ControlCase follows 3 main principles for Continuous Compliance Management – People, Technology and Processes. Below are Key Aspects your organization should be considering to ensure continuous compliance while working remotely.
PEOPLE
– The only way assessments will maintain value when done remotely is to adopt a partnership approach with assessors and implement continuous compliance solutions as an organizational cultural shift.
– Assessors should maintain their structure for an onsite audit; but instead use video calling and screen sharing to provide evidence and conduct interviews as a part of the assessment.
– Management must review user access privileges, including printing reports at home computers.
TECHNOLOGY
– Organizations should engage with vendors who have the infrastructure and expertise to provide remote testing (vulnerability assessment / penetration testing/ application security testing) capabilities for meeting the continuous compliance monitoring requirements.
– Sensitive data should only be accessible via secure encrypted channels like VPN and include additional security measures such as two-factor authentication.
– Implement additional controls that ensure sensitive data cannot be copied into or transmitted from local systems.
– Organizations hosting their environments in the cloud should consider working with vendors who can provide tools to directly connect with their cloud infrastructure and automatically collect evidence. This will reduce time in interviews to only the necessary questions and gaps.
– Organizations should ensure implementation of strong end-user security and access control architecture for remote end-users.
PROCESSES
– Controls specific to remote management and remote access need to be assessed with additional sampling and checks; this ensures integrity and confidentiality of sensitive data (e.g. card data) accessible to employees working from home.
– Review and conduct risk assessment process for remote employees.
– Automated evidence collection tools and scripts to be provided to customers during assessments to ensure that evidence can be remotely collected. A centralized evidence collection dashboard helps ensure all remote evidence is collected and stored properly.
– It is crucial to remotely enable other security business as usual activities such as; internal/external scans and tests, firewall reviews, card data discovery, SIEM, log monitoring, periodic user reviews etc.
Email Kimberly Simon at ksimon@controlcase.com to schedule a demo of our methodology for PCI DSS compliance in the remote working environment.