On April 15, during the first lockdown imposed to curb the spread of Covid-19, the Personal Data Protection Authority published a set of important guidelines on security measures for teleworking.
These guidelines matter for every organization subject to the General Data Protection Regulation (GDPR), whether or not it operates an ISO 27001 or ISO 27701 management system.
In a teleworking environment covered by an Information Security Management System (ISMS) under ISO 27001 and/or a Privacy Information Management System (PIMS) under ISO 27701, the following must be kept in mind:
1. The organization or company (hereinafter "the organization") must define and maintain specific procedures for teleworking. These procedures must take into account, case by case, the nature and severity of the risks to personal data that arise from remote work.
2. The organization must adequately inform, train and assist its employees in applying these procedures, bearing in mind that many users are unfamiliar with the technologies that support teleworking and with the associated risks. The contribution of the Data Protection Officer (DPO), where one has been appointed, is valuable here.
3. It is specifically pointed out that the organization's obligations regarding the protection of its employees' own personal data carry extra weight in the case of teleworking, because an employee working from home has a heightened expectation of privacy.
Teleworking procedures are recommended to include measures such as the following:
Network access
1. Ensure that insecure remote access to the organization's information-system resources, such as internal computers and internal files, is not possible. A secure connection can be achieved, for example, through a virtual private network in which the traffic is encrypted and the users are authenticated (e.g. an IPsec VPN).
i. Define and limit the resources reachable remotely to those necessary for the tasks the teleworker performs.
ii. Allow connection to the organization's computer systems through a Remote Desktop Protocol (RDP) service only when it takes place over a secure virtual private network (VPN); the RDP service itself must not be reachable directly from the Internet.
2. Use WPA2 with a strong passphrase when the teleworker's device connects to the Internet over a wireless network (Wi-Fi). This applies even when a secure connection to the organization's network (e.g. a VPN) is established on top of it: the VPN protects only the tunnelled traffic, not the device's exposure on the local wireless network.
3. Avoid storing files with personal data in Internet storage services (e.g. Dropbox, OneDrive, Google Drive) unless appropriate guarantees exist, for instance the service is provided by the organization itself with appropriate security measures, or the data is stored exclusively in properly encrypted form.
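Point 1.ii ("RDP only over a VPN") is easy to state and easy to violate silently, so an organization should verify it from the logs as well as enforce it at the firewall. The following is an added example, not part of the Authority's guidelines: it parses Windows Security logon events (Event ID 4624 with Logon Type 10, the RemoteInteractive type used by RDP) and reports every successful RDP logon whose source address lies outside the VPN client address pool. The event records and the pool 10.8.0.0/24 are constructed assumptions for the example; field names follow the 4624 event but the lines are not real logs.

```python
"""Detect RDP logons that did not arrive through the VPN.

Added example (not from the Authority's guidelines). Assumptions:
  - the VPN hands out client addresses from 10.8.0.0/24;
  - events are available as "Key=Value" pairs per line.
"""
import ipaddress
import re

# Assumed VPN client address pool; add further pools as needed.
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24")]

SUCCESSFUL_LOGON = "4624"     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"         # RemoteInteractive, i.e. RDP / Terminal Services

# Constructed sample records modelled on the fields of a 4624 event (not real logs).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=alice SourceNetworkAddress=10.8.0.23",
    "EventID=4624 LogonType=10 TargetUserName=bob SourceNetworkAddress=203.0.113.45",
    "EventID=4624 LogonType=2 TargetUserName=carol SourceNetworkAddress=-",
    "EventID=4624 LogonType=10 TargetUserName=dave SourceNetworkAddress=::1",
    "EventID=4625 LogonType=10 TargetUserName=mallory SourceNetworkAddress=198.51.100.9",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_vpn_address(addr):
    """True only if addr parses as an IP address inside one of the VPN pools."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "-" or malformed: cannot be verified, so treat as not VPN
    # IPv4Network.__contains__ returns False for an IPv6 address, so ::1 is flagged.
    return any(ip in pool for pool in VPN_POOLS)


def rdp_logons_outside_vpn(lines):
    """Return (user, source) for successful RDP logons not sourced from the VPN pool."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != SUCCESSFUL_LOGON:
            continue               # failed logons (4625) are a separate alert
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue               # console, network and service logons are out of scope
        src = ev.get("SourceNetworkAddress", "-")
        if not is_vpn_address(src):
            findings.append((ev.get("TargetUserName", "?"), src))
    return findings


if __name__ == "__main__":
    for user, src in rdp_logons_outside_vpn(SAMPLE_EVENTS):
        print(f"RDP logon for {user} from {src}: not via VPN pool")
```

Loopback sources such as ::1 or 127.0.0.1 are deliberately reported, since they usually mean RDP was reached through some local tunnel (an SSH forward, a client-side VPN that terminates on the host) and should be reviewed rather than assumed safe; if the organization's VPN client is known to present logons that way, add that address to the allowed pools explicitly rather than weakening the check.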
Use of e-mail and messaging applications
1. Avoid using personal e-mail accounts (e.g. Gmail, Yahoo, Hotmail) to send or receive messages containing personal data for teleworking purposes. Use the professional e-mail address provided by the organization instead. If that is not technically feasible (e.g. the internal e-mail system is not reachable from outside the network), the content of messages containing personal data should be encrypted appropriately (either the whole message or only the attachments).
2. Avoid using messaging applications (text and/or video) for teleworking purposes when the messages contain personal data whose leakage would be dangerous. If they are necessary, prefer services whose security features (encryption, data protection settings) are rated as strong.
Use of the terminal device and storage media
1. Install and regularly update antivirus software and a firewall on the device (computer, laptop, etc.) used for teleworking.
2. Install the latest updates of the application software and operating system on the employee's device.
3. Use an up-to-date release of the Internet browser (e.g. Firefox, Chrome). Do not keep a browsing history (private browsing), or delete the telework-related entries from the history at the end of the work session.
4. Keep files containing personal data that relate to the work separate from the employee's personal files on the device (e.g. in clearly distinct folders with an appropriate identifying name). Where possible, use a virtual machine dedicated exclusively to teleworking.
5. The organization should provide procedures for the proper encryption of files containing personal data, especially when they are stored on portable/removable media (e.g. USB sticks). In every case, encrypting the files on the main device used for teleworking (desktop computer, laptop, etc.) should also be considered, particularly for high-risk data.
6. The organization should provide backup procedures for files with personal data that are processed in the course of teleworking. The encryption requirements of point 5 apply equally to the backup copies.
7. Lock the device used for teleworking (e.g. a screen saver that requires an unlock code) whenever it is left unattended, for whatever reason.
Conducting teleconferences
1. For teleconferencing, use platforms that support security services (encryption). For example, video-conferencing software that does not provide end-to-end encryption should be avoided.
2. For a scheduled teleconference, protect its access link (e.g. do not publish it on a social network).
3. Study the terms of use and the personal data protection terms carefully when choosing the teleconferencing solution.