Focus: Security and Compliance
In my previous post, I highlighted some of the considerations and challenges for IT teams as people return to the office. This time, I want to focus on the specific issues of security and compliance.
During the pandemic, you may have temporarily relaxed or suspended your normal security provisions to maintain productivity. Flexible working, often introduced at pace and maintained on a fluid and open-ended basis, has seen files being shared differently and BYOD increasing. This in turn has changed how many organisations think about and enforce data and device security, but in many cases, the underlying policies themselves have not been adjusted accordingly.
That discrepancy needs addressing as people return to the office, and you gain a clearer picture of what your ‘new normal’ is, or will look like. For example, will people now be formally permitted to access files and systems using their own, non-corporate devices? You may have been fine with BYOD in these exceptional circumstances; is it something you’re happy to see continue in future?
This policy gap is especially important if you’re subject to external audits, for example, if you are ISO-accredited, CE/CE+ certified or PCI compliant. Many audits were delayed or perhaps delivered differently due to the pandemic, but when they restart, auditors will want to see that your policies have either been updated or reintroduced in full. If they observe practices that violate your own stated policies, the ‘temporary relaxation’ defence is likely to get short shrift at this stage.
To ensure your security and compliance processes and policies are ready to cope with your new normal (whatever that looks like), there are three main areas you need to review and examine:
- The changing ways people are accessing and interacting with IT services. As I mentioned above, your policies and systems may need to be either:
  - Permanently updated to allow ways of working that have become normalised, having been frowned upon before the pandemic; or
  - Returned to their previous state, which will then require reviews and actions to ensure people understand and comply with them again.
- The management and distribution of end user assets.
  - Many assets that once were in the office every day and directly connected to the LAN are now remote for most of their time. This is likely to have increased the mean time between vulnerability scans and between applications of configuration policies, leaving them potentially at risk.
  - As a result, you may need to improve your mechanisms both for deploying configuration policies for the OS and applications, and for auditing compliance with them.
- Your identity and authentication services.
  - Users who were previously office-based are now working from home and may continue to do so more often. Make sure the appropriate licences for features such as conditional access, risk-based logon analysis and MFA are assigned according to your security policy.
  - New ways of working may have led to the rapid implementation of new software or services, such as Box.com or Teams. Authentication and governance of these new services should be inspected to ensure they comply with security policies and are appropriately integrated – for example into your CASB solution.
Protecting data and systems is absolutely central to our role as CIOs. These issues may already have been discussed and decided at the senior level. If not, it’s up to us to ask the business what it wants. Because if we don’t pose these vital questions, others almost certainly will.