How implementing security processes helps transition to remote work

This article describes how we used our security infrastructure to move our entire team of managers and developers to remote work during the period of quarantine measures and self-isolation.

Reasons and background


In 2020, from the very beginning of the year, there was a lot of news about a new pandemic threatening to destroy the whole world. Many companies and organizations took this seriously, introducing self-isolation rules and remote work practices.

As a company engaged in knowledge work, our first concern was compliance with WHO requirements, namely:

  • self-isolation of employees who have been on a business trip outside their home region;
  • isolation at the first symptoms in family members;
  • transition to remote work.

The first two points are more or less self-explanatory; the third requires additional explanation.

Stage One: Needs Research


To set up a workplace at home, an employee needs, in addition to the room itself, access to corporate systems, a VPN to the office network and some equipment. To collect data on what equipment employees have, you can have the heads of departments conduct a survey, or send a survey form to everyone in Google Forms or SurveyMonkey (or whatever tool you use). In our case, sending survey forms across the company, individually to each employee, was the more suitable method.

Some team members may already own first-class equipment bought at their own expense (if the employee is also a fan of computer games or runs a project of their own at home), but we do not consider it right to take advantage of that. The company must provide a workplace in any case.

After collecting the data, we examined the number of new users on our corporate VPN and load-tested it, so that we would not discover that network performance was insufficient only once everyone was already working from home.

Security processes have helped us in this phase, making it quick and easy:

  • accounts and the logical access control process made it possible to find out that not all employees had the necessary accounts, generate the necessary requests and put employees in touch with system administrators;
  • the knowledge collected in the personnel control process about staff, their existing equipment and their status allowed us to determine the scope of the changes.

Stage Two: Home Equipment Delivery


It is worth remembering that equipment means not only a computer or peripherals, but also furniture, office equipment, document accessories (folders and holders) and the like. To track the equipment handed over, we use our corporate JIRA and a process previously built for moving equipment between rooms and offices.

Each employee creates a request with a list of their needs. Alternatively, the team lead, the manager, or even the security officer does it: whoever has all the information. If there is a building security post, it is also necessary to prepare memos on the removal of equipment for each employee.

Staff should be warned that dismantling a workplace without authorization is undesirable and not allowed. If that information still did not reach someone and a workplace was dismantled without authorization, it is necessary to investigate the incident, explain the rules and warn about responsibility.

It is also necessary to organize delivery of the equipment to employees' homes by transport companies, since delivery by the employees themselves, although cheaper and more convenient, carries a risk of equipment damage.

The company's security management processes have helped us in this phase as follows:

  • physical access control made it possible to establish that the equipment was not stolen or damaged during transportation;
  • , ;
  • “” .

:


At some point day X is announced: the day on which the instruction to switch to remote work is issued. At this point, workplaces should be moved. It helps to have a day off or a shortened day before day X so that employees can take equipment home.

From now on, all communication between employees goes through email and instant messengers. If program code could previously be stored locally, after the transition it is stored in repositories (online or on a corporate server). It is important that the ticket system is sufficiently automated and configured to handle a large number of requests. Assignees should be aware of their roles. The business continuity process from ISO27001, if you have implemented it, helps greatly here.

The security management system brought the following benefits:

  • the logical access control process manages employees' user rights in the communication and distributed-work systems;
  • the incident management process will identify vulnerabilities and investigate incidents related to loss of access rights, data corruption and other violations;
  • a security officer or an appropriate unit becomes a kind of hub that routes requests from employees and helps to cope with non-standard problems.

Additional risks


The main additional risk is that the quality of employees' work depends on their Internet access. Internet access from consumer-market operators at employees' homes often differs greatly from what telecom operators provide for the B2B market. In addition to speed issues, your team will also have to use VPNs or static addresses. You will also be unable to manage the risks associated with failures of electricity, communications, engineering systems and other things that depend on where employees are located. The risk acceptance strategy will be applied regardless of the wishes of the business, because there is no choice.

The second risk is a reduction in the effectiveness of the team. A lot of literature has already been written about this and, in general, qualified project managers know how to manage it. It includes both less effective communication and the lack of an on-site working environment.

Know-how


We have been working with distributed teams in our company for about 10 years, with offices in Russia, Europe and the USA. To improve business efficiency, we also implemented the ISO27001 business security management system two years ago, so the transition took us 2 business days. We applied the following techniques:

  • JIRA ServiceDesk – , . , , , .
  • Slack, Zoom Skype – , , .
  • GIT-. BitBucket, Atlassian, JIRA, GitHub .
  • Monitoring team health. Team managers know what difficulties each member of the team has and work with them on solutions to overcome those difficulties.

There were also techniques that should have been applied, but that we did not manage to apply for various reasons:

  • central delivery of equipment by transport companies, which would take more time than delivery by the employees themselves, but would minimize the risk of equipment damage;
  • mass transfer of development to laptops to make development more mobile; re-equipping takes time and is quite expensive.

Beyond the basics, it was the precise management and controls introduced in the ISO27001 security management process that made the transition not only possible, but also more comfortable for both the business and company personnel.

We saw from our own experience that introducing ISO27001 processes lets you manage your business better in times of crisis, emergency and dangerous situations and helps to keep company services at the required level.

The transition of an entire company to remote work creates a huge number of risks, from the loss of equipment to the violation of the company's business processes. The implemented security standard, be it ISO27001 or something else, will help to prevent risks, develop strategies for working with them and, ultimately, minimize them.

If a security management system has not yet been implemented in your company, the period of remote work may be an excellent time for its implementation, especially in terms of physical security and protection of information assets. It is also possible to use the best practices used in this field right now, without waiting for implementation and certification.

Security standards are developed in the industry precisely so that atypical and unexpected situations do not damage the business. Their use creates a collective immunity in the corporate environment: the more market participants implement security techniques or standards, the fewer threats from intruders. Strategies to counter any threat can also be developed much faster, because the practices of other organizations serve as guidelines.

We hope that the article was useful in terms of finding solutions, or confirming the correctness of already adopted tactics and strategies.
