Horizons Fall/Winter 2020
Area of Interest 2: Personal Devices Connecting to Network

Concern: Some organizations have been able to avoid purchasing new hardware by allowing employees to use their own devices (e.g., mobile devices, home computers). Personal devices bring a huge risk due to a lack of malware protection and failure to install operating system and security updates. It's important to ensure that non-corporate devices only have access to certain portions of the network that are strictly controlled, so if the device becomes compromised, sensitive data will not be exposed.

Recommendation: Understand which employee-owned personal devices can access your organization's network and make sure that the correct security settings are implemented on those personal devices, including the use of a virtual private network (VPN), segmentation, endpoint management, etc.

Concern: Changes that were made to stay operational during the initial stages of the pandemic might have put a company out of compliance with regulatory requirements or its own internal policies. Examples of those changes include increasing password age configurations, changes to firewall rules, changes to network layout, or the elimination of network segmentation. It is important to understand what changes were made in response to what the organization thought was a short-term solution and evaluate the impacts of those changes.

Recommendation: Evaluate the infrastructure configuration changes made to start working from home and evaluate whether changes need to be undone or redone to reduce the risks identified. If a regulatory issue is identified, self-report the violation and the corrective actions taken.

Area of Interest 3: Infrastructure Governance