Working from Home
Framework and Safeguards FAQs

What has VBP implemented to make arrangements for staff to Work from Home?

 VBP has always had a Work from Home Policy (WFH) as part of our Information Security Management System.
The ISMS framework requires that all staff, if WFH, should continue to adhere to Information Security policies and procedures.
To date, WFH had been restricted to support teams and management. Although the policies and standards were applicable to all staff, they had not been used for client-facing teams.
In response to the constraints of the COVID-19 events commencing in February 2020, and with a view to the health and well-being of staff, VBP activated a program to allow WFH capabilities across all staff.
  • The outcome is that, in most cases, the teams of our clients are now 100% operable working from home. However, there are some known constraints, including the risk profile and compliance requirements of some clients, which do not currently accommodate WFH capabilities. These are usual conditions that the team at VBP is working through with individual clients. Where possible, the staff do still work from the VBP offices.
  • The Philippines has a range of performance challenges inherent in the local 4G network. This has an impact on WFH as most hardware leverages pocket and home WiFi services rather than cable or fiber, although these are available in some locations. VBP is equipping staff with devices to offset access issues and particular infrastructure problems.
VBP continues to develop our WFH capabilities, always within the context of our ISMS framework to ensure the protection of data, and adherence to necessary policies and processes.

If you need more specific details about our ISMS Framework

We do not publish vendor details or all of the processes involved in our ISMS framework for security reasons. We can arrange a discussion with you to cover specifics.

What if I don't want my VBP staff to work from home?

At the moment, the office is still open, as advised by the local government, operating at a reduced capacity of 50% as at 22 March 2020.

Is there a lockdown in Cebu?

The local government has implemented an enhanced community quarantine.  The latest update as at 22 March 2020 is that they have instructed businesses such as VBP to operate at 50% capacity in-office, and 50% from home.

Information Security Management System Framework

What is an Information Security Management System?

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. 
It includes people, processes and IT systems, and requires the application of a risk management framework and processes.
Since the beginning of VBP, we made a commitment to Information Security being an integral part of our business.
Over the past 6 years, we have stood by this commitment and have gone through numerous due diligence processes with various stakeholders and Information Security audits, as well as continuous development and expansion of our systems.
In 2018, we commenced the process of preparing the business for ISO 27001:2013 certification. ISO 27001 is a globally recognised international standard for information security management.
In 2019, VBP successfully went through the certification audit process and the information security management system is now ISO 27001:2013 certified.

Work From Home and Employees

What internet access do staff have working from home?

In the Philippines, internet connections for staff working from home are a mix of pocket or home WiFi devices that rely on the carrier networks, as well as DSL and fiber.

There can be significant discrepancies between the performance of these networks; the main constraint is often the 4G network and its inherent lags. There are sometimes black spots and also areas where services become very congested at certain times of day.

We see a range of upload and download performance speeds from <0.5mbs upwards to 30mbs. 

Other challenges include power outages, localised and regional, that can be the result of system maintenance, breakdown or natural disasters. In many locations, there is generator back up and the power consumption of our hardware is relatively low compared to other devices (air conditioning and the like) so is readily able to be used on generator power.

What computer are staff using to work from home?

All WFH staff use the VBP-issued work computer. In the case of client staff, this is a NUC device, monitor, keyboard, headset, and mouse.

Some staff have work-issued laptops; these, though, are management and support services staff.

This ensures that the equipment remains protected by the same security controls as at the office, including encryption and endpoint protection.

Can staff use personal internet infrastructure?

Where our staff are utilising personal internet infrastructure, such as a home fiber connection, we are reimbursing them for any expenses, both for the set up of the WFH capability and for any ongoing internet access costs.

Are staff members' activity still being monitored?

Yes, the monitoring software that we use is still active. It captures details of all websites visited, screenshots, login and logout times and so on.

This monitoring software cannot be stopped or logged out without the administrator’s access.

How does the staff member get support from their Client Service Manager or Team Lead?

Managers are checking in with their teams at least three times per day, morning, middle of the day and afternoon to check on any support they may need.

What if the internet access is too slow?

There are a number of avenues that VBP has been exploring when the WFH set up is unable to secure sufficient operating speeds. 

First, we are speed testing to determine where we need to enhance the pocket WiFi, tethered smartphone or home WiFi device.

In some instances, the issue is the inherent latency on the cellular 4G network and the solution is to amend the time of day when the employee uses the network or, where possible, to reallocate tasks amongst team members, for example to lower bandwidth activities, i.e. not using VOIP.

The office is still open and if a suitable internet connection is not available to work from home, then the staff member can still report to the office.

Secondly, the VBP office remains operational and open to staff for whom WFH is not possible due to client policy constraints, or where connectivity is insufficient. Our office has >500mbs connectivity and, as existing clients have experienced, connection issues are rare.

How does the staff member access files we need them to work on?

All staff access files in the same way they do when operating from the VBP office.

The access control procedure is still in place for all files and data, with access rights determining the level of access needed and the type of restrictions required. These are managed via assessment of roles and responsibilities, client requirements and the necessities of specific tasks.

