Group items tagged

An even greater number, 66 percent, would be prepared to work for lower pay if a job offered more flexibility, at least when compared with a better-paid job without such flexibility. Businesses are uncertain about the move to home working, mainly because of security. According to the Cisco survey, they should also factor in some of the advantages. Almost half of those employees who do work from home reckon they put in between two and three extra work hours per day as a result.

Employees' dislike of offices is nothing new but what has changed is that it is now technically possible to make an employee productive without asking them to travel to a building every day.

It seems just as likely that the death of the office, predicted many times in the last 40 years, might be as much about the changing economics of work than any desire of employees to escape to the back room and the VPN.

Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?

Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?

What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?

There’s no point investing in and implementing an ethics and compliance program unless the time is spent integrating the program into every aspect of an organization. The need for companies to develop effective ethics and compliance programs has been acknowledged by several government agencies- examples are the SEC in the US and the government in the United Kingdom. Both groups have recently passed legislation or made amendments to existing guidelines, focusing heavily on the importance of ethics and compliance at all levels of an organization- especially at the top.

Employees at each level contribute to the success of a company’s ethics and compliance program. Integrating ethics and compliance at each level helps ensure the message from the top makes it all the way down to the lower levels of the organization. Training, messages and other ethics and compliance initiatives must be developed to evolve with employees as they move through the company. That being said, employees at various levels need to be prepared to address different ethical issues they may encounter based on the role they play in the organization.

Integrating Ethics in the Middle  In many companies, employees report that the middle level is where ethics and compliance commitments break down. Since many of the lower level employees report directly to those in the middle, a commitment to ethics and compliance from middle managers is equally as important as it is at the top.