I've seen experts debate whether enterprises should enter "IT lockdown" during certain times of the year, meaning systems are left untouched, ignoring vital patches and scans, for weeks at a time to ensure availability. How do compliance regulations such as PCI DSS and HIPAA view lockdown? Is it a problem from a compliance perspective?
From a compliance perspective, lockdown periods, during which system configurations are not touched, are only a problem if they last for an extended period of time and impose an absolute ban on system modifications.
Organizations sometimes perform these lockdowns to prevent disruptions during critical operational periods. For example, if quarterly financial results are produced at the end of each calendar quarter, the last week of each quarter might be designated as a lockdown period for those systems. No changes are made to the servers, applications or other infrastructure supporting the financial reporting operations, reducing the likelihood of an error or failure during the report compilation process. The downside to lockdowns is that, since no changes can be made, security and compliance may suffer. If a critical security patch is issued during a lockdown period, administrators may hesitate to apply it promptly.
PCI DSS, for example, addresses patching directly: "Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release" (emphasis added).
An enterprise subject to PCI DSS that is considering the use of a lockdown period should plan how it will continue to meet this obligation in that operating environment. There are at least two options available. First, if the lockdown period is shorter than one month, it can simply apply all currently released patches immediately before the lockdown begins and repeat the patching process as soon as the lockdown ends; any patch released during a freeze that short still has time left in its one-month window when the freeze ends. Second, if the lockdown extends beyond one month, it should write an exception into the change-freeze process that allows critical security patches to be applied during the lockdown, since some patches released during the freeze would otherwise exceed the one-month deadline before the freeze lifts.
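As an added illustration (not part of the original column), the following Python script applies the two options above to a constructed set of patch release dates and a change-freeze window. It assumes that "one month" means 30 calendar days and that the freeze window includes both its start and end dates; both are assumptions, not something the page states. Beyond restating the two options, it identifies exactly which patches released during a long freeze would breach the deadline before the freeze lifts and therefore need the exception.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: PCI DSS "within one month of release" is modelled as 30 calendar days.
PCI_CRITICAL_PATCH_SLA_DAYS = 30


@dataclass(frozen=True)
class Patch:
    name: str
    released: date
    critical: bool = True


def install_deadline(patch: Patch, sla_days: int = PCI_CRITICAL_PATCH_SLA_DAYS) -> date:
    """Last acceptable install date for a critical patch under the one-month rule."""
    return patch.released + timedelta(days=sla_days)


def classify(patch: Patch, freeze_start: date, freeze_end: date,
             sla_days: int = PCI_CRITICAL_PATCH_SLA_DAYS) -> tuple[str, date]:
    """Decide when a patch can be applied relative to an inclusive freeze window.

    Returns one of:
      'before_freeze'      - released before the freeze: install in the pre-freeze patch run
      'after_freeze'       - deadline falls after the freeze lifts: install in the post-freeze run
      'exception_required' - deadline falls inside the freeze: needs the emergency-patch exception
    Non-critical patches carry no hard deadline in the quoted requirement and wait for the post-freeze run.
    """
    deadline = install_deadline(patch, sla_days)
    if patch.released < freeze_start:
        return "before_freeze", deadline
    if not patch.critical:
        return "after_freeze", deadline
    # Earliest post-freeze install day is freeze_end + 1, so the deadline must lie past freeze_end.
    if deadline > freeze_end:
        return "after_freeze", deadline
    return "exception_required", deadline


def freeze_needs_exception_path(freeze_start: date, freeze_end: date,
                                sla_days: int = PCI_CRITICAL_PATCH_SLA_DAYS) -> bool:
    """True when the freeze is long enough that some patch released during it could miss its deadline.

    A freeze of at most sla_days (inclusive) never needs the exception, because a patch released
    on the first freeze day still has its deadline on or after the first post-freeze day.
    """
    freeze_len = (freeze_end - freeze_start).days + 1
    return freeze_len > sla_days


def plan(patches: list[Patch], freeze_start: date, freeze_end: date) -> dict[str, tuple[str, date]]:
    return {p.name: classify(p, freeze_start, freeze_end) for p in patches}


if __name__ == "__main__":
    # Constructed sample data: a one-week quarter-end freeze and a two-month holiday freeze.
    short_freeze = (date(2024, 9, 24), date(2024, 10, 1))
    long_freeze = (date(2024, 11, 15), date(2025, 1, 15))
    patches = [
        Patch("vendor-patch-A", date(2024, 9, 20)),   # released before the short freeze
        Patch("vendor-patch-B", date(2024, 9, 26)),   # released during the short freeze
        Patch("vendor-patch-C", date(2024, 11, 20)),  # early in the long freeze: deadline lands inside it
        Patch("vendor-patch-D", date(2024, 12, 20)),  # late in the long freeze: deadline lands after it
    ]
    for label, window in (("short freeze", short_freeze), ("long freeze", long_freeze)):
        print(f"{label} {window[0]}..{window[1]}: exception path needed = "
              f"{freeze_needs_exception_path(*window)}")
        for name, (action, deadline) in plan(patches, *window).items():
            print(f"  {name}: {action} (deadline {deadline})")
```

Running the script shows the split the column describes: every patch released during the one-week freeze can wait for the post-freeze run, while the two-month freeze forces an exception for the patch released early in the window but not for the one released late in it.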
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)