KPMG has released a check list for CIOs and CISOs to ensure their organisations function in a COVID-19 world.
Professional organisation KPMG believes concern over the scale and impact of the COVID-19 pandemic has led organisations to consider their response and the actions they need to take now to maintain their business operations.
Gordan Archibald national lead, Cyber Security Services, KPMG Australia stated in an online article CIOs and CISOs must ask whether their business can function effectively through remote working?
According to KPMG the CIO and CISO must ensure their business can work remotely and flexibly, and that employees are confident in being able to do so.
This may require them revisit decisions on access rights, entitlements, and risk posture. They would also need consider the following questions:
- Have you scaled your VPN concentrators, portals, and gateways to handle many colleagues who will need to work remotely?
- Have you considered the potential key suppliers, contractors, and vendors, who will have to access and the additional scale that will bring in?
- Have you tested the infrastructure to find out whether it can handle the expected loading?
- Are there single points of failure in the infrastructure, and can you provide additional resilience?
- Do you need to relax access controls or provide additional remote login accounts or credentials?
- Is there enough help desk capacity to handle any queries from users who are unable to login, or unfamiliar with remote working?
- Where employees require access to laptops for remote working, is there a pool of laptops available or can more be procured and installed to meet demand, and how should allocation be prioritised?
- In cases where the pool of equipment is limited, have you considered essential services and splitting access to them via alternative access solutions (e.g., O365 and One Drive vs. in-house applications)?
- Have you considered the ability to whitelist only specific applications during this period and block all non-essential services?
- Do you have limitations on video and audio teleconferencing bridges, and can you do anything to scale that infrastructure?
- Do you need to consider alternate cloud-based conferencing and teleworking solutions?
- Do all members of staff have the necessary access numbers/links to allow them to access the bridges, is training material readily available, should you establish a helpline?
- Can you remote your help desk operations if the help desk staff have to work from home?
They should also prepare simple guides to be distributed to staff on key help desk related queries:
- How do I login?
- How do I change my password?
- How do I access key services?
- How can I get help from the help desk?
- Who are my key contacts if I have a crisis?
CIOs and CISOs must also consider how restrictions on travel and the spread of the virus may lead to new patterns of demand, and higher traffic on digital channels.
Have they considered:
- As more customers and clients may expect to transact with organisations through digital channels, are they able scale those systems and services to deal with changing demand?
- How would you monitor loading and performance, and who can make the decisions to scale capacity, or create dynamic choices on prioritisation if capacity is an issue?
- Are you clear which services you may need to shed, or how customer journeys may need to alter if systems are overloaded?
- Are you dependent on key call centres, and if those call centres are closed or inaccessible, can customers and clients interact with you through other channels?
- Is there the option to allow call centre staff to work remotely, or to transfer their loads to another call centre location?
- Have you considered the interactions between call centres and service/help desks and the impact of any outsourcing arrangements?
- Have you discussed the arrangements with key suppliers of those services, and how will they prioritise your needs against those of other clients?
Have they also considered the following:
- Whether or not they are dependent on key IT personnel?
- What would happen if disruption to a data centre occurs?
- Are you able to scale your cloud capabilities?
- Are you dependent on specific suppliers?
- What would happen if there is a cyber incident?
- What would happen if there is an IT incident?
- Are you making the best use of your resources?
- Are you setting an example?
According to KPMG the CIO and CISO have vital roles in making sure an organisation can function as pandemic containment measures are implemented.
