Remote Work Security Policy

Purpose and Scope

The Remote Work Security Policy specifies the requirements for protecting assets and their data via physical and virtual controls and safeguards in a fully remote environment. Physical security remains an important aspect of information security; however, in a remote setting, virtual protections become paramount. Sord maintains reasonable steps to ensure that its remote work environments, information systems, and data are accessed only by authorized personnel to prevent unauthorized access, damage, theft, and interference. All security requirements are applicable to remote work environments. Key aspects of remote work security include: home office security, access controls, visitor management, equipment protection and maintenance, awareness and training, and risk management.

Home Office Security

Employees must ensure their home offices are secure. This includes locking doors and windows when the office is unattended, using shredders for sensitive paper documents, and securing any physical access points to the work area.

Visitor Management

While working remotely, employees should be cautious of visitors to their home office.

Employees must ensure that visitors do not have access to any sensitive company information or equipment. Any unauthorized or suspicious visitors should be reported to the security team immediately.

Restricted Areas

In a remote work environment, restricted areas refer to digital access rather than physical spaces. Only authorized personnel should have access to sensitive systems, databases, and information. This includes:

  • Company VPNs

  • Cloud storage and databases

  • Internal communication tools

  • Sensitive documents and files

Access should be controlled via digital access controls such as passwords, MFA, and access logs.

Equipment

Employees must ensure the protection and maintenance of the following equipment:

  • Company-issued laptops and desktops

  • Home network security (e.g., firewalls, encrypted Wi-Fi)

  • External storage devices

  • Any physical documents containing sensitive information

Equipment should be protected from physical threats (e.g., theft) and virtual threats (e.g., malware). Regular maintenance and security updates should be conducted to prevent failures and vulnerabilities. Any third-party access to equipment or systems must be approved by management and follow all applicable security policies.

Awareness and Training

Sord includes remote work security as part of annual security awareness training. This training covers best practices for securing home offices, recognizing phishing attempts, and maintaining secure communication channels.

Risk Management

Sord includes remote work security within the annual risk assessment scope. This involves evaluating potential risks specific to remote work environments and implementing measures to mitigate those risks.

Exceptions

Sord business needs, local situations, laws, and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

Any person who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.

The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures and from committing any other security breaches.

Responsibility, Review, and Audit

At least annually, Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements. The results are shared with appropriate parties internally, and findings are tracked to resolution. Any changes are communicated across the organization.

This document is maintained by Jonathan Gautsch.

This document was last updated on 03/27/2024.