How do we provide IT support to staff members working from home?

Our staff can submit a support request via an email to our dedicated IT support staff. The support team can still remotely access the staff member’s computer to diagnose and fix problems.

We sometimes use remote access for support staff in the VBP office as our premises are in the same building but over two separate floors and this is an efficient way to resolve problems.

Work From Home
Security and Data Protection

How do you ensure staff remain alert and attentive to Information Security as there may be more spam email (e.g. phishing attempts) at this time?

As part of our Information Security Management System, we provide ongoing security training and awareness courses. We will be rolling out a refresher to all staff to ensure that they remain alert and attentive to information security policies and procedures.

How is data encrypted on the staff member's computer?

VBP uses a security feature to encrypt hard drives, and any files on them cannot be accessed without unlocking the encryption. This ensures the integrity of the system and secures data on desktop (NUC) and laptop computers.

The encryption requires the staff to input two passwords when they log in to their computer.

What if a staff member’s computer was stolen?

If a desktop (NUC) or laptop was stolen, the equipment is protected by hard drive encryption so that neither the drive nor any data on it can be accessed. 

The only thing that the thief could do is reformat the hard drive and in so doing erase anything that was on it. The client data would be gone other than the backups on VBP servers.

How do you manage passwords working from home?

VBP uses the same password management software when staff are WFH as we do when the staff are in the office.

Further, there is a personal dashboard for the deployment and management of passwords. All sensitive information stored in the password manager is encrypted to ensure complete security and strong password generation for web and software applications.

For all accounts, a password shall need to meet the IT security requirements stated under VBP’s password management policy.

Do you have a documented procedure for backing up data while employees are WFH?

VBP has an established backup and restoration procedure. This is to minimise the risks associated with data loss by defining a backup regime for all centralized VBP data services. This will ensure the safety and security of IT system resources and supporting assets. 

Different backup methods are used for different data, depending on the source of the data and the information’s importance. Backups are performed by IT on an established schedule, as outlined in the procedure.

We test backups to ensure they are recoverable, not to review all information contained in the backup. Backups are recoverable for the past 7 days.

VBP’s backup and restoration are completed by a commissioned technology supplier and stored in a different location from VBP’s office.

Is the staff member's computer still protected against virus, malware or other attacks?

Yes, all VBP-issued desktops (NUC) and laptops are equipped with the same antivirus / endpoint / firewall protection software as when the team is in the office.

Can staff members access the USB ports when they are WFH?

No, these are still disabled, just the same as they are when the staff are working from the office.

Are there procedures governing the printing of documents containing personal information?

To print, staff would require drivers to be installed, which also requires administrator access. So unless authorised, printing is not possible.

Can staff members install any software they want onto their computer while working from home?

No, software installation requires an administrator password, just the same as while at the office. 

Software installation still follows the existing procedure and should undergo an approval and testing process.

Can staff members use web based applications via their computer while working from home?

No, use of any web based application that has not been formally requested, tested and approved is not allowed. URL tracking and screenshots flag any variances.

Are there any Physical Security controls in place?

The physical security for staff who are WFH is, as can be expected, different to the VBP office. 

While we do not have physical security controls in the homes of employees as we do in the office (biometrics, CCTV, etc.), we nonetheless have protections in terms of:

  • Theft – If a computer were to be stolen, for example, this is a financial risk that is borne by VBP.
  • Data – If a device was stolen or a third party sought to access it, we have encryption in place so the data is protected and could not be accessed.

In addition, we are directing employees to follow SOPs on how to protect data at work while they are WFH. This is stated in the Work From Home Policy.

Work From Home and Managing Change

How are changes being handled by the organisation?

Changes in the organisation shall be identified based on the needs of the business. Whenever there is a need for a change, a change owner shall be appointed. Those affected by the change shall be identified, recorded and notified of the proposed change by the change owner. Any changes within the organisation shall undergo a review and approval process.

Do you conduct a risk assessment prior to conducting a change within the organisation?

Yes, the change owner shall ensure that a risk assessment is conducted considering the nature, timescale, and scope of the change.

The risk assessment shall consider the impact of the change before, during and after the change and include consideration of the potential for:

  • Effects on or stoppage of operations
  • Damage to equipment
  • Loss of data or information
  • Adverse effects to the process being changed, any upstream and downstream processes and any supporting processes.

Consideration is given to the technical merits of undertaking the change. Where appropriate, the change owner shall ensure the proposed change is reviewed and approved by IT from a technical perspective.

Is education/training given to provide staff with an awareness of information security? How often is this education given? Is the training targeted to specific audiences?

VBP provides ongoing education about information security to all employees. 

New employees are required to finish information security training upon starting. They need to complete and pass our online learning management systems courses on privacy and information security. During new hire induction, their immediate head walks them through and explains the company policies relating to privacy and information security. 

Tenured employees are enrolled in an online course at least annually. In addition, frequent information security reminders are cascaded via email monthly.

All employees are completing updated ISMS training as part of WFH deployment in March 2020.

