The upsurge of remote working during the coronavirus pandemic adds to the risks to IT and data compliance, but it doesn’t remove the likelihood of being assessed for compliance with various legal and regulatory frameworks.
We talk about how remote compliance assessments are carried out when assessors cannot be on-site and what organisations can do to be best prepared for them.
Antony Adshead: Why do we need remote compliance assessments?
Mathieu Gorge: Part of the reason we need remote compliance assessments is that in the current climate and as more and more people are working from home, assessors may not be in a position to go on-site and perform assessments that they would otherwise have completed at the company premises.
What that means is that interviews and observing what’s being done on-site can be done remotely, at least for the time being.
So, a number of assessors are putting out guidelines for their clients about what assessments can be done remotely and what cannot be done remotely.
And it is clear that if you look at any type of security framework – whether it’s PCI, ISO or NIST or any of the mainstream regulations and frameworks – there is an element of physical security in there and if you can’t be on-site, you need an option to remotely see what’s going on on-site.
What that means is that someone from the organisation might need to be on-site and they’ll need to use some technology that allows the assessor to remotely be there with them and see video evidence of what’s happening within the physical premises.
The evidence is not limited to video or audio. It is also providing copies of policies and procedures, copies of mapping of the ecosystem and also anything that has to do with data flow. And that’s not necessarily new with remote assessments, but it’s an emphasis that assessors are putting on at the moment.
So, the risks of not being able to test mean that you will fall out of compliance. The assessor, or the authority that is checking you are in compliance, might give you an extension but, at the end of the day, you still need to remain compliant.
Assessors will ask you to demonstrate and validate that the evidence you’re providing is adequate for full assessment.
Adshead: How are remote compliance assessments carried out?
Gorge: I think it’s really a question of preparedness. The more prepared you are, the easier it will be to make your remote security assessment a successful one, so you need to be ready and you need to anticipate the assessor’s needs.
The assessor will want to be able to have secure access to network diagrams, ecosystem diagrams, data flow diagrams. Also make sure that the right people are available at the right time. In normal times, when we’re in a building, it’s easy to go up to someone in a different office and wheel them into the assessment. In a remote assessment situation, you can’t do that, so you need to have people ready on standby who can join in the call.
It’s also interesting that there’s a debate right now as to whether the interviews and the discussions between the assessor and the company being assessed should be recorded. Purely from a GDPR [General Data Protection Regulation] perspective, that is throwing up a number of challenges. But also the assessor might say: “Actually, I am supposed to record everything that you’re saying. Normally I would be typing it or recording it through another system, but right now we need to do that remotely, so we need to use a system that allows you to do that securely.”
Finally, what we would recommend you do is use a collaborative risk management solution that allows you, in real time, to share information in a secure environment, and that includes maybe the ability to get access to systems and to do data sampling, and that really should be limited to the data that’s in scope. One of the pitfalls of remote assessment is to open up the enterprise too widely.
What I mean by that is that you need to limit the remote access to what’s in scope. So, if you’re doing a PCI-DSS assessment, it’s the credit card holder data. If you’re looking at alignment with FDA or NHS regulation, it’s really protected health information.
So, it’s a balance between providing enough access so the assessor can be satisfied they’ve done the right sampling and that the evidence is OK, but not opening your systems too widely, which is something it’s easier to control when it’s on-site and not as easy when it’s done remotely.
So, in summary, it’s really being prepared and anticipating the needs of the assessor for them to validate that you’re in compliance.