Compliance, Privacy, Security in a Work From Home (WFH) environment, oh my!

The concept of working from home (WFH) is not a new concept. Prior to the vast spread of COVID-19 nearly 50% of U.S. businesses offered remote work schedules to employees. With today's technology, it is relatively easy worldwide to work from anywhere as connecting to the internet is not a challenge. But trying to maintain compliance with regulation, security of systems, and privacy of data certainly is.

Let us take for example maintaining Payment Card Industry (PCI) Compliance. When a call center agent is working from home, they are no longer in a corporate controlled environment that is overseen by call center managers, team leaders, corporate cameras, and area access controls.

PCI Security Standards Council (PCI SCC) acknowledged this issue in the information Supplement "Protecting telephone Based Payment Card Data." So, what should a business be doing for WFH workers? Evaluate the risk of each home environment. It really is a satellite office - extension of your network. What does that look like?

• Validate the designated area that they will be using every day. Is it an isolated quiet area? Is it a coffee shop?
• Conduct additional training explaining what is acceptable behavior and use of corporate assets while in the home. For example, who is a trusted person in the home? What is the expectation (and how) to protect assets once the workday is over?
• Enforce the use of Virtual Private Network (VPN).
• Enforce multi-factor authentication.
• Ensure that maintenance times for updating systems is known and the expectation of the user e.g., do they need to click on update.
• Ensure that employee privacy policy is updated to reflect the work from home constraints and signed by the employee e.g., a child may be seen during a video call.
• Control (the best you can) from someone else overhearing a telephone or web conference meeting e.g., mandated use of a headset instead of on speaker, door to room needs to be closed, IoT devices with listening capabilities disabled and if possible, removed from the work area.
• Ensure firewall is installed and operational with URL restrictions e.g., block browsing to personal email, personal cloud storage devices.
• Ensure the latest version of the corporate anti-virus/anti-malware protection is installed with the latest updates.
• Ensure the latest security patches are installed (system and software).
• Ensure that users cannot disable security controls.
• Block the ability to boot from USB or alternate source.
• Block the ability to connect storage device.
• If taking credit card information, ensure the employee knows their responsibility for keep the consumer and credit card information secured – try to avoid the employee from even knowing the credit card information e.g., have the consumer key in their credit card information with the tones audibly and visually masked from the call center agent.

What device will employees use for remote work? Is it company-owned or personal? If possible, require all personnel to only use company-approved hardware devices. Mobile phones, telephone handsets, laptops, desktops, and systems should all be company-owned and approved. Due to cost or other related business issues, employees may be using their own networking equipment. If an employee must use their own equipment, be sure to have a Mobile Device Management (MDM) solution in place and have the compliance/privacy/security setting enabled.

How do you have employees secure their home WiFi network?

• Mandated change of the default username and password;
• Enable wireless network encryption - WPA3;
• As mentioned earlier use a VPN (do not use a free version – nothing really is free).
• Set up a Service Set Identifier (SSID) solely to use for work and hide it.
• Ensure that router software is up to date.
• Turn on the built in WiFi router firewall.
• Enable MAC address filtering.
• Disable remote administration.

In Summary, even with this very high-level overview, my goal is for the reader to see that physical and networking security measures that are routine in hardened delivery centers cannot fully nor easily be duplicated in a WFH environment. During times, such as we saw in the early days of COVID-19 (during the global mass exodus to WFH), compliance/privacy/security teams put in place their “best available” solution and worked with clients on understanding what that meant. Teams took into account regulatory and legal guidance – such as PCI SCC – during this world crisis.

As we move forward, a WFH model will continue to be the normal. Remember to always do an assessment on call center operations to ensure that they are following best business practices and following frameworks such as NIST CSF, PCI DSS, HIPAA, FFIEC, and Shared Assessments. Third Party Risk Management (TPRM) is always critical and even more so as companies who never worked from home shifted their workforce quickly home. As the upstream entity, it is your responsibility to not just take your downstream word for it but that you verify that the security, privacy, compliance, and risk management are in place. There are many great independent 3^rd party assessors out there that you can use to augment your staff in order to get the assessments completed in a timely fashion.