This material will be useful primarily to employers.
GENERAL SITUATION IN SEVERAL LINES
Around the world, accountants, sales departments, marketers and lawyers have moved to home offices. Tour operators have transferred almost all of their employees to remote work. Car dealership sales centres have switched to standby mode, advising customers exclusively by telephone, and their front offices have stopped working for now.
Because of the coronavirus, state institutions (schools and universities, the Russian Post, military enlistment offices), ministries and even international organisations such as the UN have also switched to remote operation.
March 2020 saw the explosive arrival of the “WFH” mode: work from home (in Russian, “we work remotely from home”). The IT giant Microsoft sent more than 80% of its employees to work from home. Amazon, Facebook, Google and Uber were no exception: up to 76% of their employees began working remotely. 12 thousand staff at Apple's headquarters in California switched to remote work.
Russian business is a different planet. According to Forbes analytical data, only 25% of domestic companies worked with freelancers (developers, designers, sales managers, recruiters) before self-isolation. In the USA, by comparison, the figure is 43%.
Therefore, in the current situation of a pandemic and a forced stay at home, the transition to remote work is especially “painful”. Companies were simply not ready to organise and quickly build remote business processes.
But if the company nevertheless managed to establish its business processes, the next step is to ensure information security. We present a summary of the requirements of the FSTEC of Russia and the European Union Agency for Cybersecurity (ENISA); complying with them will reduce the likelihood of negative consequences for your company during remote work.
CYBER SECURITY REQUIREMENTS FOR REMOTE WORKERS
| EU Agency for Cybersecurity * | FSTEC of Russia ** |
| --- | --- |
| Ensure that there are sufficient IT resources to support staff in case of technical problems. | Briefing employees of critical information infrastructure (CII) entities who are given remote access to CII objects on the rules of safe remote interaction with such objects |
| Provide employees with relevant information, such as contact details | |
| Provide up-to-date security software and updates on access devices, and regularly remind users to check for updates. It is also advisable to have a replacement scheme for failed devices | |
| Provide, where possible, corporate computers / devices to employees for remote work | Determination of the list of computing equipment, including portable mobile computing equipment (laptops, tablets, mobile devices), that will be provided to employees for remote work |
| | Determination of the list of information and information resources (programs, volumes, directories, files) located on the servers of CII objects to which remote access will be provided |
| | Assignment of the minimum necessary rights and privileges to users during remote work |
| | Identification of remote computing equipment by physical (MAC) addresses on the servers of CII objects to which remote access will be provided, and granting it access to the information resources of CII objects using a “white list” |
| | Allocation of employees to a separate domain, which must be managed from the servers of the CII entity, and assignment of a network (domain) name to each remote device |
| Access to application portals must be secured using multi-factor authentication mechanisms | Ensuring two-factor authentication of remote workers, with one of the factors provided by a device separate from the CII object being accessed |
| Mutual authentication is preferred (for example, from client to server and from server to client) | |
| All corporate business applications should be accessible only through encrypted communication channels (SSL VPN, IPsec VPN). Ensure your corporate VPN solution is scalable and capable of supporting a large number of concurrent connections | Organisation of secure access from remote computing equipment to the servers of CII objects using cryptographic information protection (VPN) |
| Antivirus / anti-malware software must be installed and fully updated | Use of anti-virus protection tools on remote computing equipment, keeping the databases of malicious program (virus) signatures current by updating them daily |
| BYOD devices must be verified from a security point of view using platforms that monitor security policies on the device | Excluding the possibility for an employee to install software on remote computing equipment, other than software whose installation and operation is required by official necessity, implemented by standard means of the operating system or by tools protecting information from unauthorised access |
| | Ensuring security monitoring of CII objects, including keeping logs of the actions of remote workers and analysing them |
| Screen lock if you work in a shared space | Locking a user's remote access session after a period of inactivity longer than the time set by the CII entity |
| Ensure that policies are in place to respond to security incidents and personal data breaches, and properly inform employees about them | Ensuring the ability to respond quickly and take information protection measures in the event of computer incidents |
| Provide secure video conferencing for corporate clients (both audio and video capabilities) | |
| Ensure that any processing of employee data by the employer in the context of telework (e.g. time tracking) complies with the EU legal framework for data protection | |
| | Excluding the possibility of unauthorised persons operating remote computing equipment |
| Use corporate (rather than personal) computers where possible | Use of personal computing equipment, including portable mobile computing equipment, is not recommended. |
| Connect to the Internet through secure networks; avoid open networks. | |
| Avoid sharing sensitive corporate information (such as email) over insecure connections. | |
| Use corporate intranet resources to share work files | |
| Be careful with any emails that mention coronavirus, as these could be phishing attempts or fraud | |
| Data on local media must be encrypted. | |
| Do not post virtual meeting URLs on social networks or other public channels. | |
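As an added example, not part of the original article or of either agency's materials, the Python script below audits constructed remote-access gateway log lines against three of the controls listed above: the MAC “white list” of issued devices, the second authentication factor at login, and the inactivity limit after which a session must be locked. The log format, the allowlist and the 15-minute limit are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample gateway log (not from any real product); one line per event.
SAMPLE_LOG = """\
2020-03-25T08:01:10Z user=ivanov mac=00:1a:2b:3c:4d:5e event=login mfa=yes
2020-03-25T08:03:40Z user=petrov mac=de:ad:be:ef:00:01 event=login mfa=yes
2020-03-25T08:05:00Z user=sidorov mac=00:1a:2b:3c:4d:60 event=login mfa=no
2020-03-25T08:10:00Z user=ivanov mac=00:1a:2b:3c:4d:5e event=activity
2020-03-25T09:30:00Z user=ivanov mac=00:1a:2b:3c:4d:5e event=activity
"""

# Assumed allowlist of issued devices (the "white list" of MAC addresses) and the
# idle limit chosen by the organisation; both are placeholders for this example.
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60"}
IDLE_LIMIT_SEC = 15 * 60

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mac=(?P<mac>\S+) event=(?P<event>\S+)"
    r"(?: mfa=(?P<mfa>yes|no))?$"
)


def audit(log_text, allowed_macs=ALLOWED_MACS, idle_limit=IDLE_LIMIT_SEC):
    """Return (kind, detail) findings for lines that violate one of the controls."""
    findings = []
    last_seen = {}  # user -> timestamp of that user's most recent event
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            findings.append(("unparsed_line", line))  # never silently skip a line
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        user, mac, event = m["user"], m["mac"].lower(), m["event"]
        if mac not in allowed_macs:
            findings.append(("device_not_allowlisted", user))
        if event == "login" and m["mfa"] != "yes":
            findings.append(("no_second_factor", user))
        prev = last_seen.get(user)
        if prev is not None and (ts - prev).total_seconds() > idle_limit:
            # A gap longer than the limit means the session should already have
            # been locked; flag it so the gateway timeout setting can be checked.
            findings.append(("idle_limit_exceeded", user))
        last_seen[user] = ts
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```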
* Tips for cybersecurity when working from home: the EU Agency for Cybersecurity shares its top tips for teleworking in times of Covid-19. Published on March 24, 2020.
** Recommendations of the FSTEC of Russia on ensuring the security of critical information infrastructure objects when implementing a remote mode for the performance of official duties by employees of critical information infrastructure entities (Letter of the FSTEC of Russia dated March 20, 2020, N 240/84/389).