I've seen experts debate whether enterprises should enter "IT lockdown" during certain times of the year, meaning systems are left untouched, ignoring vital patches and scans, for weeks at a time to ensure availability. How do compliance regulations such as PCI DSS and HIPAA view lockdown? Is it a problem from a compliance perspective?
From a compliance perspective, lockdown periods -- where system configurations are not touched -- are only an issue if they last for an extended period of time and contain absolute bans on system modifications.
Organizations sometimes perform these lockdowns to prevent disruptions during critical operational periods. For example, if quarterly financial results are produced at the end of each calendar quarter, the last week of each quarter might be designated as a lockdown period for those systems. No changes are made to the servers, applications or other infrastructures supporting the financial reporting operations, reducing the likelihood of an error or failure during the report compilation process. The downside to lockdowns is that since no changes can be made, security and compliance may suffer. If a critical security patch is issued during a lockdown period, administrators may hesitate to apply it promptly.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release (emphasis added).
An enterprise subject to PCI DSS that is considering the use of a lockdown period should contemplate how it will continue to meet this obligation in that operating environment. There are at least two options available. First, if the lockdown period is less than one month, it can simply apply all currently released patches immediately prior to the lockdown and then repeat the patching process at the end of the lockdown. Second, if the lockdown extends beyond one month, it can create an exception in the process that allows the application of critical security patches during the lockdown.
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Dig deeper on PCI Data Security Standard
Related Q&A from Mike Chapple, Enterprise Compliance
The HHS security risk assessment tool is designed to help healthcare providers meet the HIPAA security requirement. Expert Mike Chapple explains how ...continue reading
PCI DSS requirement 6.6 demands application security compliance through one of two options: an application firewall or a code review. Expert Mike ...continue reading
Are HIPAA-compliant hosting services a better option for compliance than a secure storage API? Expert Mike Chapple analyzes.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.