Remote Work Policy

Last modified on Thursday, April 25, 2023

Purpose

The purpose of this policy is to establish the rules and conditions under which short and long-term telecommuting may occur in order to maintain acceptable practices regarding the use and protection of Lazar & Company LLC and or the Principal client’s Information Resources.

Audience

The Remote Work Policy applies to any individual connecting remotely to Lazar & Company LLC and or the Principal client’s information resources.

Policy

General Requirements

  • Personnel must be approved by their manager and IT prior to remote access or teleworking. Under no circumstance is a person permitted to work remotely without prior permission.

  • Personnel are responsible for complying with Lazar & Company LLC and or the Principal client’s policies. If requirements or responsibilities are unclear, please seek assistance from Lazar & Company LLC and or the Principal client.

  • All inventions, intellectual property, and proprietary information, including reports, drawings, blueprints, software codes, computer programs, data, writings, and technical information, developed on are the property of Lazar & Company LLC and or the Principal client.

  • The team member is responsible to ensure that non-employees do not access Lazar & Company LLC and or the Principal client’s data, including in print or electronic form.

  • The team member will be required to maintain a regular schedule. All hours of work must be recorded using Clockify. Overtime and time off must have advance approval from Lazar & Company LLC and or the Principal client.

Internet Connection

  • Personnel must not connect to an unsecured Wi-Fi network.

  • Wi-Fi connections must be secured with strong encryption (WPA2) or better. The use of WPA or WAP is not allowed.

  • The use of split-tunnel VPN is prohibited.

  • For long-term or home office networks:

    • A high-speed Internet connection is required. Personnel will provide the Internet service at their own expense. The internet connection must be of sufficient bandwidth to allow the team member to efficiently perform their regular job functions.

    • Wireless networks must be secured with a strong password consisting of 16 or more characters.

Equipment

  • Computing devices must be secured:

    • Active and up-to-date antivirus software

    • Active local firewall

    • Full-disk encryption

    • Automatic screen lock

  • Personnel are responsible for regularly rebooting their device in order to allow software patches and updates to be installed.

Printing

  • The printing of any non-public information must be preapproved by the Information Owner.

  • The printing of any non-public information to a public printer is prohibited.

  • Personnel must be preapproved by IT Technology and their manager for printing at a remote location. Personnel approved to print must have (or be supplied with) a shredder.

  • All non-public information must be secured when not in use and shredded when no longer needed in accordance with Lazar & Company LLC and or the Principal client’s policies.

  • The printing of Confidential information at a remote location is not permitted.

Telephone

  • When other people are present in the remote work location, a headset or wireless earbuds must be used to safeguard the conversation.

Office Requirements

  • The use of personal video surveillance on home entrances and exits is encouraged.

Definitions

Cloud Computing Application: Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. Common examples of cloud computing applications are Microsoft Office 365, Dropbox, Facebook, Google Drive, Salesforce, and Box.com.

Confidential Information: Confidential Information is information protected by statutes, regulations, Lazar & Company LLC, and or the Principal client’s policies or contractual language. Information Owners may also designate Information as Confidential. Confidential Information is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only. Disclosure to parties outside of Lazar & Company LLC and or the Principal client must be authorized by executive management and approved by the Principal Client and/or General Counsel or covered by a binding confidentiality agreement.

Examples of Confidential Information include:

  • Customer data shared and/or collected during the course of a consulting engagement

  • Financial information, including credit card and account numbers

  • Social Security Numbers

  • Personnel and/or payroll records

  • Any Information identified by government regulation to be treated as confidential or sealed by order of a court of competent jurisdiction

  • Any Information belonging to a customer that may contain personally identifiable information

  • Patent information

Critical Vendor: a vendor with a specialized skillset, mandatory safety certification, or proprietary product whose discontinuation of service would have a significant negative impact on the company’s operations.

Impact: The extent of the damages resulting from an adverse event (i.e. realized threat) affecting Company Information Resources.

Incident: A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with Information Resources or operations; or a significant violation of policy.

An incident may have one or more of the following characteristics:

  1. Violation of an explicit or implied security policy

  2. Attempts to gain unauthorized access to an Information Resource

  3. Denial of service to an Information Resource

  4. Unauthorized use of Information Resources

  5. Unauthorized modification of information

  6. Loss of Confidential or Protected information

Information Resource: An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Information can be stored in many forms, including hardware assets (e.g. workstation, server, laptop) digital form (e.g. data files stored on electronic or optical media), material form (e.g. paper), as well as unrepresented information in the form of knowledge of the employees. Information may be transmitted by various means including courier, electronic or verbal communication. Whatever form information takes or the means by which the information is transmitted, it always needs appropriate protection.

Information Resource Custodian: the person, department, or entity responsible for supporting and implementing controls over Information Resources.

