The Government of India has announced its plan to extend the lockdown further. However, organizations have already begun to strategize the return of their workforce to their respective offices once the lockdown ends. Circumstances in offices will not be the same when employees return, and many CISOs expect the return of the full workforce to happen in phases, spread over the next several months.
COVID-19 will require employees to stay cautious and follow social distancing norms at all times, whether in seating areas or in closed-door meetings. Hand sanitizers and face masks have gained a permanent place in the procurement of office supplies. This situation might persist for years to come.
Data Security Council of India (DSCI) has been organising special calls since mid-March 2020 and has recently concluded the “CISO calls” series after seven successful weekly discussions. The platform allowed CISOs from various sectors such as banking, public services, insurance, oil & gas, transport & tourism, and many more to come together and discuss their strategies for dealing with the pandemic.
This paper focuses on the most pressing discussion of the hour: how should organizations roll out their strategy for the return to work from office under the new circumstances? It presents the aggregated view from our weekly calls with CISOs, and these views are as applicable to large organisations as they are to small and medium businesses, including start-ups.
Whatever the scale and complexity of the organization and the sector it belongs to, the strategy for fighting such a humanitarian issue must address the basics of any organization: People, Processes and Technologies.
People – The most important element of any organization
Organizations will have to develop their own system to manage the workforce returning to the workplace. While doing so, they may consider their decisions as ultimately falling under one of two levels: strategic and operational.
Risk classification and data classification have always been critical first steps in cybersecurity; return to office under the new normal should begin with people classification.
Just as organizations do risk assessment and data classification across business units, they will have to develop a strategic assessment model to identify the critical resources who can deliver the critical projects. Some CISOs referred to this as the people classification approach. Developing a resource capability matrix is the first step in this direction.
Only once the BU heads have an exhaustive list of employees, mapped to capabilities and business processes, will they be able to move to the next step, the criticality assessment of business processes.
Criticality assessment of a business process involves assessing the overall impact on the business if project deliveries are further delayed or hampered due to unavailability of resources.
There are various approaches to people classification. Some CISOs would classify employees based on the critical nature of their work and their productivity while working from home. Others would classify employees based on the individual's exposure to vendors and other partners in the ecosystem; the second approach would then help CISOs monitor employees’ health and interactions accordingly. The tables below show two such approaches:
The duration of each phase may vary from multiple weeks to months, depending on regular evaluation by leadership and HR.
COVID-19 is a unique situation that has tested organizations’ agility and resiliency. The beginning of lockdown required organizations to adopt new processes that made at-scale work from home feasible. Similarly, once the lockdown ends, it will require organizations to re-visit these processes.
Certainly, the processes that applied to work in the office under usual, pre-COVID-19 circumstances won’t apply in the post-pandemic “new normal”. To many CISOs, COVID-19 has been like a zero-day attack on our lives, and hence it requires us to rethink the processes and the implications of these new processes for the teams.
The six-phase approach encompasses various technological and administrative controls. At the onset, it requires CISOs to identify the teams and business units that will be impacted.
COVID-19 is like a zero-day attack on human lives. Hence there is a need for us to re-think and re-design our processes and to think about the implications of those processes for the teams.
Aware & Apt: Once workforce planning is complete, as discussed in the previous section, the CISO and his/her team must develop user awareness of best practices for switching the work environment (from home to office). To be impactful and relevant, the awareness must be tuned to the specific needs of the teams.
Prepare & Push: Since employees will be returning to the office after a prolonged lockdown, organizations need to develop controls to ensure infrastructure readiness, deployment of hardening standards, and baseline security.
Table 3 (below) shows some of the initial steps that organizations must take early on, even before workforces return to the office:
Scan & Sanitize: This step requires CISO teams to develop a plan for scanning machines before they are connected back to the office network, check for new vulnerability disclosures in the past 7-8 weeks, check whether plug-ins are available, and have a clear understanding of how machines will be quarantined. Only once this step is planned in detail does it make sense for CISO teams to plan the “allow and admit” step.
Allow & Admit: This is the step where the IT team plans to provision access to the network and allow employees’ laptops and desktops back onto the corporate network. Before this is achieved, the IT team must understand the distribution of employees on the office premises as well as at home, and plan for provisioning access to the network zones accordingly.
Track & Trace: Up to this point, the approach has allowed all devices to re-connect to the corporate network. Track & trace is about monitoring network behaviour and reconfiguring rules based on use cases and indicators of compromise observed and developed over the last few weeks.
CISOs across Indian sectors agree that there is a fair amount of “noise” in the network; hence monitoring needs to be fine-tuned, and there is a need for proactive monitoring, perhaps on a daily basis.
Comply & Conclude: In the weeks following lockdown, many devices will be back on the corporate network; hence the need for continuous tracking and compliance. One thing that came out very clearly from our CISO community was zero tolerance for non-compliance, irrespective of the criticality of the alert. Continuous information sharing between IT personnel and the business is needed at this stage.
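The Scan & Sanitize, Allow & Admit, Track & Trace and Comply & Conclude steps above as one working pass, written here as an added example and not as code from the DSCI paper or from any CISO's programme: a device is admitted to a network zone only when it passes a baseline posture check, proxy log lines from the reconnection period are matched against indicators with a tunable allowlist for known noise, and any admitted host that hits an indicator is returned to quarantine (the zero-tolerance rule). The thresholds, agent names, zone names, log format and indicator domains are all constructed assumptions.

```python
"""Re-admission gate and post-admission indicator check over constructed data.

Added example, not code from the DSCI paper. Policy thresholds, agent names,
zone names, the log format and the indicator values are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# --- Scan & Sanitize / Allow & Admit: posture policy (constructed thresholds) ---
MAX_DAYS_SINCE_PATCH = 14              # assumption: patched within two weeks
MAX_DAYS_SINCE_AV_SIGNATURE = 3        # assumption: AV signatures under three days old
REQUIRED_AGENTS: Set[str] = {"edr", "disk-encryption"}   # hypothetical agent names

@dataclass
class Endpoint:
    hostname: str
    location: str                      # "office" or "remote"
    last_patch: date
    av_signature_date: date
    agents: Set[str]
    open_critical_vulns: int           # findings from the pre-admission scan

@dataclass
class Decision:
    hostname: str
    zone: str                          # "corp-office", "corp-remote" or "quarantine"
    reasons: List[str] = field(default_factory=list)

def assess(ep: Endpoint, today: date) -> Decision:
    """Admit a device to a network zone only if every baseline check passes."""
    reasons = []
    if (today - ep.last_patch).days > MAX_DAYS_SINCE_PATCH:
        reasons.append(f"patches older than {MAX_DAYS_SINCE_PATCH} days")
    if (today - ep.av_signature_date).days > MAX_DAYS_SINCE_AV_SIGNATURE:
        reasons.append("stale AV signatures")
    missing = REQUIRED_AGENTS - ep.agents
    if missing:
        reasons.append("missing agents: " + ", ".join(sorted(missing)))
    if ep.open_critical_vulns:
        reasons.append(f"{ep.open_critical_vulns} unremediated critical finding(s)")
    if reasons:
        return Decision(ep.hostname, "quarantine", reasons)
    return Decision(ep.hostname, "corp-office" if ep.location == "office" else "corp-remote")

# --- Track & Trace: indicator matching over proxy logs (constructed line format) ---
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")
IOC_DOMAINS = {"c2.example.invalid"}        # placeholder indicator, not a real IoC
ALLOWLIST = {"updates.example.test"}        # known-noisy destination, tuned over time

def indicator_hits(log_text: str) -> Dict[str, List[str]]:
    """Map source host -> matched destinations, skipping allowlisted noise and unparsable lines."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] in ALLOWLIST:
            continue
        if m["dst"] in IOC_DOMAINS:
            hits[m["src"]].append(m["dst"])
    return dict(hits)

# --- Comply & Conclude: any indicator hit on an admitted host sends it back to quarantine ---
def reconcile(decisions: Dict[str, Decision], hits: Dict[str, List[str]]) -> Dict[str, Decision]:
    for host, dsts in hits.items():
        d = decisions.get(host)
        if d and d.zone != "quarantine":
            decisions[host] = Decision(host, "quarantine", [f"indicator hit: {x}" for x in dsts])
    return decisions

def run(endpoints: List[Endpoint], today: date, log_text: str) -> Dict[str, Decision]:
    decisions = {ep.hostname: assess(ep, today) for ep in endpoints}
    return reconcile(decisions, indicator_hits(log_text))

# Constructed sample inventory and log lines
SAMPLE_DAY = date(2020, 6, 1)
SAMPLE_INVENTORY = [
    Endpoint("lap-0101", "office", date(2020, 5, 25), date(2020, 5, 31), {"edr", "disk-encryption"}, 0),
    Endpoint("lap-0102", "remote", date(2020, 3, 20), date(2020, 5, 30), {"edr", "disk-encryption"}, 0),
    Endpoint("dsk-0201", "office", date(2020, 5, 28), date(2020, 5, 31), {"edr", "disk-encryption"}, 0),
]
SAMPLE_LOGS = """\
2020-06-01T09:00:01 lap-0101 updates.example.test 20480
2020-06-01T09:00:05 dsk-0201 updates.example.test 8000
2020-06-01T09:02:00 dsk-0201 c2.example.invalid 64
not a log line
"""

if __name__ == "__main__":
    for d in run(SAMPLE_INVENTORY, SAMPLE_DAY, SAMPLE_LOGS).values():
        print(d.hostname, d.zone, "; ".join(d.reasons))
```

In the sample data, `lap-0101` passes every check and lands in the office zone, `lap-0102` is held in quarantine because its last patch predates the lockdown, and `dsk-0201` is admitted on posture but pulled back as soon as an indicator match appears in the logs; the allowlist keeps the update-server traffic from being counted as noise-driven alerts.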
Technology – A need for re-calibration
CISOs agree that there should be zero tolerance for non-compliance, irrespective of criticality
While four of the six phases provide a good understanding of the expectations from the IT and cybersecurity teams in any organization, CISOs agree that technology needs to be seen through a different lens altogether.
Among the very first steps, the IT and cybersecurity teams must re-evaluate the security baseline across the organization. Soon after the baseline assessment, the team must ensure that all devices and endpoints across the organization adhere to it.
If there was a unanimous agreement during the CISO meetings, it was on how IT teams should handle patch management, the importance of phishing drills across the organization, and managing BYOD (Bring Your Own Device). Given the rise in cyberattacks through unpatched vulnerabilities, IT teams must ensure that all known vulnerabilities are remediated, irrespective of the threat they pose. BYOD needs more policy-level intervention, as the level of threat has increased significantly.
Audit and compliance teams have important roles in the “new normal” environment. It is highly likely that audit has taken a back seat in the last 5-6 weeks, and hence organizations should re-prioritize efforts towards audit and compliance.
As many employees will continue to work from home for many weeks or months, the IT team should keep supporting the various technology means of accessing the corporate network, such as VPN and Virtual Desktop Infrastructure (VDI). As many corporate applications have moved to the cloud, provisioning access to cloud applications will continue to play a very significant role in handling the post-pandemic situation. IT teams should also continue to explore advanced options like Software (or Blockchain) Defined Perimeter that will reduce dependencies on VPN.
Summary
Organizations across sectors in India have shown resiliency and agility, as they were quick to respond to the lockdown. However, the pandemic has increased the workload of CISOs and cyber teams, given that the threat landscape has changed significantly. Where the periods before and during the pandemic required IT teams to focus on employees connected either through the corporate network or, later, through VPN, the post-pandemic situation will require their focus on both kinds of traffic, as the employee base will be divided between work from home and work from office.
Another key aspect that was highlighted during our CISO engagements was the need for increased information sharing within organizations, as well as with Government agencies such as CERT-In.
Until vaccination for COVID-19 becomes a reality, organizations will have to focus on not just technical controls, but also administrative and physical controls such as thermal scanning and frequent building sanitization.
Acknowledgement
DSCI would like to extend its gratitude and thank the entire CISO community, who made these conversations enriching. Representation from various sectors – banking, insurance, healthcare, travel & tourism, oil & gas and public sector – over seven weeks ensured that the learnings could be adopted across sectors. These meetings also encouraged each CISO not only to share the best practices adopted in their respective organization, but also to answer specific questions raised by other CISOs.
Special mention
We would especially like to thank Mr. Kalpesh Shah, CISO, Cipla, and Mr. Manikant R. Singh, CISO, DMI Finance; this paper would not have been complete without their valuable inputs and the best practices they shared.