Remote work & technology

As with all credit union processes, a written policy establishing a set of guidelines for the safe and productive digital work by employees should be written and board approved. It should include requirements for users. These policies should be rigid in their expectations, but fluid and customizable as the needs of your credit union change.

The laws and regulations affecting remote employees of the state in which the employee has set up their remote office must be followed as opposed to the laws and regulations of the state where the credit union is located.

In order to accommodate employees in remote work settings, not everyone has properly maintained an accurate record of the items provided for remote use. Unfortunately, some items may have left without proper authorization, not been accounted for despite offices reopening, or returned damaged.

Remote workers should be provided with all the equipment needed to do their jobs. Your policy should state that equipment needed will be offered to remote workers. If you choose not to offer equipment to your remote employees, be sure that is clearly outlined.

Employees who have not received authorization in writing from credit union management and who have not provided written consent should not be permitted to remove equipment and supplies. Failure to follow any established policies and reporting protocols should result in disciplinary action, up to and including termination of employment.

An asset tagging system, especially for expensive items, makes it easy for you to keep track of assets. It’s imperative to know where assets are located, how they are being used, and whether there have been changes made to them.

Require anyone who uses their computer on home networks to use a Virtual Private Network (VPN). In addition, you should set classification levels for data based on data confidentiality and criticality levels and define acceptable use of data by your employees. Common data levels include:

• Public data = available to anyone
• Limited access = available to special groups
• Restricted = controlled by compliance or legal mandates

Multi-factor authentication or out-of-band authentication typically leverages the use of one-time-passcodes (OTPs) or tokens and can be used to authenticate employees attempting to sign into the host system.

Transmitting one-time passcodes via email is best to be avoided due to email’s inherent risks (i.e., email accounts can be hacked). In addition, transmitting OTPs via SMS text message can be defeated if an employee's mobile phone is fraudulently ported to a new carrier. Carefully assess these risks when considering out-of-band authentication method.

Monitoring should be proportionate to legitimate business needs. Poorly adopted flexible work plans can lead to increased risk around employment practices and management controls. Always tell employees about any new or increased monitoring measures and the reasons behind monitoring to avoid violating the law. Consider updating your privacy policy and don’t begin monitoring without first letting employees know in writing that you are monitoring.

You may also consider restricting access involving applications for social media browsing, replacement email applications, VPNs or another remote-access software type. You may consider the use of technology for preventing downloads of questionable apps and copyright protected media.