Work From Home – Security Matrix

Columns: Security Measure, Policy, Applied on Site, Can We Apply this Remotely, Remarks, Risks, General, VBP Risk Assessment. Fields with no entry for a measure are omitted.

Lastpass / Password Management
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-005 Cryptographic Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes (without IP restriction)
  • Remarks: We can do it remotely (without IP restriction)
  • Risks: Unrestricting the IP address would mean an employee can open their Lastpass account wherever they wanted, for example at a cafe where the network is not secured
  • General: Is there any way to ping their IP address at home and do a random audit of access in Lastpass to ensure the same address? If using a NUC, it would be hard to transport to a coffee shop
  • VBP Risk Assessment: Low level risk

Bitlocker for Files, Workstation, Database and Server
  • Policy: VBP-PRO-005 Cryptographic Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes (provided using VBP workstation or laptop)
  • Remarks: Provided they are using their workstation, i.e. NUC, or laptop, Bitlocker will still be applied
  • Risks: NUC or laptop could be stolen; however, without the password, the files will not be accessible due to encryption
  • VBP Risk Assessment: Low level risk

Firewall for Network System and Security of network services / Segregation in networks
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-005 Cryptographic Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: No
  • Remarks: Only applicable to office network
  • Risks: There is no restriction on sites the employee can access; there is less protection against malware, bloatware and the computer being hacked

Endpoint Protection (Anti Virus)
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-005 Cryptographic Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes (provided using VBP workstation or laptop)
  • Remarks: Provided they are using their workstation, i.e. NUC, or laptop, Endpoint Protection will be applied
  • Risks: Not applicable, the same Endpoint Protection will be in place
  • VBP Risk Assessment: N/A

Computer Activity Monitoring
  • Policy: VBP-POL-001 ISMS Policy (REV 1); VBP-PRO-013 Incident Response and Investigation Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes (provided using VBP workstation or laptop)
  • Remarks: Activity will still be monitored and recorded if using their workstation, i.e. NUC or laptop
  • Risks: Not applicable, the same activity monitoring will be in place
  • VBP Risk Assessment: N/A

Teleworking Policy
  • Policy: VBP-POL-001 ISMS Policy (REV 1); VBP-POL-002 Teleworking Policy (REV 0)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes
  • Remarks: This policy encompasses the use of all VBP IT equipment, including but not limited to, computer systems, software, network equipment, VOIP, electronic storage of a Teleworking employee (remote)
  • Risks: Less control of employees on the adherence of the policies than if they are onsite in the office
  • General: Main issue is slow internet speed and lower productivity as not being supervised
  • VBP Risk Assessment: Low risk

Information Classification (including encryption of files attached to emails)
  • Policy: VBP-PRO-007 Information Classification and Asset Handling Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes
  • Remarks: This policy can still be followed
  • Risks: Files attached to emails containing confidential details can still be encrypted
  • VBP Risk Assessment: N/A

Management of Removable Media
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-005 Cryptographic Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes
  • Remarks: Our Endpoint Protection will ensure this is still in place
  • Risks: Some employees got the access to flash drive. Marketing Department for them to access the backup drive

Access Control
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-003 Access Control Procedure (REV 1)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes
  • Remarks: If using NUC or laptop and logging in via terminal server, same access control and permissions will apply
  • Risks: Not applicable, same controls will apply
  • VBP Risk Assessment: N/A

Clear Desk and Clear Screen Policy
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-003 Access Control Procedure (REV 1)
  • Applied on Site: Yes
  • Can We Apply this Remotely: No
  • Remarks: The Clear Desk and Clear Screen Policy applies; however, we cannot practically control or audit this
  • Risks: We cannot control/check the employees from time to time
  • General: Need to get a statement from staff that they will operate in an area where they can limit the viewing of screens (maybe take a photo) and ensure they understand the importance
  • VBP Risk Assessment: Medium level risk

Restrictions on Software Installation
  • Policy: VBP-PLN-001 ISMS Plan (REV 1); VBP-PRO-012 Software and Hardware Request Procedure (REV 2)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes
  • Remarks: Nothing can be installed without Administrator login
  • VBP Risk Assessment: N/A

IT Remote Support
  • Policy: VBP-PRO-003 Access Control Procedure (REV 1); VBP-PRO-001 Teleworking Procedure (REV 1); BP-POL-002 Teleworking Policy (REV 0)
  • Applied on Site: Yes
  • Can We Apply this Remotely: Yes
  • Remarks: Employees will still have access to remote support working from home
  • Risks: Unauthorized use of remote applications.
  • General: This depends on the internet connection of the employee at home.
  • VBP Risk Assessment: Medium Risk Level

Physical Security
  • Policy: VBP-PLN-001 ISMS Plan (REV 1)
  • Applied on Site: Yes
  • Can We Apply this Remotely: No
  • Remarks: We cannot control Physical Security outside the office
  • Risks: We can't control who has access to the employee's computer they are working from
  • General: Would require staff to breach VBP policies of sharing passwords
  • VBP Risk Assessment: Medium Risk Level