New Zealand is starting a period where lots of people are going to be working from home because of COVID-19. For some of us, it’s temporary; for others it may be (or become) a normal way of working. With this massive shift in how we are having to work for a period of time, we at Confide thought it would be good to offer some advice on how to stay secure and still maintain the Payment Card Industry (PCI) Data Security Specification (DSS) compliance.
PCI DSS is probably the last thing on your mind. But let’s start with some things that you can do to keep yourself secure at home.
- Always remember to lock your computer. [Windows: Control-Alt-Delete; macOS: Control-Command-Q] This isn’t because you think your family will do something with your data; it’s to make sure that someone doesn’t accidentally do something they shouldn’t, like delete something critical.
- Make sure that you enable multi-factor authentication anywhere it isn’t already enabled. And if it’s a cloud service managed by your company (GitHub, Jira, etc.) and you can’t enable it yourself because of how it’s configured, ask your IT team to enable it.
- Make sure you have a strong password on your home’s wireless network and that the software on your wireless devices (including your ISP’s router) is up to date (if you can update it). Make sure you update the admin password on it too.
- Make sure you continue to patch your computer and keep key things running like antivirus and firewalls. Just because you’re at home doesn’t mean that your computer is more secure.
- Keep your laptop to work use only. This is for both helping you draw a line between your work and home life when you’re working from home and to keep your computer secure by not installing other things on it.
- Before you start using your own computer to work remotely, check with your organisation to find out about their BYOD policy and if you need to add things like antivirus software or firewalls before you connect to the network.
- If you’re using your own device, make sure it has a strong password!
- Encrypt your local hard drive and your backups (and make sure you keep doing your backups!).
- Consider what else is on your network. If you have the ability to set up a separate network or VLAN for your work, do that. Keep your IoT devices and cameras separate (and patched).
While not a security issue, also check the speed of your broadband connection. You might be on a cheaper plan with low speed, e.g. fibre running at 100 Megabits, when you could be running at a higher speed, e.g. one Gigabit or higher. Check here: https://broadbandmap.nz/home. If there are a couple of you working out of the same home, the increased speed will be very useful. Almost all ISPs in New Zealand have lifted their data caps until further notice.
So with some basics covered, we move on to steps that organisations can take to minimise risk with such a significant change in how people are working.
- You’re probably already using multi-factor authentication for your remote access since it’s been part of PCI DSS requirements for years, so this one shouldn’t be hard. What may be hard is making sure that all the new people who may have to have remote access are using multi-factor authentication. We know this may mean you need more licenses or you may have to ask staff to use their personal devices for authentication. But it’s important for your compliance to ensure that everyone has multi-factor authentication in place for remote access.
- Making systems available remotely can also offer some challenges. Say you normally lock down access to your internal systems by IP address so that only certain people can access it. Suddenly you’re having to allow for dozens, hundreds, or thousands more people requiring access. So however you decide to do things, whether that’s whitelisting a lot more IP addresses or removing IP address restrictions altogether, you need to make sure your changes are documented and go through proper change control.
- Sure, you’ve probably had to make some emergency changes because of how quickly the work from home mandate was put in place nationally. But make sure that these changes get documented as soon as possible. Don’t wait for weeks to complete the documentation.
- You may have to make some other significant changes. Maybe you need to add a new jump box to let more people access the environment, maybe you need to change some firewall rules to make access less restrictive. Make sure that you’re reviewing the impact of that significant change for PCI DSS. When things are back to normal, one of the things that we look for as Qualified Security Assessors (QSA) is evidence of how you have managed and documented your significant changes and how you’ve considered your risks.
- With all these potential changes going on, make sure you’re running vulnerability scans (internal and external). It should give you an idea if any of the changes are opening up new vulnerabilities in your environment. And if your change is particularly significant, make sure you’re reaching out to a penetration testing company who should be able to conduct testing remotely.
- Review your change control processes to make sure that you can still follow them even if people are working remotely. If your system is highly restricted, you may have to consider how you deal with this if the people who need it can’t access it remotely.
- If you are fully shutting down, treat this just like you might the Christmas blackout or brownout period. Take the same steps and same precautions.
- Consider how you roll out some additional training for your staff remotely. Not only will this make it easier to ensure that you can train staff as and when needed (when they first join and annually thereafter), you might find that this opens up new opportunities for staff to complete their training when they have time rather than everyone attending a single session.
- Remember to make sure that people are still on call for monitoring for security breaches. If you rely on people generally being in the office to be able to respond to things, your response processes might need to change. You may need to create a more formal roster to make sure that someone is monitoring for incidents. You may need to make a more formal process for recording and responding to incidents so that people know who responded and what was done.
- Document everything. Document what you’ve done, how you’ve addressed the risk. We know that there will be things that you have to do to get things set up to keep operating in this situation.
- If your staff are using BYOD, make sure they have antivirus software installed! A few more licenses is better than the risk of malware infecting your environment.
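As an added example (not from this post or from Confide's own tooling), here is a small Python script for the allow-list situation described above: it diffs a remote-access IP allow-list before and after an emergency change, flags entries that widen access (including the "remove the restriction altogether" case), and emits the change record you need to keep for your QSA. The one-CIDR-per-line file format, the sample addresses and the /16 "broad range" threshold are assumptions.

```python
import ipaddress

# Assumption: IPv4 ranges wider than a /16 are flagged for explicit justification.
BROAD_V4_PREFIX = 16

def parse_allowlist(text):
    """Parse one-CIDR-per-line text ('#' starts a comment) into a set of networks."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def _sort_key(net):
    return (net.version, int(net.network_address), net.prefixlen)

def review_change(before_text, after_text, ticket, reason, changed_on):
    """Diff two allow-lists and build a change-control record with review findings."""
    before, after = parse_allowlist(before_text), parse_allowlist(after_text)
    added = sorted(after - before, key=_sort_key)
    removed = sorted(before - after, key=_sort_key)
    findings = []
    for net in added:
        if net.prefixlen == 0:
            findings.append(f"{net}: removes the IP restriction entirely; needs a PCI DSS impact review")
        elif net.version == 4 and net.prefixlen < BROAD_V4_PREFIX:
            findings.append(f"{net}: broad range of {net.num_addresses} addresses; justify or narrow it")
    return {
        "ticket": ticket, "date": changed_on, "reason": reason,
        "added": [str(n) for n in added],
        "removed": [str(n) for n in removed],
        "findings": findings,
        "approval_required": bool(findings),  # block until a reviewer signs off
    }

# Constructed sample: office egress addresses before, then the emergency edit
# that adds a VPN pool and an "allow everyone" line.
BEFORE = """# office egress (constructed sample)
203.0.113.10/32
203.0.113.11/32
"""
AFTER = BEFORE + """198.51.100.0/24   # staff VPN pool
0.0.0.0/0         # "temporarily" opened to everyone
"""

if __name__ == "__main__":
    import json
    print(json.dumps(review_change(BEFORE, AFTER, "CHG-0001", "remote working", "2020-03-25"), indent=2))
```

Run it against the real before/after copies of your allow-list and attach the JSON record to the change ticket; a non-empty `findings` list is the prompt to do the significant-change impact review before the change goes live.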
We know that things are hard at the moment. But maybe you’ll find some new opportunities over the next few weeks to improve the way you do things and become more secure in the process.
There are other great articles out there on how to secure your organisation and your workers.
- PCI Guru: Work from Home Considerations
- NIST: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- PCI SSC: Protecting Payments While Working Remotely
Stay safe and be kind everyone. PCI DSS compliance isn’t the end of the world and neither is the COVID-19 outbreak.
Confide is available to answer your questions about PCI DSS and how remote working could affect your compliance during the current situation and once things are back to normal.
In addition to being a Qualified Security Assessment Company (QSAC) under the PCI Security Standards Council, Confide is also an active corporate member of the New Zealand Internet Task Force (NZITF), whose mission is to improve Information Security standards in New Zealand.