Following recent developments in the spread of COVID-19, many companies and organizations are facing exceptional logistic challenges that can go as far as invoking their business continuity plan.

 
Such measures can potentially cause security and compliance elements to be put on hold for reasons of understaffing, the need to stabilize the IT infrastructure, or logistical difficulties related to the lack of mobility of key personnel.

 
PCI SSC issued a memo on March 12, 2020 regarding remote audits as part of a PCI DSS compliance assessment (see article here). The council stated that an assessment which would normally require to be on site, can exceptionally be conducted remotely if the QSA takes the necessary measures to ensure the verification made remotely is done with a sufficient level of assurance to confirm that the controls are in place. This could mean, for example, that the QSA will be doing additional checks to ensure that the people interviewed and the systems observed are the same as if the QSA had visited the site.

 
In the same article, the council announced that it is well aware these exceptional circumstances could delay the completion of compliance processes. The council suggests companies and organizations contact their acquirer or the applicable payment brands to confirm if the present situation is likely to impact their compliance program.

 
For any situation that could negatively affect the level of risk, we recommend that you document all changes and carry out a risk analysis before reducing or suspending a process or a control related to security or compliance. Before any change, try by all means to limit the risks for your environment and to your compliance against standards such as PCI DSS.

 
If, for example, the installation of patches has to be suspended to limit the risk of disrupting an essential service, increased monitoring could be implemented to reduce the risk associated with malicious activities. Also, if an organization does not have enough licences for its multi-factor authentication system to allow all of its employees to connect remotely, user accounts with minimum privileges could be set up with single-factor authentication. However, a password policy with a high level of complexity and the inability to log in outside of office hours should be enforced. Again, make sure that any reduction in controls during this exceptional period is fully documented in preparation for your next audit. Your next assessment documentation will have to reflect all changes and compensating controls that have been made and put in place.

 
If you need advice on setting up exceptional measures that would not negatively affect security or conformity, do not hesitate to contact us.

 
We wish you all health and safety in these turbulent times.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Network Detection and Response (NDR)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

24/7 Emergency – (888)-287-5858