Best Practices for Remote Security Assessments

How to manage a successful assessment during COVID-19

April 1, 2020 • Published by

What happens in social distancing situations like the one we are in now, when security assessments such as PCI, HIPAA, risk analysis, and many more require an onsite visit to your in-scope locations? Events such as COVID-19 create a need to become more agile in order to maintain business as usual while shifting the paradigm of working in person.

Technology has come a long way over the last five years, and it has made telework possible in a great many scenarios. Despite these advancements, there is still a need for assessors and their clients to work well together as a means of ensuring that all primary business and satellite locations, data centers, call centers, etc., are properly reviewed for security and compliance.

Confirming Your Assessment can be Fully Remote

Entities like the Payment Card Industry Data Security Standards Council have released guidance outlining some of the criteria to perform remote security assessments. This won’t work for all assessments and industries, as there are some entities and some types of assessments for which a fully remote assessment doesn’t make sense or is impossible to properly substantiate.

Your third-party compliance or security assessor are the best individuals to outline what they can and can’t properly execute in a remote scenario. In those instances where a remote security assessment doesn’t make sense, contact your assessor or the entity that is requiring your compliance validation (e.g., your acquiring bank, card brands, customers, etc.) for an extension and/or further guidance on expectations.

Key Differences Between Onsite and Remote Assessments

If you have been through a security or privacy assessment engagement in the past, what should you expect to be different when done remote and how can you prepare to be more successful when having a remote assessment performed?

Here are the key differences between onsite and remote security assessments:

  • Your assessor will most likely request that interviews and observations are done with teleconferencing screenshares and collaborative internet-based applications.
  • Physical observations may be required to be done via a web cam or other video sharing solution. Staff and/or personnel may be expected to go to places and remotely show things using these technologies.
  • Assessors may ask your workforce to try things, such as opening doors or gates, showing how a multi-factor authentication token works, etc.
  • Assessors may request—or insist—that conferences are recorded. The need to do so must be determined in advance and discussed. Assessors require work papers, notes, and references to substantiate the entire assessments findings. Due to the use of remote conferencing solutions, it is more difficult to take notes as your hands are occupied in ways they wouldn’t always during an in-person meeting.
  • Taking notes and follow ups will be critical for organization’s sake. It may be many smaller/shorter meetings over a week or two instead of a week of in-person activities. Organization will take a little more thought but should actually make it easier in the long run.

Making Remote Security Assessments Successful

Have the tools – Screen shares, video sharing, mobile video calling, webcams, voice conferencing, digital white board/presentation capabilities; it all depends on the environment. In many instances, your assessor should be able to provide a solution that works for you; however, you will have to ensure that everyone on your side of the table has adequate access, bandwidth, and equipment. In the event that this fails, your auditor may not be able to obtain the required evidence. If the required observation isn’t able to be conducted, and this limitation isn’t able to be resolved in the allotted remediation window, this could even lead to a non-compliant finding.

Be early and show up - No one likes a meeting that is 15 minutes of “can you hear me now, can you see my screen, ding ding, who just joined.” It takes away from the time allocated to the meeting and is wildly inefficient. We have all been there, so join early and test your connection before the call is scheduled to start. Make sure your resources know when they are expected to join, and that they do. If they are running late, the schedule can be moved around. If they don’t let you know with plenty of notice, it will be wasted time.

Have an agenda and schedule – Because people won’t be in the same room, it is critical that you have an agenda and dedicated time with folks. Your assessor may be providing interview topics and examples of who needs to be interviewed, but ultimately every organization is different. Obtain any interview guidance (questions, topics, etc.) and ask questions if you need to pinpoint who to invite and who not to. Your assessor should be happy to help here. Ensure that there is an agenda for each meeting and topic, along with an estimated amount of time the discussion may take. For example, it is possible that you only need an individual in HR for 10 minutes, not the entire hour. A remote assessment can make things more efficient in many instances if this is done right.

Take Breaks – Remote work is mentally challenging and exhausting. Schedule breaks periodically for restroom, food, actual day-to-day work. Know your limits and stop working together before the time becomes unproductive because everyone is tired of each other’s faces.

Be focused – If you are going to engage in remote activities, be focused on the time you are scheduled instead of juggling other things at the same time. If you were face to face, you would have to do the same. Ensure you aren’t on your phone playing around, answering emails and IMs non-stop. You are paying for the assessor’s time, so you should use it accordingly. This applies to the assessor just as much. It happens to everyone using remote conferencing; you aren’t in it alone here. Who doesn’t play a game on their phone during a webinar from time to time? This isn’t a good time for that.

Be prepared – Have the data you need pulled up in advance. Just like with in-person activities, being prepared is critical. Upload as much data as humanly possible. Your assessor should be able to provide you with a complete list of the requirements and evidence required, or at least general information that should provide enough guidance to be applied to your organization. This needs to be done in advance. This is general guidance that applies onsite, but it is even more impactful when remote. Not being prepared in advance will easily wipe out any efficiency you can gain through the remote security assessment. After all, it is a point-in-time assessment by a third party of what and how you are doing things, not an assessment preparedness session.

Subscribe to this blog for more security and compliance best practices for your business.