We hope you are all safely sequestered in your homes (whether your Governor has issued an order or not), and that you’ve successfully navigated the challenges of moving part of your PCI DSS Cardholder Data Environment to your home office.
Many of us have always had the potential to work from home in the evenings while some of us have run incident response from home in the middle of the night.
It’s a little different for most of us when the entire day is spent at home, with the family making demands and small emergencies ready to distract us, all while compliance must be maintained. Connecting a laptop to the in-home Wi-Fi for an hour or two without a second thought, or running out to quell an argument between the kids and leaving the keyboard unlocked, are two possible compliance problems.
There is also the larger number of staff now working from home, possibly connecting from a personal device, through a cable company modem with no hardening and the default password written on the wall for all visitors to use.
Then there’s the problem of assessments in an era of residential lockdown and essential-travel-only restrictions. Normally, as much of the assessment as possible is required to take place on the premises. Thankfully, the rise of entirely virtual companies, co-located data centers, and on-demand services such as Kubernetes and cloud platform datacenters has persuaded the PCI Council to issue guidance which we as QSAs can use to complete assessments in the current conditions.
Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?
What the council has not said, nor can it, is that compliance can take a break due to the extraordinary circumstances surrounding us. NOW is the time to reevaluate your risk assessment, threat surfaces, work from home policies, perimeter and penetration testing targets, and to ensure that
- Home connections are as secure as possible
- Those VPNs are being used consistently
- Home firewall settings are as tight as possible
- Logging is occurring as it is supposed to
- Antivirus and file integrity monitoring (FIM) tools are running and updating
- Alerts are being produced by all devices, and responded to within acceptable timeframes
- Documentation about the CDE and the devices that can affect it has been updated to reflect the new normal
- Procedures have been updated to accommodate any new workflows
- Incident response plans have been updated to account for any new risks and sources of potential trouble
Let’s stay compliant and healthy in all the ways we can think of.