replaced by emergency or temporary meetings specific to Pandemic Response, communicate to appropriate management, and formally accept the risk.
General Trend:
- Document the Exception
- Communicate Appropriately
- Accept the Risk
Best Practices for Policy Exceptions
It is likely that many policy and procedural requirements and security activities were not designed with a remote workforce (or a months-long pandemic) in mind at the beginning of the 2020 fiscal year. However, it is still possible to ensure that security is not forgotten:
Document the exception in as close to real time as possible, communicate it to relevant personnel through whatever medium is available, and formally accept the risk.