Mass Remote Work: Raising Information Security Awareness of Employees
ICL Services has traditionally put particular emphasis on raising employee awareness of IS issues. Under current conditions, when the majority of the team members are working from home, it is crucial for them to know and understand the general and specific requirements for data processing, storage and transfer. In many cases, ICL Services customers, contractors and partners may also impose special requirements for information security within the framework of cooperation. In the course of the IS events held within the company, it is explained to the team members why it is essential to comply with the information security requirements of both our company and our partners.
Adhering to the IS rules established in the company helps to preserve the confidentiality, integrity and availability of the data of all the parties concerned. Employees possessing a high level of maturity in terms of IS are more likely to identify risks and incidents and propose improvements not only to the company’s but also to the customer’s business processes. ICL Services provides a wide range of IT services to large Russian and foreign businesses; therefore, immediately after formal employment (and sometimes even before it), all the employees familiarize themselves with the IS requirements established in the company. In cases where a preliminary opinion on a candidate is required, the IS service specialists are invited to interview the prospective employees. All the employees hired for a remote job position undergo information security risk assessment, and those who, while fulfilling their job duties, decide to make the switch to full-time remote work, receive a personal phone call reviewing the critical elements. The call is aimed at checking whether the employee has all the contacts of the support services and has access to business continuity plans, as well as the employee’s level of knowledge of the rules of sensitive data storage and transfer, etc.
Regardless of their work mode (remote or in-office), all the ICL Services employees, in order to perform their duties competently, to preserve the privacy of the information about the company, a partner or a customer, as well as to avoid reputational and other risks, need to comply with the following rules:
1) promptly respond to phishing emails;
2) ensure the protection of sensitive information in accordance with the existing laws;
3) prevent unauthorized access to sensitive information and corporate devices;
4) promptly notify the appropriate services of information security incidents;
5) promptly report the inability to provide the service to the customer (BCP incidents);
6) dispose of confidential documents beyond recovery;
7) avoid unauthorized repair of corporate equipment;
8) immediately inform the concerned services in the event of a loss/theft of the devices containing sensitive information;
9) comply with the clear desk and clear screen policy.
ICL Services has also introduced the practice of holding events where IS officers tell their new colleagues about the IS management system within the company, explain the basic requirements of the information security policies to them, and analyse particular cases of security breaches in order to prepare the employees to handle similar situations at work. The event is called Security Induction and is obligatory for every employee on probation. The purpose of the event is not to «drive» the IS rules into the employees, but to raise their level of information security awareness and general competence.
In the course of the event, both real-life company cases and cases from the professional experience of information security officers are examined. It also covers the information security incidents that occurred outside the company, but received widespread coverage (for example, the «Star Wars Episode IX» script listed on eBay; the Rambler and Nginx developer confrontation). During the discussions, the Security Induction attendees themselves discern the connection between the incidents and the IS rules and come up with the «correct» solution that could prevent the incident.
Focusing on case studies helps to explain the requirements of the company’s IS policies in as much detail as possible and enables the employees of various departments to match them to their job responsibilities. Answering the questions posed during Security Induction — «how to destroy sensitive information correctly», «why is it important to transfer information via secure channels», «how information about the partners disclosed to third parties can damage the concerned parties», and others — «untangles the knot» of causal relations and demonstrates the safest and the most sensible course of action in challenging situations.
Due to the mass shift to remote work, Security Induction has become particularly relevant. Working from home has updated the primary educational vector «Which information policy rules need to be observed in our Company?» with the question «Why is it crucial to adhere to all the information policy rules when working remotely?». Particular emphasis is placed on the fact that while working from home, the employee needs to be even more scrupulous about complying with the rules, since maintaining the company’s information security is the task of each and every staff member.
With the majority of staff working remotely, the format of the event has been changed. Whereas previously the meeting was held in person and was limited by the capacity of the meeting room, today the event is held in the form of a webinar, involves more people and enables the employees to connect in convenient ways (via a PC, a smartphone, etc.). However, despite the new format, the training includes a lot of interactive activities with the employees: surveys, discussions of the best course of action, storytelling by other participants, etc. Since it is harder to hold the audience’s attention during an online event than at an in-person event, Security Induction materials have been redesigned to facilitate the perception of information: a part of the presentation is now designed using memes and short funny videos.
At the end of the event, the employees receive a newsletter containing useful links to corporate resources on information security. The employees are also assigned training courses in information security that supplement and expand the already known information. The employee feedback helps to update and improve the content of the awareness-raising event, which is beneficial for the learning process.
In addition to Security Induction, the new employee also reads the access control regulations and the rules for obtaining permission to take the equipment off the premises, explores the scope of the Information Security Management System, and undergoes testing on the Password Policy, on handling sensitive information, on the non-disclosure agreement and workaround solutions, and on the Media Relations Policy. All the company employees take part in these activities, including those who work remotely.
Thus, by the end of the probation period, the employee can fully engage in the work processes and form part of the Information Security Management System. The employee who has acquired this knowledge will be able to detect and prevent potential IS incidents both in work issues and in everyday life. This, in turn, is one of the basic guarantees of the protection of sensitive information of the company, its partners and customers.
All the ICL Services activities aimed at raising the IS awareness of the employees help to keep the company’s team on the alert, whereas the customers can be sure that their systems and their data are managed by the specialists who are knowledgeable in information security.