Information Resource Owner: the person, department, or entity responsible for classifying and approving access to an Information Resource.

Information Security: the practice of protecting information by mitigating risks to the confidentiality, integrity, and availability of information by means of administrative, physical, and technical security controls.

Internal Information: Internal Information is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage, or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Information is information that is restricted to personnel designated by Lazar & Company and or the client, who have a legitimate business purpose for accessing such Information.

Examples of Internal Information include:

  • Employment Information

  • Business partner information where no more restrictive confidentiality agreement exists

  • Internal directories and organization charts

  • Planning documents

Jail Breaking: (also known as ‘rooting’) the process of modifying a mobile device to remove restrictions imposed by the manufacturer or operator, e.g. to allow the installation of unauthorized software.

Least Privilege: in a computing environment, requires that every module (such as a process, user, or program) be restricted to access only the information and resources that are necessary for its intended purpose.

Likelihood: the chance of something happening. With respect to information security, the chance of a threat or negative impact happening.

Mitigating Control: Existing or potential controls to be implemented to reduce the impact or likelihood of the risk from occurring.

Mobile Device: Computing devices that are intended to be easily moved and/or carried for the convenience of the user and to enable computing tasks without respect to location. Mobile devices include but are not necessarily limited to mobile phones, smartphones, tablets, and laptops.

Mobile Device Management (MDM): security software used by the organization to monitor, manage, and secure mobile devices.

Multi-factor authentication: an authentication control requiring the use of two or more pieces of evidence to an authentication mechanism.  This evidence generally consists of something you know (knowledge), something you have (possession), and or something you are (inherence). Examples include a physical security key, digital security certificate, security token, fingerprint, or possession of a mobile device.

Need to Know: a term used to describe the restriction of data or systems which are considered very sensitive. “Need to know” is used to describe the requirement that a person has a legitimate purpose for accessing data or systems regardless of their clearance level or access permissions.

Overwrite: see Secure Erase.

Penetration Test: A highly manual process that simulates a real-world attack situation with the goal of identifying how far an attacker would be able to penetrate into an environment.

Personally Identifiable Information (PII): Any information that when used alone or with other relevant data can identify an individual. For example full name, social security number, driver’s license number, passport number, and bank account number.

Personally owned:  Systems and devices that were not purchased and are not owned by Lazar & Company LLC and or the Principal client.

Protected Health Information (PHI): health information in any form, including physical records, electronic records, or spoken information which includes identifiers allowing it to be linked to a specific individual.

Public Information: Public Information is information that may or must be open to the general public.  It is defined as information with no existing local, national, or international legal restrictions on access or usage.  Public Information, while subject to Lazar & Company LLC and or the Principal client disclosure rules.

Examples of Public Information include:

  • Publicly posted press releases

  • Publicly available marketing materials

  • Publicly posted job announcements

Remote wipe: a security feature that allows a network administrator or device owner to send a command that deletes some or all data located on a computing device without having possession of it.

Removable media: Portable devices that can be used to copy, save, store, and/or move Information from one system to another. Removable media comes in various forms that include, but are not limited to, USB drives, flash drives, read/write CDs and DVDs, memory cards, external hard drives, and mobile phone storage.

Residual Risk: risks or risk levels remaining after mitigating controls have been accounted for.

Risk: the likelihood and resulting impact of an adverse (harmful) event.  Risk is sometimes noted as the Likelihood x Impact of an adverse event. A higher Risk Level indicates a higher potential likelihood and impact on the organization. A lower Risk Level indicates a lower likelihood and impact.

Risk Assessment: a method of identifying and evaluating risks to the organization. A risk assessment typically identifies the applicable threats and vulnerabilities that exist (or could exist), compared with existing controls, to determine the potential likelihood and impact of an adverse event.

Secure Erase: more commonly referred to as a “wipe”, is a way to overwrite all existing data on a media device with at least one set of binary zeroes ( 0 ) or ones ( 1 ) so the data cannot be read.

Security Awareness: the knowledge and perception members of an organization possess regarding the protection of the physical and informational assets of that organization.

Security Controls: (also known as “Mitigating Controls”) safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Signature Card: a document that a service provider keeps on file with the identity and/or signatures of all the authorized people on that account.

Technical Controls: See Security Controls.

Threat: any circumstance or event with the potential to cause harm to an Information Resource or the organization. Common threat sources can be natural, human, or environmental.

Two-factor Authentication: a type, or subset, of multi-factor authentication. See the definition above.

Vulnerability: a flaw or weakness that could be exploited or triggered by a potential threat.

Vulnerability Scan: an automated tool run against external and internal network devices and servers, designed to expose potential vulnerabilities that could be found and exploited by malicious individuals.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of the contract(s), and related civil or criminal penalties.