As the country transitions to Modified Enhanced Community Quarantine for Metro Manila and a few other areas, and General Community Quarantine for the rest, alternative work arrangements will continue for extended periods of time. As a supplement to our earlier advisory on the privacy implications of a work-from-home (WFH) arrangement, the following are NPC’s suggestions to those implementing the same:
Authorized Information Communication Technology (ICT) Assets. Organizations are responsible for making sure telecommuting employees are provided the proper ICT assets. In return, employees are accountable and responsible for the physical care of those assets.
1. Computers and other ICT peripherals. Employers should issue their staff with appropriate ICT resources to adequately perform their duties. Personal devices may be used if provision of organization-owned ICT resources is impractical. Such practice, however, must be governed by the organization’s Bring Your Own Devices (BYOD) policy.
2. Removable Devices. Personnel are encouraged to use only organization-issued ICT peripherals (such as USB flash drives, USB mice, USB keyboards, etc.). When using portable media (such as disks or USB flash drives) to store or transfer data, the use of data encryption must be ensured.
3. Software. Use only software authorized by the organization, and only for official purposes. Avoid storing the organization’s digital files, including those with personal data, on external services and software.
4. Proper configuration and security updates. Install security patches prior to and while WFH is enforced to prevent cyber security exploits and malicious damage, including the following:
o Automatic update & installation of operating system security patches
o Periodic scheduling & scanning of authorized antivirus software
o Automatic update, installation & configuration of web browser and its preferences
o Automatic update & installation of personal productivity software (e.g., word processor, spreadsheet processor, presentation software)
o Update and configuration of video conferencing software / platform
5. Web Browser Hardening. Ensure that your browser is up to date & properly configured.
6. Video conferencing. If available, only use video conferencing platforms contracted by your organization, which should pass its privacy and security standards.
When availing of free platforms, use only an up-to-date version, one that offers adequate privacy & security features, and is properly configured:
• Set your meeting to ‘private’ by default. Do not reveal meeting IDs in public domains
• Require meeting participants to enter a password upon joining
• Make sure the meeting host is notified when people join and verifies the identity of each
• Carefully control screen sharing & recording
• Keep cameras & microphones turned off, except when speaking
• Avoid transferring files
Acceptable Use. Organizations must have an Acceptable Use Policy (AUP) that defines allowable personal uses of ICT assets. This may include:
• Personal emails
• Browsing of news and articles
• Social media/networking (can be defined in a separate organizational policy)
• Video streaming
While organization ICT assets should only be used for authorized purposes, the AUP must acknowledge that occasional personal use by employees may occur without adverse effect to the organization’s interests. The AUP should also define unacceptable and unauthorized uses.
Access Control. Personnel access to organization data must only be on a “need-to-know” basis, anchored on pre-defined user profiles and controlled via a systems management tool.
User Authentication. Require strong passwords to access personnel credentials and accounts. Passwords must be at least eight (8) characters long, comprising upper- and lower-case letters, numbers and symbols. Prohibit sharing of passwords. Set up multifactor authentication for all accounts to deny threat actors immediate control of an account with a compromised password.
Network Security. When organization ICT assets are connected to personal hotspots and/or home Wi-Fi networks, observe the following:
• Don’t visit malicious webpages. Always look for the “https” prefix on the URL to ensure the connection is encrypted. Also, inspect the site’s certificate manually to validate owner identity.
• As much as possible, ensure high availability and reliability of internet connection.
• Configure the Wi-Fi Modem or Router. Review and configure the following:
o Current devices connected;
o Encryption/Security: Wi-Fi Protected Access 2 (WPA2) Advanced Encryption Standard (AES) with a strong password.
• Avoid connecting office computers to public networks, such as coffee shop Wi-Fi. If left with no choice, use a reliable Virtual Private Network (VPN) when connecting.
Records and File Security. Set up policies to ensure sensitive data is processed in a protected and confidential manner to prevent unauthorized access, including:
• A records management policy
• A policy against posting sensitive documents in unauthorized channels, such as social media sites
• A policy imposing the use of a file’s digital version instead of physical records, whenever possible
• A retention policy for processing sensitive data in personal devices.
Emails. When transferring sensitive data via email, encrypt files and attachments. Also, ensure that personnel always use the proper “TO, CC and BCC” fields to avoid sending to wrong recipients or needlessly exposing other people’s email addresses to all recipients.
Physical security. Create workspaces in private areas of the home, or angle work computers in a way that minimizes unauthorized or accidental viewing by others.
• Lock away work devices and physical files in secure storage when not in use. Should there be a need to print documents, the personnel must ensure that physical and digital documents are properly handled and disposed of – in accordance with office policy.
• Never leave physical documents with sensitive data just lying around, nor use them as “scratch paper”.
Security Incident Management. Personnel must immediately notify their immediate supervisor in case of a potential or actual personal data breach while working from home. The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted.