A network compliance checklist for remote work
This network compliance checklist for remote work provides best practices on establishing remote policies and procedures, help desk support and data backup, among other steps.
Remote work is a compelling alternative to in-person work, and it's also an important capability of organizations when disasters that could disrupt operations strike. Being able to transition employees from in-person to remote work quickly is part of an organization's resilience strategy.
The success and acceptance of remote work have been made possible largely through improvements in network technology, such as VPNs, the internet and improved network security. Network connectivity is the glue that makes remote work possible. This shift with remote work necessitates continued improvements in network compliance, especially with the challenges of maintaining secure and resilient networks.
This article explores compliance issues network professionals face regarding remote work and offers insights into relevant network security and regulatory strategies.
Challenges resulting from remote work
As remote work has increased, traditional network perimeters have had to contend with connectivity from diverse locations. As such, network managers must deal with home-based network devices, the use of personal and possibly unsecured computers and the increased potential for security breaches when remote connections are insufficiently protected. Network management teams now navigate connectivity issues based on various standards and frameworks.
But network management teams have many different products and services available to establish secure remote work environments. Network protocols and devices used in enterprise networks are applicable to remote work. The challenge is to establish stable, enforceable policies and procedures for managing remote devices.
Network connectivity and security compliance checklist
Current network standards and protocols apply to remote work, so network teams must then decide which configuration for remote connectivity makes the most sense. It's also necessary to consider the resources employees have access to when working remotely.
In a remote work environment, the following elements must be part of an overall strategy and program. Additional elements are described in the associated checklist.
- Security. Security is perhaps the No. 1 issue when maintaining a remote work infrastructure.
- Scalable network infrastructure. Remote communications require a scalable network infrastructure. This scalability includes sufficient bandwidth to handle video, email, voice, messaging, wireless and remote system access.
- Remote access policies. Network teams must establish policies for remote access. These policies include the use of personal equipment, type of communications resources at the remote site, accessing company resources, types of technology to be used (e.g., routers, VoIP, collaboration tools), network management and diagnostics, ensuring data protection, and prevention of cyberattacks and other security breaches.
- Remote work procedures. Enterprises must also establish procedures for remote work, such as how to access resources remotely, report problems to a help desk, configure and test personal devices and respond to suspicious activity.
The following checklist addresses the key network compliance issues for remote work environments.
Checklist item |
Actions to take |
|
□ |
Remote work program management. |
Establish a remote work program with senior management approval. Establish teams to manage it, such as IT and HR. |
□ |
Establish remote work policies for employees and nonemployees. |
Prepare remote work policies that address the following areas:
Also, schedule periodic policy reviews. |
□ |
Establish remote work procedures for employees and nonemployees. |
Develop, approve and document procedures for the following areas:
Schedule periodic procedure reviews. |
□ |
Remote network services. |
Consider the following areas:
|
□ |
Primary network security. |
Consider the following areas:
|
□ |
Remote network security |
Consider the following areas:
|
□ |
Network performance management |
Review network performance 24/7 if possible, considering the following factors:
Ensure that device patching is up to date. Also, check that sufficient licenses are in place if VPNs are used. Review carrier disaster recovery plans in case of an outage. |
□ |
Patch management |
Ensure that patching is completed when needed. Establish a patch management program to ensure patching is performed. |
□ |
Endpoint security |
Ensure that devices have the most current security software installed, including the following:
|
□ |
Use of personal equipment (BYOD policies) |
Ensure that IT staff reviews devices and that security apps are installed to comply with company security policies. Run tests to confirm the security is set up correctly. Periodically conduct penetration tests to ensure compliance. |
□ |
Use of company equipment |
Configure devices for remote use (e.g., laptops) with the proper security and access control software and policies. Run tests when devices are installed to verify controls. Periodically perform penetration tests to ensure that company devices have not been compromised. |
□ |
Remote access controls |
Ensure that remote access is based on company policy that includes the following:
|
□ |
Encryption |
Deploy encryption based on company policy, such as end-to-end encryption, encryption for data at rest and encryption for data in motion. Enable security provisions for devices used remotely. |
□ |
Collaboration resources |
Ensure that the following tools are installed correctly and have security enabled:
|
□ |
Data protection |
Ensure that data can be stored in a secure environment, so only individuals with proper authorization can access it. Establish data protection and data management policies to support this. |
□ |
Data backup and recovery |
Back data up to secure local or remote storage facilities, especially personally identifiable information. The data must be easily recoverable and retrievable in an emergency where data might have been stolen or damaged in a cyberattack. |
□ |
Incident detection and response |
Remote users must be able to contact a help desk or other resources if they experience system or network problems, or if they suspect a security breach. Establish formal incident response and help desk protocols and include them with remote work policies. |
□ |
Employee and nonemployee training and awareness |
Regularly send information to remote workers about technical or other developments. Establish training programs for remote workers who use company devices and employee-owned devices on how to access company resources. Diagnose any problems that emerge from training. Incorporate training as part of employee onboarding and update them periodically or when technology changes occur. |
□ |
Audits |
Coordinate with internal or external auditors when scheduling remote work audits. Gather evidence using the following tools:
Identify controls to be audited and examine the following areas:
|
□ |
Testing |
Run tests on company and employee devices to ensure proper operation. Test all new network resources before deploying to remote workers. |
□ |
Incident response |
Establish a process for responding to remote workers who report problems with a device, access to network services or access to company resources. Coordinate with a help desk or other trouble-reporting service. |
□ |
Disaster recovery |
Establish a protocol for communicating information to remote employees about disruptions at the main company location or data center. Provide guidance on steps to take when it's safe to resume normal operations. Tell remote workers to contact the help desk to report any problems with remote locations. Document procedures for remote workers to respond to a local disruption, similar to technology disaster recovery plans for headquarters and other major office locations. |
Remote work continues to be an important part of the current business landscape. This checklist should help ensure that network teams address all aspects of remote working to provide a secure environment for employees.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.