I've seen experts debate whether enterprises should enter "IT lockdown" during certain times of the year, meaning systems are left untouched, ignoring vital patches and scans, for weeks at a time to ensure availability. How do compliance regulations such as PCI DSS and HIPAA view lockdown? Is it a problem from a compliance perspective?
From a compliance perspective, lockdown periods -- where system configurations are not touched -- are only an issue if they last for an extended period of time and contain absolute bans on system modifications.
Organizations sometimes perform these lockdowns to prevent disruptions during critical operational periods. For example, if quarterly financial results are produced at the end of each calendar quarter, the last week of each quarter might be designated as a lockdown period for those systems. No changes are made to the servers, applications or other infrastructures supporting the financial reporting operations, reducing the likelihood of an error or failure during the report compilation process. The downside to lockdowns is that since no changes can be made, security and compliance may suffer. If a critical security patch is issued during a lockdown period, administrators may hesitate to apply it promptly.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release (emphasis added).
An enterprise subject to PCI DSS that is considering the use of a lockdown period should contemplate how it will continue to meet this obligation in that operating environment. There are at least two options available. First, if the lockdown period is less than one month, it can simply apply all currently released patches immediately prior to the lockdown and then repeat the patching process at the end of the lockdown. Second, if the lockdown extends beyond one month, it can create an exception in the process that allows the application of critical security patches during the lockdown.
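The two options above, as an added example that is not part of the original answer, expressed as a scheduling check: given a patch release date and a lockdown window, it returns the planned apply date and whether an in-lockdown exception is needed. The 30-day deadline standing in for "within one month" and the Lockdown type are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: "within one month of release" is modelled as 30 days.
PATCH_DEADLINE = timedelta(days=30)


@dataclass(frozen=True)
class Lockdown:
    start: date
    end: date  # inclusive: the freeze still applies on this day


def plan_patch(released: date, lockdown: Lockdown, critical: bool = True):
    """Return (apply_on, needs_exception) for a patch released on `released`.

    Rules modelled from the answer above:
    - released before the lockdown: apply it right before the freeze starts
      (or by its deadline, whichever comes first);
    - released during the lockdown: defer to the day after the freeze ends
      if that still meets the 30-day deadline (option 1);
    - otherwise a critical patch needs an in-lockdown exception on its
      deadline (option 2); non-critical patches simply wait out the freeze.
    """
    deadline = released + PATCH_DEADLINE
    first_day_after = lockdown.end + timedelta(days=1)
    if released < lockdown.start:
        return min(lockdown.start - timedelta(days=1), deadline), False
    if released > lockdown.end:
        return released, False  # freeze already over; normal process applies
    if first_day_after <= deadline or not critical:
        return first_day_after, False
    return deadline, True


if __name__ == "__main__":
    # Constructed sample: a one-week end-of-quarter freeze.
    quarter_end = Lockdown(date(2024, 3, 25), date(2024, 3, 31))
    print(plan_patch(date(2024, 3, 27), quarter_end))
    # Constructed sample: a two-month freeze that outlasts the deadline.
    long_freeze = Lockdown(date(2024, 3, 1), date(2024, 4, 30))
    print(plan_patch(date(2024, 3, 5), long_freeze))
```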