COVID-19- WFH- Security Issues

iluom · ‎04-01-2020

Hi all,

Hope most of you WFH and are safe and secure.

Here is a question to get some opinions.

for COVID-19 emergency there could be a situation where some changes requested for Agent Desktops to allow Member Service Agents to work from home.

The changes allows the identity to be confirmed without the caller speaking their SSN, DOB, etc... and without the agent being able to view the callers SSN, DOB, etc..

I think one of them is OTP. The way the change works involves new APIs that create a 10 digit 1 time password that the caller tells the agent over the phone to confirm the identity

any better way of doing it with 2F authentication

any suggestions /opinions

Thanks

Chandra Mouli, CISSP, CCSP, CSSLP

denbesten · ‎04-04-2020

I think you first need to ask yourselves why the agent working from home is raising new PII concerns. Identifying the underlying reason for concern will help you identify the appropriate mitigation.

If you do not trust your agent to have PII access in the first place, you need to consider measures like you are suggesting even when they are in the office.

If you do not trust the house, you need to figure out how to enhance that trust (e.g. send corporate laptops home; use VDI solutions; enable MFA on your corporate mobile-VPN solution; provide corporate network assets; purchase home shredders, etc.).

If you can not trust agents to work with less supervision, it is time for staffing changes.

PII protection is also a concern of risk management, public relations and legal departments. You might consult with them regarding the appropriate protective levels for your organization.