Risk Mitigation in a Remote Environment: Practical Considerations
Jul 9, 2024
Introduction
Topic:
Risk mitigation, maintaining compliance, security, and integrity in a remote environment
Moderator:
Rick Jose, Director of IT Assurance
Objectives:
Telework best practices
Teleworking threat landscape
COVID-19 impact on controls and compliance
Q&A:
Use Q&A option on the webinar platform
Panel Members
Sara Lynn: Security advisory partner with over 30 years of experience
Background: IT, information security, compliance, risk management, audit, business continuity, disaster recovery, technology engineering
Industries: High-tech, banking, financial services, insurance, medical, telecommunications, retail
Expertise: SaaS and IaaS platforms
David Tripp: Security assessment partner
Background: Led over 1,400 penetration tests for various sectors globally
Perspective: Provides hacker’s view on security
Ashwani Verma: Risk assurance and advisory services partner
Background: 20 years of experience in internal audit, risk management, regulatory compliance, IT controls
Expertise: Sarbanes-Oxley, enterprise risk management, fraud risk assessments, IT security, privacy strategy
Telework Best Practices (Sara Lynn)
Security and Privacy:
Address security and privacy in home workspaces beyond just laptop and VPN
Confidential paperwork handling, printing policies, workspace cleanliness, locking laptops
Home Workspace:
Assess and manage workspaces; control and support as needed
Access Control:
Ensure laptops are locked during breaks, consider who else can see the screen
Policy and Training:
Update/write work-from-home (WFH) policies, update training materials
Ensure policies are practiced and acknowledged by employees
Enforce compliance and monitor network activity
Administrative Access:
Maintain auditability of administrative/privileged access from home
Stories and Examples
Compliance Projects:
Some companies continue compliance projects remotely with proper support
Interim Support:
Provide support for companies hiring interim security staff
Accelerated Projects:
Some increased pace of projects like changing security architecture
Continuous Monitoring:
Decision to implement continuous monitoring during the slowdown
Teleworking Threat Landscape (David Tripp)
Increased Attack Surface:
Home devices outside company firewall, higher utilization of VPN, email services
Social Engineering Attacks:
Impersonating IT, phishing, COVID-19 related scams
Home Network Security:
Vulnerabilities in ISP-provided routers, home Wi-Fi, IoT devices
Examples of COVID-19-related Attacks:
Phishing, fake authority emails, malicious attachments
Multi-Factor Authentication (MFA):
Attacks target MFA systems through social engineering, help desk manipulation
Importance of strong passwords and secure encryption
MFA Challenges & Recommendations
Username & Password:
Ensure strong passwords, avoid common phrases
Network Authentication:
MFA processes for VPN, remote desktops
Phone Security:
Beware of calls claiming to be helpdesk/support
Public Wi-Fi:
Avoid using unless necessary; prefer personal hotspots, use VPN
COVID-19 Impact on Controls and Compliance (Ashwani Verma)
Enterprise Risk Management (ERM):
Focus on fraud risk, reputational risk, supply chain issues, business continuity, revenue generation
Internal Controls:
Maintain controls with a remote workforce; address segregation of duties, approval processes
Regulatory Compliance:
Continuous necessity for SOX, GDPR, CCPA compliance, documentation of controls
Third-Party Risk Management:
Audit and confirm third-party SOC reports
Financial Reporting:
Adhere to SEC and regulator requirements
Recommendations
Update Risk Assessments:
Document new risks presented by COVID-19
External Auditor Communication:
Maintain ongoing dialogue with external auditors/regulators
Internal Audit Utilization:
Leverage internal audit resources for consulting and compliance advice
Succession Planning:
Ensure continuity plans include leadership contingency measures
Q&A Highlights
VPN Security:
Multi-factor authentication, logging controls, monitoring VPN access
Alternative Security Measures:
Stronger passwords, secure file sharing methods, use of encryption
Home Network Security:
Update router settings, enable WPA2/3 encryption
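The VPN recommendations above (MFA on VPN and remote desktop access, logging controls, monitoring VPN access) and the MFA-fatigue style attacks David Tripp describes only pay off if someone actually looks at the logs. The following is an added example, not code from the webinar or its presenters: it runs two simple detections over constructed VPN authentication log lines. The log format (timestamp, user, source IP, GeoIP country, MFA result), the thresholds and the sample lines are assumptions made for this example, not any vendor's real format.

```python
"""Added example (not from the webinar): flag suspicious VPN sign-ins from
constructed VPN authentication log lines.

Two detections worth having once VPN logging and MFA are in place:
  * MFA fatigue: several denied MFA prompts for one user shortly before an
    accepted prompt (attacker holds the password and spams push requests).
  * Impossible travel: the same user authenticating from two countries
    within a window too short to physically travel between them.

The field layout (timestamp,user,src_ip,country,mfa_result), the thresholds
and the sample data below are assumptions for this example only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Fields:
# ISO timestamp, username, source IP, GeoIP country, MFA result
SAMPLE_LOG = """\
2024-04-02T08:01:10Z,alice,203.0.113.7,US,accepted
2024-04-02T08:03:42Z,bob,198.51.100.23,US,denied
2024-04-02T08:04:05Z,bob,198.51.100.23,US,denied
2024-04-02T08:04:31Z,bob,198.51.100.23,US,denied
2024-04-02T08:05:02Z,bob,198.51.100.23,US,accepted
2024-04-02T09:15:00Z,carol,192.0.2.44,DE,accepted
2024-04-02T09:40:12Z,carol,203.0.113.99,BR,accepted
2024-04-02T17:30:00Z,alice,203.0.113.7,US,accepted
"""

MFA_DENY_THRESHOLD = 3            # denials before an accept that count as fatigue
MFA_WINDOW = timedelta(minutes=10)  # how far back to look for those denials
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious


def parse_log(text):
    """Parse CSV-style VPN auth lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "country": country,
            "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events):
    """Return (user, accept_time, denial_count) for every accepted MFA prompt
    preceded by >= MFA_DENY_THRESHOLD denials within MFA_WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "accepted":
                continue
            recent_denials = [
                d for d in evs[:i]
                if d["result"] == "denied" and e["ts"] - d["ts"] <= MFA_WINDOW
            ]
            if len(recent_denials) >= MFA_DENY_THRESHOLD:
                alerts.append((user, e["ts"], len(recent_denials)))
    return alerts


def detect_impossible_travel(events):
    """Return (user, previous_country, new_country, minutes_apart) for
    consecutive accepted logins from different countries within TRAVEL_WINDOW."""
    last_accept = {}
    alerts = []
    for e in events:
        if e["result"] != "accepted":
            continue
        prev = last_accept.get(e["user"])
        if prev and prev["country"] != e["country"] \
                and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            minutes = int((e["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append((e["user"], prev["country"], e["country"], minutes))
        last_accept[e["user"]] = e
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, n in detect_mfa_fatigue(evs):
        print(f"MFA fatigue: {user} accepted at {ts} after {n} denials")
    for user, a, b, mins in detect_impossible_travel(evs):
        print(f"Impossible travel: {user} {a} -> {b} within {mins} min")
```

On the sample data, "bob" trips the MFA-fatigue rule (three denials in the two minutes before the accepted push) and "carol" trips impossible travel (Germany, then Brazil 25 minutes later). Both are the kind of event the help-desk manipulation and push-spamming attacks in the threat-landscape section produce, and neither is visible if VPN MFA results are not logged with the source country.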
Closing Remarks
Resources:
Stay updated via BPM COVID-19 Resource Center
Contact Information:
For further questions, contact BPM CPA
Recording & Presentation:
Available for review