I've seen experts debate whether enterprises should enter "IT lockdown" during certain times of the year, meaning...
systems are left untouched, ignoring vital patches and scans, for weeks at a time to ensure availability. How do compliance regulations such as PCI DSS and HIPAA view lockdown? Is it a problem from a compliance perspective?
From a compliance perspective, lockdown periods -- where system configurations are not touched -- are only an issue if they last for an extended period of time and contain absolute bans on system modifications.
Organizations sometimes perform these lockdowns to prevent disruptions during critical operational periods. For example, if quarterly financial results are produced at the end of each calendar quarter, the last week of each quarter might be designated as a lockdown period for those systems. No changes are made to the servers, applications or other infrastructures supporting the financial reporting operations, reducing the likelihood of an error or failure during the report compilation process. The downside to lockdowns is that since no changes can be made, security and compliance may suffer. If a critical security patch is issued during a lockdown period, administrators may hesitate to apply it promptly.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release (emphasis added).
An enterprise subject to PCI DSS that is considering the use of a lockdown period should contemplate how it will continue to meet this obligation in that operating environment. There are at least two options available. First, if the lockdown period is less than one month, it can simply apply all currently released patches immediately prior to the lockdown and then repeat the patching process at the end of the lockdown. Second, if the lockdown extends beyond one month, it can create an exception in the process that allows the application of critical security patches during the lockdown.
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Here are some important criteria for hiring a partner to review your information security program, with a focus on HIPAA and HITECH compliance.continue reading
New guidance from the PCI SSC includes some essential aspects of tokenization security and what merchants need to know about tokenization products.continue reading
HIPAA data breach reporting now uses an electronic Web portal, so what does this mean for covered entities? Expert Mike Chapple explains.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.