Managing Remote Teams Securely and Effectively

Thomas Taylor
Author: Thomas L. Taylor Jr., Cybersecurity Consultant, CapinTech
Published: April 7

Updated: April 17, 2023

Years after the start of the COVID-19 pandemic, organizations around the world are still adapting to this unprecedented event. Many companies were forced to allow employees to work remotely, which presented a variety of logistical and security challenges for information security professionals. Even after our society emerged from restrictive guidelines and returned to some sense of normalcy, remote and hybrid work arrangements remain popular across many industries. Organizations will need to continue to embrace a hybrid working mindset while maintaining data security and enhanced management for this type of workforce.

For years, employees within most professional businesses have had the capability to work from wherever they wanted. The rise in new technologies over the past decade alone has continued to push this trend further into the mainstream. However, pre-COVID-19, the vast majority of employees commuted to work, put in their hours, and commuted home, with little or no variation in their work schedules.

Obviously, all of that changed in 2020, when a large portion of the workforce was sent home indefinitely. Not only were employees trying to navigate drastic changes in their working environment, but their personal lives also changed in many ways, from continuously caring for school-aged children to the lack of personal interaction with extended family and friends.

This affected employees and managers alike, and approaches to ensuring the continuity of their efforts became more challenging. Employers should understand that, when it is executed properly, a hybrid working environment has many benefits, and research suggests it can be more productive than working in the office.

To ensure you are on track to implementing a hybrid working environment, your organization should consider the following three areas. These will help you establish appropriate boundaries and guidelines for all employees.

  1. Technology – Consider what you provide employees to do their work. While the devices in their hands are important, look at the software and applications they need to perform their duties. Duplicate services or products can be a major obstacle. Outdated software that may work incorrectly across mobile mediums can lead to issues with unauthorized use of other applications or shadow IT concerns.
  2. Process – You or teams within your organization may have discovered that some processes or policies that have been in place for years are woefully outdated in a hybrid working environment. Use this opportunity to allow organic change among your teams and ensure that remote employees can complete their work effectively. This is also a good time to look for ways to improve efficiency. It is the perfect opportunity to assess and adjust some things that “have always been done that way.”
  3. Culture – This is also a great time to take a step back and ensure the culture you want to foster is adequately reflected across the organization. This is a strategic decision that needs to be made by executive management to ensure that outdated ideals are pushed to the wayside for new mindsets to grow. Give employees greater autonomy and reduce micromanagement. Implement a framework for appropriate task delegation, tying work product to productivity rather than to hours worked.

Giving your user base the ability to work in this manner does not negate the need for security controls, however. This new mindset will create new challenges as your access and applications become decentralized. With proper planning, the following five areas can create an environment that supports your stakeholders while maintaining data security:

  1. Access Needs – Determine the need for and scope of access to information. You cannot manage what you cannot measure, so it is important to identify who needs a given capability, which access requirements are necessary, and how users will access resources. By assessing these areas, you can make thoughtful determinations of what controls should be implemented and how they will be managed. This can range from manual controls for a handful of users to fully centralized systems for entire organizations to help mitigate risks.
  2. Acceptable Use – Define acceptable use policies for the resources identified. Your organization may allow personal devices to access business resources; therefore, procedures related to personal devices should also be incorporated into policies. Employee responsibilities and restrictions should be well defined. Ensure details are included for lost devices or data removal when devices must be serviced for business purposes.
  3. Security Controls – Configure controls to support your policies for securing the applications and data that can be accessed, as well as the systems that access them. This includes, but is not limited to, strong password controls, lockout settings, and multi-factor authentication wherever possible. Limit retention of data across all storage means to minimize the impact of a potential breach. Ensure all devices utilized for business purposes are receiving proper patches and anti-malware updates promptly.
  4. Home Technology – As home network management becomes a concern, consider the evolving risks associated with home technology. These environments can introduce unmanaged technology, such as other home computers, printers, scanners, and Internet of Things (IoT) devices, all of which can provide an avenue of exploitation. If not properly secured or segmented, these devices could affect the devices employees use to access your business resources. Employees need to understand these risks and acknowledge relevant security procedures within acceptable use policies. Consider having employees properly secure their internet access with appropriate encryption, create guest networks to segment traffic, and even perform vulnerability scans of their home networks.
  5. End-User Training – It is well known that end users are the weakest link in information security. It is essential to ensure adequate training for the entire user base. Once employees work remotely, the way you manage controls changes, and the layers of protection you had in the office may no longer apply. Your employees need to be aware of the risks associated with the areas mentioned above. Talk to your employees about current threats, the risks of using public Wi-Fi, and the heightened threat of malware when using computers for both business and personal use.

The shift to a hybrid workforce forces change across the entirety of our businesses. As leaders within our organizations, we must ensure that management adapts accordingly. To be successful, we must embrace the technology required to secure our end users and their devices. Organizations can no longer avoid this transition and should embrace the changes needed for end users to stay secure, healthy, and adaptable.

Editor's note: For further reading about reducing security vulnerabilities in a hybrid workplace, see Timothy Liu's ISACA Journal online-exclusive article on the subject.

About the author: Thomas has more than a decade of experience in information technology. As a cybersecurity consultant, he performs information security assessments for numerous nonprofit organizations, provides guidance relating to data privacy and data security regulations, and serves as an advisor on internal and external service and software strategies. Previously, Thomas served as a state administrator and advisor for digital media and software development companies and performed information security review engagements for financial institutions, healthcare organizations, CPA firms, and many other industries. His work included regulatory reviews covering a variety of guidelines, including FFIEC, GLBA, HIPAA, and NACHA.

About CapinTech: CapinTech, a CapinCrouse company, provides information security services, including cybersecurity assessments, consulting, and training services, to financial institutions, nonprofit organizations, healthcare organizations, professional services firms, and other organizations. The firm performs hundreds of assessments, consulting engagements, and speaking engagements each year with a team of experienced professionals holding numerous certifications, including CPA, CISSP, CISM, CISA, CITP, CGMA, and CTGA. Each project is tailored to the organization's unique needs, and information and reports are presented in a clear, concise manner intended for an audience with varying information systems (IS) knowledge.