Hi,
Here are some suggestions I wanted to share with you regarding Work from Home (WFH) capabilities. I would first make sure the vendors that you're examining are providing services that are in scope – meaning those that require human activity (as opposed to system operations only). This will enable the right population of vendors to be examined.
Preliminary questions to consider:
- Inherent risk: First, make sure that people are involved (staff availability) and that people affect operations.
- BC Tests: WFH tests for VPN and virtual desktop that are involved in Business Continuity plans, and that test specifically for WFH.
- Contract clauses: Business Continuity should be specifically listed, but the WFH clauses may not be. However, the WFH functionality may be available. Contractually, a vendor may have Cyber risk captured in their provisions for Business Continuity (operational availability). This would encompass system availability. Look at the contract's BC language.
- Does a vendor have BC controls for validation?
Here are some thoughts regarding my approach to Vendor WFH oversight, specifically for Due Diligence and Ongoing Monitoring:
Policy
- Request a vendor's policy and program documentation regarding their WFH program.
Information Security
- Does a vendor have a WFH notification/escalation system for the employees if the system were to go down?
- Is there a formalized workaround process? These are helpful to ensure management has considered incidents like this off company premises.
Access Management
- Request documentation as evidence (screenshots, lists, flowcharts) of a vendor's implementation and ongoing monitoring of their WFH policies.
I hope you find this helpful, but I'd love to hear what other members are doing as well.