A few months back, I was sitting in my home office. I glanced out the window and noticed a heifer about 100 yards away, trotting down the side of the road. I thought, “Ummm, that’s my cow!” I immediately threw on my boots and ran out after her. After some time and effort, I finally got the cow back into the pasture.

I discovered that while replacing the corner posts on their fence, my new neighbors had cut my fence, breaking the tension in the line, which allowed the heifer to jump right over. When it comes to fences, tension is vital.

Tension is also a business component that, if gone unchecked, could leave your “fences” – or in other words, your security – wide open. What kind of tension are we talking about here? The kind of mental or emotional strain (i.e., tension) that brings angst, eye-rolling, and long, deep sighs. The kind of tension that results from talking about policies.
When it comes to IT and security, good policy management is the kind of strategy that often gets overlooked or outright ignored. It is not enough to have strong IT security controls; you also must have policies and procedures around security and privacy and the use and confidentiality of customer information.

That has been true for a while, but when COVID came, that landscape changed along with everything else. With many employees working from home now, your data is not just located in the bank but also on devices, networks, and systems that might not be as secure as the ones in the office. Thus, new policies, or modifications to existing ones, are needed.

Here are seven important IT security policies that encompass remote and hybrid workers.

1. Remote Access Policy

The remote access policy should state who can work remotely, then define how to work while being remote. Specifically, it should define how data is supposed to be accessed, what security controls are required for remote access, what kind of data is synced, and generally anything that covers the security and HR controls for anyone working remotely.

2. Sensitive Information Policy

The sensitive information policy should explain how data is to remain secure, or in other words, what the organization and the employee are required to do to keep the data secure. This policy will discuss passwords, what data is considered secure, and how to secure data when it needs to be transferred. It should also cover how to destroy sensitive information as well as explain what is allowed to be printed as a physical copy and how to secure information to be printed. This policy will even cover the cleanliness of one’s workspace and include guidance on speaking about business matters in public places.

3. Computer Tampering Policy

This policy is unnecessary for many people, but the idea is data could be extracted or a computer compromised if an employee were to tamper with their computer and/or modify it in a way that introduces problems. Additionally, allowing employees to do so is bad practice, as warranties could be voided. This policy could be a stand-alone policy or included in the code of conduct or another policy.

4. Bring Your Own Device (BYOD) Policy

A BYOD policy should state the controls around employee-owned devices used to perform company work. This policy includes smartphones, tablets, and computers. These devices perform many different functions, and companies need to decide what work processes or actions are allowed and how data and information on employee devices will be securely managed.

5. Incident Reporting Policy

You might find it odd the incident reporting policy is on this list, but with a distributed workforce, it is likely that instances may happen offsite that could affect other company resources. Employees need to know the controls and procedures for reporting a problem and feel comfortable doing so even if they are the ones that initiated a security breach (for example, by clicking a link in an email that they should not have).

6. Data Storage and Backup Policy

Data storage and backup policies should state how data is stored and backed up, which is very important for remote employees. Are they allowed to put files on their Windows desktop, or does the company have automation that only backs up the Documents folder? Or perhaps the data must be put on a company storage server through a remote desktop connection or mapped drive. Whatever the policies, make sure they are clear, so data is not lost if someone’s home is burglarized or another unfortunate event occurs to a device holding company data.

7. Acceptable Use Policy

An acceptable use policy is a broad policy that can contain much of the information we have listed so far, but generally, the acceptable use policy describes what users may and may not do when accessing the company network. This policy should include email use, internet use, social media use, and any actions an employee needs to take to ensure they do not do something illegal that could harm the company.

Summary

While this is not an exhaustive list, it is a good start to ensure that your participation in the new era of a distributed workforce is performed efficiently and securely. Please keep in mind that remote employees are valuable employees, and provided they have the right tools and security infrastructure, they can perform their work every bit as securely as in-office team members. Likewise, an on-premises employee at a company office can just as easily cause an incident that releases the “tension” holding your security together. And regardless of where it begins, any breach or vulnerability scenario will have you wishing your only problem was a loose cow!