.st0{fill:#FFFFFF;}

Compliance

What Devices Should Be Managed?

 May 6, 2020

By  Anton Kiorolgo

Businesses often must follow regulatory compliance requirements, and even choose to voluntarily follow industry-standard requirements to prevent issues when it doesn’t fully pertain to their course of business. If your business is required to comply with a regulatory compliance standard, or if your internal IT policies and procedures state that your organization must follow a specific standard, keep reading, as this article will answer many of the most common questions related to what machines should be compliant.

Simplified: If a computer is used for even the most basic work, such as word processing in Office 365 or editing photos in Photoshop, the device should be managed.

“I’m sure people check their work email on their home computers sometimes, or log into our document storage server from the same places. Does that mean we have to monitor all of those devices?”

Answer:

If employees are working from home, and you do not want to have to manage both their home (personal) device as well as their work device, there are two options:

Option one: Give them a laptop. Laptops have come a long way since their first iterations in the early 2000s. Most users will not discern any processing power difference between a mid-range business laptop and a desktop computer.

Two: Utilize a remote access tool. While it is the often-picked solution, it isn’t necessarily the best. It all goes back to your regulatory requirements. Some requirements do not allow for remote access to a machine unless the device used to access is also managed and secured in the same way. Note, though, that the vast majority of the time managed devices on both endpoints are usually required to meet security requirements.

“I’m afraid I would never get everyone to tell me everywhere they log in from.”

Answer:
White listing is recommended. In a whitelist environment, only specific devices can access data, providing an extra layer of protection past user permissions. Think of a whitelist as user permissions for devices.

Want to join in the conversation? Talk with us on social media!

Facebook: https://www.facebook.com/secfirstit/

LinkedIn: https://www.linkedin.com/company/securityfirstit

Hashtags: #devicesecurity #cellphonesecurity #devicesecurity #security #mobiledevicesecurity #iotdevicesecurity #cybersecurity #computersecurity

“If they have a personal computer at work, they are likely doing something work related. Some of our employees use a Mac at home and bring into the office. Does that qualify as being of our systems that needs to be monitored?”

Answer:

If employees, clients, and guests are bringing their own personal devices but not accessing important data, it is advisable to set up a guest network. The guest network should be a highly gated and well-regulated network that does not allow for any access to corporate devices. Follow the name “guest network” literally. Devices connected to the guest network should only be able to access the internet and at most a printer dedicated to the guest network, if necessary.

If work is being performed on a device, including corporate or client data is being stored, viewed, or manipulated on that device, it must be secured to the same standard as all other devices.

“We have contractors that come by our office and use various machines – none of them are monitored inside our network.”

Answer:

The good news is that this is a common issue for businesses that reply on contract workers.

The answer is the creation of a minimum use standard for contractors to comply with. If they’re accessing the same data as employees, then the devices that they are using must be secured to the same standard.

The leadership or IT team must decide if contractors will be provided with company devices, or if contractors will be expected to apply necessary security on their own personal devices.

If you use a Managed Security Services Provider (MSSP), such as Security First IT, this is an area we can certainly assist with. Many of our clients require contractors to work with an MSSP firm, and to certify that the systems they are using are compliant. If the contractor doesn’t have a MSSP that they work with, we open a dialog between our client, the contractor, and ourselves about what it would mean for the contract to become a client in order to become compliant. 

One major advantage of using the same MSSP, (using Security First IT as our example) is that we already have the requirements that our clients have to comply with, so when their contractor is brought on as a new client, their requirements can simply be adopted over. 

“What about iPads? We routinely use an iPad that probably isn’t monitored.”

Answer:

Unfortunately, iPads are just as susceptible to cyber security threats as any other computer and so should be managed and secured if they are accessing corporate data. While it is true that infections on apple devices are lower, the urban legend that they are impervious to attacks as viruses for them are rarely developed is just that – an urban legend.

Still Wondering?

In conclusion, the difficulty involved with implementing safeguards for regulations and requirements do not change the regulations and requirements themselves. If a requirement states that in order for a machine to access company data the machine must be managed, then that is the requirement, no matter how difficult to implement.

Word of caution:
It is very common for businesses to create a standard for contractors, and then not enforce the policies. This is risky, as not enforcing the policies leaves the network open and vulnerable to attack – leaving data to be a sitting duck, and the window to litigation open.

Having trouble finding trustworthy IT support?

Please contact us to schedule a consultation.

Subscribe to our newsletter now!