
How IT lockdown periods affect PCI compliance regulations

IT lockdown periods are sometimes used to improve system efficiency, but do they work with PCI compliance regulations? Expert Mike Chapple answers.

I've seen experts debate whether enterprises should enter "IT lockdown" during certain times of the year, meaning systems are left untouched, ignoring vital patches and scans, for weeks at a time to ensure availability. How do compliance regulations such as PCI DSS and HIPAA view lockdown? Is it a problem from a compliance perspective?

From a compliance perspective, lockdown periods -- where system configurations are not touched -- are only an issue if they last for an extended period of time and contain absolute bans on system modifications.

Organizations sometimes perform these lockdowns to prevent disruptions during critical operational periods. For example, if quarterly financial results are produced at the end of each calendar quarter, the last week of each quarter might be designated as a lockdown period for those systems. No changes are made to the servers, applications or other infrastructure supporting the financial reporting operations, reducing the likelihood of an error or failure during the report compilation process. The downside to lockdowns is that since no changes can be made, security and compliance may suffer. If a critical security patch is issued during a lockdown period, administrators may hesitate to apply it promptly.

The Payment Card Industry Data Security Standard (PCI DSS) doesn't explicitly mention lockdown periods, but section 6.2 contains the following language that affects lockdowns:

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release (emphasis added).

An enterprise subject to PCI DSS that is considering the use of a lockdown period should contemplate how it will continue to meet this obligation in that operating environment. There are at least two options available. First, if the lockdown period is less than one month, it can simply apply all currently released patches immediately prior to the lockdown and then repeat the patching process at the end of the lockdown. Second, if the lockdown extends beyond one month, it can create an exception in the process that allows the application of critical security patches during the lockdown.
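The two options above come down to date arithmetic: for each critical patch, does its one-month deadline fall before, inside or after the freeze? The following script is an added example, not part of the original column or of any PCI Council material. It approximates "within one month" as a fixed 30-day window from the vendor release date (a modelling assumption), and all patch names, dates and freeze windows are constructed sample data. It shows that a freeze shorter than the window never forces an exception, while a longer freeze produces patches that only the exception process can keep compliant.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Modelling assumption: PCI DSS 6.2's "within one month of release" is treated
# as a fixed 30-day window measured from the vendor's release date.
PATCH_SLA = timedelta(days=30)


@dataclass(frozen=True)
class Patch:
    name: str        # constructed label, not a real advisory identifier
    released: date   # vendor release date of a critical security patch


@dataclass(frozen=True)
class Lockdown:
    start: date      # first day on which no changes are made
    end: date        # last day of the freeze (inclusive)

    def fits_inside_sla(self) -> bool:
        """True when the freeze is shorter than the patch window, so a final
        patch run just before the freeze plus one just after it (option one)
        can cover every release without an exception."""
        length = (self.end - self.start) + timedelta(days=1)
        return length < PATCH_SLA


def patch_deadline(patch: Patch) -> date:
    """Last day on which the patch can be installed inside the window."""
    return patch.released + PATCH_SLA


def classify(patch: Patch, lockdown: Lockdown) -> str:
    """Decide how one critical patch is handled around a lockdown window.

    apply_before_lockdown : released before the freeze; install it in the
                            final pre-freeze patch run.
    apply_after_lockdown  : released during the freeze, but the deadline
                            lands after the freeze ends, so it can wait.
    needs_exception       : released during the freeze with a deadline
                            inside it; only the option-two exception
                            process keeps the organisation compliant.
    not_affected          : released after the freeze; normal process.
    """
    if patch.released < lockdown.start:
        return "apply_before_lockdown"
    if patch.released > lockdown.end:
        return "not_affected"
    if patch_deadline(patch) > lockdown.end:
        return "apply_after_lockdown"
    return "needs_exception"


def plan(patches, lockdown: Lockdown) -> dict:
    """Map every patch name to its handling decision for the given freeze."""
    return {p.name: classify(p, lockdown) for p in patches}


# Constructed sample data: a one-week quarter-end freeze and a six-week freeze.
SHORT_FREEZE = Lockdown(start=date(2014, 3, 25), end=date(2014, 3, 31))
LONG_FREEZE = Lockdown(start=date(2014, 3, 1), end=date(2014, 4, 11))

SHORT_FREEZE_PATCHES = [
    Patch("patch-A", date(2014, 3, 10)),   # before the freeze
    Patch("patch-B", date(2014, 3, 26)),   # during; deadline 2014-04-25
    Patch("patch-C", date(2014, 4, 2)),    # after the freeze
]

LONG_FREEZE_PATCHES = [
    Patch("patch-D", date(2014, 2, 20)),   # before; deadline falls inside freeze
    Patch("patch-E", date(2014, 3, 5)),    # during; deadline 2014-04-04, inside
    Patch("patch-F", date(2014, 4, 1)),    # during; deadline 2014-05-01, after
]


if __name__ == "__main__":
    for label, freeze, patches in (("one-week freeze", SHORT_FREEZE, SHORT_FREEZE_PATCHES),
                                   ("six-week freeze", LONG_FREEZE, LONG_FREEZE_PATCHES)):
        print(f"{label}: option one sufficient = {freeze.fits_inside_sla()}")
        for name, action in plan(patches, freeze).items():
            print(f"  {name}: {action}")
```

Running it shows the one-week freeze needs no exception process at all, because any patch released during a freeze shorter than the window still has its deadline after the freeze ends. The six-week freeze flags patch-E for the exception path, and also shows that patch-D, whose deadline falls inside the freeze, is only compliant because it was installed in the pre-freeze run.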


This was last published in August 2014
