Future-proofing WFH policy
13 July 2020 | Abhilash Govindaraj
In March 2020, GulfTalent conducted a WFH survey across the six GCC countries, aimed at company executives, managers, and human resource professionals. The main objective of the survey was to understand their plans to enforce WFH for their employees in the midst of the COVID-19 pandemic. A summary of the survey results, based on 1,600 responses, is provided below:
Why did 54% of the respondents have no plans yet, and why did 11% say that they definitely would not implement WFH, in the midst of a global pandemic? The reasons may vary, but a common contributing factor could have been the sense of uncertainty that comes with venturing into uncharted waters without proper management guidance and direction. We must appreciate that the survey results were three months old at the time of writing this article. Many of the organisations that had no plans, or did not intend to make any, were eventually forced to follow suit with the rest of the world.
It would be interesting to learn and understand the thought processes that went into finally deciding to implement WFH.
What COVID-19 has taught us is that WFH is a concept that is no longer considered optional, but essential for relevant organisations to sustain and survive during a global calamity. Hence, to protect all stakeholders involved, it is essential that organisations develop, maintain, and implement a robust WFH Policy that addresses potential information security risks from a governance as well as operations standpoint.
Before developing the WFH Policy, a detailed risk assessment (covering both governance and operations) should first be performed, taking into consideration all potential threats, existing controls, and vulnerabilities faced by the organisation that relate to remote or home working environments. “Availability” is one critical factor that is commonly overlooked during risk assessments. However, the availability, capacity, and reliability of the underlying remote infrastructure play a vital role in ensuring continued employee productivity, so the risk assessment exercise must delve deep into these areas. At the end of the risk assessment, the identified risks should be documented and prioritised for treatment in a detailed risk treatment plan, with clear timelines for addressing each identified risk.
A bonus outcome of the risk assessment is that the organisation gains a deeper understanding of its current capability (in terms of people, process, and technology) to provide secure and reliable remote work services to its employees. By integrating the risk assessment results and the identified control gaps, an organisation will be better equipped to define or enhance its WFH Policy.
Critical focus areas that need to be incorporated as part of developing or enhancing the WFH Policy are outlined below:
Prior to selecting and finalising the remote/home work technologies for implementation, it is crucial to perform a rigorous evaluation of shortlisted technologies by involving key stakeholders; this ensures alignment with the organisation’s business and security requirements. Once the technologies are finalised, the organisation should establish a detailed implementation plan in coordination with all key stakeholders and at a minimum, must include:
It is essential to run the selected technologies through a pilot program for a defined period, targeting a group of end-users who will use them according to the pilot stipulations. A successful pilot program provides stakeholders with a level of assurance about the technologies’ expected Return on Investment (ROI), by:
Upon successful completion of the pilot program, the organisation should update the implementation plan based on lessons learned and commence full-scale implementation. This phase also involves the development of additional documentation (procedures, processes, guidelines, etc.) aimed at both administrators and end-users of the remote/home environment. For example: 1) procedures for the installation and maintenance of the respective remote/home work technologies and infrastructure, aimed at IT administrators; and 2) end-user guidelines for remote workers, to assist them in using the remote/home environment effectively and securely.
Before being rolled out to the end-user community, the remote/home work environment must go through rigorous testing, as per the defined test plans, to validate its security, usability, availability, and capacity. It is essential that all end users undergo appropriate training to ensure secure and effective use of the new remote/home environment.
An organisation’s information security journey is a continuous improvement cycle of planning, implementing, reviewing, and enhancing information security controls. This cycle is critical in ensuring that the organisation’s information security efforts remain in line with its ever-changing threat environment, risk exposure, and business objectives. To learn more about how Digital14 can assist you in your information security journey, using our risk-based approach aligned with national and international standards, please visit https://digital14.com/protect.html.