Working from Home
Framework and Safeguards FAQs

What has VBP implemented to make arrangements for staff to Work from Home?

VBP has always had a Work from Home (WFH) Policy as part of our Information Security Management System (ISMS).
The ISMS framework requires that all staff, if WFH, should continue to adhere to Information Security policies and procedures.
To date, WFH had been restricted to support teams and management. Although the policies and standards were applicable to all staff, they had not been used for client-facing teams.
With the advent of the constraints, and with a view to the health and well-being of staff during the COVID-19 events commencing in February 2020, VBP activated a program to allow WFH capabilities across all staff.
The outcome is that, in most cases, the teams of our clients are now 100% operable working from home. However, there are some known constraints, including:
  • The risk profile and compliance requirements for some clients do not currently accommodate WFH capabilities. These are usual conditions that the team at VBP is working through with individual clients. Where possible, the staff do still work from the VBP offices.
  • The Philippines has a range of performance challenges inherent in the local 4G network. This has an impact on WFH as most hardware leverages pocket and home WiFi services rather than cable or fiber, although these are available in some locations. VBP is equipping staff with devices to offset access issues and particular infrastructure problems.
VBP continues to develop our WFH capabilities, always within the context of our ISMS framework to ensure the protection of data, and adherence to necessary policies and processes.

If you need more specific details about our ISMS Framework

For security reasons, we do not publish vendor details or all of the processes involved in our ISMS framework. We can arrange a discussion with you to go through specifics.

What if I don't want my VBP staff to work from home?

At the moment, the office is still open, as advised by the local government, with a reduction to 50% capacity as at 22 March 2020.

Is there a lockdown in Cebu?

The local government has implemented an enhanced community quarantine. The latest update, as at 22 March 2020, is that they have instructed businesses such as VBP to operate at 50% capacity in-office and 50% from home.

Information Security Management System Framework

What is an Information Security Management System?

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. 
It includes people, processes and IT systems, and requires the application of a risk management framework and processes.
Since the beginning of VBP, we have been committed to Information Security being an integral part of our business.
Over the past 6 years, we have stood by this commitment and have gone through numerous due diligence processes with various stakeholders and Information Security audits, as well as continuous development and expansion of our systems.
In 2018, we commenced the process of preparing the business for ISO 27001:2013 certification. ISO 27001 is a globally recognised international standard for information security management.
In 2019, VBP successfully went through the certification audit process and the information security management system is now ISO 27001:2013 certified.

Work From Home and Employees

What internet access do staff have working from home?

In the Philippines, internet connections for staff working from home are a mix of pocket or home WiFi devices that rely on the carrier networks, as well as DSL and fiber.

There can be significant discrepancies between the performance of these networks. The main constraint is often the 4G network and its inherent lags. There are sometimes black spots, and also areas where services become very congested at certain times of day.

We see a range of upload and download performance speeds from <0.5mbs upwards to 30mbs. 

Other challenges include power outages, localised and regional, that can be the result of system maintenance, breakdown or natural disasters. In many locations there is generator backup, and the power consumption of our hardware is relatively low compared to other devices (air conditioning and the like), so it can readily run on generator power.

What computer are staff using to work from home?

All WFH staff use the VBP-issued work computer. In the case of client staff, this is a NUC device, monitor, keyboard, headset, and mouse.

Some staff have work-issued laptops, though these are management and support services.

This ensures that the equipment remains protected by the same security controls that apply at the office, including encryption and endpoint protection.

Can staff use personal internet infrastructure?

Where our staff are utilising personal internet infrastructure, such as a home fiber connection, we are reimbursing them for any expenses, both for the setup of the WFH capability and for any ongoing internet access costs.

Are staff members' activity still being monitored?

Yes, the monitoring software that we use is still active. It captures details of all websites visited, screenshots, login and logout times, and so on.

This monitoring software cannot be stopped or logged out of without administrator access.

How does the staff member get support from their Client Service Manager or Team Lead?

Managers are checking in with their teams at least three times per day (morning, middle of the day and afternoon) to check on any support they may need.

What if the internet access is too slow?

There are a number of avenues that VBP has been exploring when the WFH setup is unable to secure sufficient operating speeds.

First, we are speed testing to determine where we need to enhance the pocket WiFi, tethered smartphone or at-home WiFi device.

In some instances, the issue is the inherent latency on the cellular 4G network, and the solution is to amend the time of day when the employee uses the network or, where possible, to reallocate tasks amongst team members, for example to lower-bandwidth activities, i.e. not using VOIP.

The office is still open and if a suitable internet connection is not available to work from home, then the staff member can still report to the office.

Secondly, the VBP office remains operational and open to staff for whom WFH is not possible due to client policy constraints, or where connectivity is insufficient. Our office has >500mbs connectivity and, as existing clients have experienced, connection issues are rare.

How does the staff member access files we need them to work on?

All staff access files in the same way they do when operating from the VBP office.

The access control procedure is still in place for all files and data: access rights determine the level of access needed and the type of restrictions required. These are managed via assessment of roles and responsibilities, client requirements and the necessities of specific tasks.

How do we provide IT support to staff members working from home?

