I have been thinking about whether there are are any risks unique toremote facilities when it comes to a company's IT security design. This could be locations in different cities, near-shoring, off-shoring,etc.

From the article Bad Communication Can Create Risk, the author lists four risks mitigated by effective communication:

• Increased employee resignations
• Decreased employee productivity
• Overt employee subversion
• Inability to achieve company goals

From an IT security perspective, I will add:

• Back doors
• Data leakage
• Malicious behavior (unintentional or otherwise)

The knowledge of being observed is itself a deterrent to bad behavior.  There is the Observer (or Hawthorne) effect,which "refers to changes that the act of observing will make on thephenomenon being observed."  Distance or separation from the companycould reduce efficacy of this control, and may embolden a subversivecontractor or employee.

Also, with a lack of proximity to the end users, you have no choice butto make assumptions to fill in the gaps during the requirementsgathering phase.  Like in Jurassic Park where the  geneticists filledgaps in the DNA with frog DNA:  we know how that turned out.  If thedesign proceeds on incomplete information, mistakes will undoubtedly bemade.  Architectural and security decisions should not be based on whatis "believed" to be the environment and usage behavior of a distantlocation.  The risk is that you may proceed with a false sense ofsecurity because the design and implementation are based on a false setof premises. 

There are also language and translation challenges, as well as timezone differences.  These factors can add layers of confusion andmisinformation, and can be additional challenges to effective security(see the four risks above).  Miscommunication could also lead users tounintentionally break security rules because they are not fullyunderstood, and because monitoring is not in full effect, the behaviorgoes on unnoticed.

Distance and communication challenges should inform the securitydesign.  Assumptions, due to lack of communication or sheerexasperation, should be kept to a minimum.  This may require a fewtrips to the distant location, as well as establishing a mechanism tovirtually visit (e.g. WebEx, video conference) the location on aregular basis.  The first step to good security is to candidly identifythe differences between a remote and home location, and to designaccordingly.




More...