Our staff can submit a support request via email to our dedicated IT support staff. The support team can still remotely access the staff member’s computer to diagnose and fix problems.

We sometimes use remote access for support staff in the VBP office as our premises are in the same building but over two separate floors and this is an efficient way to resolve problems.

Work From Home
Security and Data Protection

How do you ensure staff remain alert and attentive to Information Security as there may be more spam email (e.g. phishing attempts) at this time?

As part of our Information Security Management System, we provide ongoing security training and awareness courses. We will be rolling out a refresher to all staff to ensure that they remain alert and attentive to information security policies and procedures.

How is data encrypted on the staff member's computer?

VBP uses a security feature to encrypt hard drives, so that files on them cannot be accessed without the encryption being unlocked. This ensures the integrity of the system and secures data on desktop (NUC) and laptop computers.

The encryption requires staff to enter two passwords when they log in to their computer.

What if a staff member’s computer was stolen?

If a desktop (NUC) or laptop were stolen, the equipment is protected by hard drive encryption so that neither the drive nor any data on it can be accessed.

The only thing that the thief could do is reformat the hard drive and in so doing erase anything that was on it. The client data would be gone other than the backups on VBP servers.

How do you manage passwords working from home?

VBP uses the same password management software when staff are WFH as we do when staff are in the office.

Further, there is a personal dashboard for the deployment and management of passwords. All sensitive information stored in the password manager is encrypted to ensure complete security, and the software provides strong password generation for web and software applications.

For all accounts, passwords must meet the IT security requirements stated under VBP’s password management policy.

Do you have a documented procedure for backing up data while employees are WFH?

VBP has an established backup and restoration procedure. This is to minimise the risks associated with data loss by defining a backup regime for all centralized VBP data services. This will ensure the safety and security of IT system resources and supporting assets.

Different backup methods are used for different data, depending on the source of the data and the importance of the information. Backups are performed by IT on an established schedule outlined in the procedure.

We test backups to ensure they are recoverable, not to review all the information contained in the backup. Backups are recoverable for the past 7 days.

VBP’s backup and restoration are completed by a commissioned technology supplier and stored in a different location from VBP’s office.

Is the staff member's computer still protected against virus, malware or other attacks?

Yes, all VBP-issued desktops (NUC) and laptops are equipped with the same antivirus / endpoint / firewall protection software as when the team is in the office.

Can staff members access the USB ports when they are WFH?

No, these are still disabled, just the same as they are when the staff are working from the office.

Are there procedures governing the printing of documents containing personal information?

To print, staff would require drivers to be installed, which also requires administrator access. So unless authorised, printing is not possible.

Can staff members install any software they want onto their computer while working from home?

No, software installation requires an administrator password, just the same as while at the office. 

Software installation still follows the existing procedure and should undergo an approval and testing process.

Can staff members use web based applications via their computer while working from home?

No, use of any web-based application that has not been formally requested, tested and approved is not allowed. URL tracking and screenshots flag any variances.

Are there any Physical Security controls in place?

The physical security for staff who are WFH is, as can be expected, different to that of the VBP office.

While we do not have physical security controls in the homes of employees as we do in the office (biometrics, CCTV, etc.), we nonetheless have protections in terms of:

  • Theft – If a computer were to be stolen, for example, this is a financial risk that is borne by VBP.
  • Data – If a device were stolen or a third party sought to access it, we have encryption in place so the data is protected and could not be accessed.

In addition, we are directing employees to follow SOPs on how to protect data at work while they are WFH. This is stated in the Work From Home Policy.

Is there a Work From Home Security Matrix available that illustrates the extension of Policy and Security measures to the Work From Home setup?

Yes, the Work From Home Security Matrix is available upon request to VBP.

Work From Home and Managing Change

How are changes being handled by the organisation?

Changes in the organisation shall be identified based on the needs of the business. Whenever there is a need for a change, a change owner shall be appointed. Those affected by the change shall be identified, recorded and notified of the proposed change by the change owner. Any changes within the organisation shall undergo a review and approval process.

Do you conduct a risk assessment prior to conducting a change within the organisation?

Yes, the change owner shall ensure that a risk assessment is conducted considering the nature, timescale, and scope of the change.

The risk assessment shall consider the impact of the change before, during and after the change and include consideration of the potential for:

  • Effects on, or stoppage of, operations
  • Damage to equipment
  • Loss of data/information
  • Adverse effects on the process being changed, any upstream and downstream processes and any supporting processes.

Consideration is given to the technical merits of undertaking the change. Where appropriate, the change owner shall ensure the proposed change is reviewed and approved by IT from a technical perspective.

Is education/training given to provide staff with an awareness of information security? How often is this education given? Is the training targeted to specific audiences?

VBP provides ongoing education about information security to all employees. 

New employees are required to finish information security training upon starting. They need to complete and pass our online learning management system courses on privacy and information security. During new hire induction, their immediate head walks them through and explains the company policies relating to privacy and information security.

Tenured employees are enrolled in an online course at least annually. In addition, frequent information security reminders are cascaded via email monthly.

All employees are completing updated ISMS training as part of WFH deployment in March 2020.