Maintaining information protection and compliance rigor throughout the COVID-19 outbreak
By Jason Taule, Chief Information Security Officer & Vice President of Standard
As someone who frequently travels as part of my job, my first indication that something was wrong was the open seat next to me on the plane. This would have been unusual on any flight these days, but on an inbound Southwest flight to their headquarters at Dallas Love Field, such a thing literally had never happened to me before. And now, just a few short weeks later, I’m that empty seat, having been directed by my own Pandemic Response Plan to adopt social distancing and work-from-home strategies.
As HITRUST’s CISO, the strategies I’ve put in place to ensure the continuity of our operations are likely very similar to those implemented by many organizations in response to recent government disaster declarations and stay-at-home orders. Which brings me to my point: nothing about the COVID-19 outbreak justifiably frees organizations from following their security and privacy policies. In fact, I would make the case that it’s just the opposite, and that organizations must account for threats to their program and be prepared to achieve their information protection and risk management objectives even in the face of such obstacles. After all, the bad actors certainly aren’t going to stop.
Standard of Care
With respect to the certifications that we issue as a premier Standards Development Organization, HITRUST is the authority and, as such, we get to decide whether the control objectives or requirement statements in our framework have been met. Likewise, there are certain legal and regulatory bodies with similar authority over the mandates they control. But apart from those specific use cases, and for many organizations caught up in COVID-19 related dynamic working arrangements, there is no single clear rule that defines what they can and cannot do. To paraphrase Peter Venkman of Ghostbusters fame, the standard is more of a guideline than a rule. So how then are organizations to determine what is proper and keep from putting themselves in jeopardy? The answer is that whatever actions they take must be “carefully reasoned and defensible.”
The following chart presents a few representative business-need scenarios organizations are likely to encounter. Consider the defensibility of the possible action as compared to the more defensible response, and you’ll quickly realize that the urgency and challenges of the current crisis do not mean that organizations must expose themselves to unacceptable levels of risk.
Possible Action vs. More Defensible Response

Scenario: Work from home connectivity
Possible action: An entity allows personnel to remotely access their internal network using direct RDP. An entity allows personnel to set up their own VPN tunnel without two-factor authentication (2FA), approval, or adherence to company standards.
More defensible response: An entity has a VPN approval process that requires a user to complete a written form and obtain their supervisor’s signature. Because of social distancing, they choose to allow approvals to be provided via email, with a plan to obtain the completed wet-signature form later, once their outbreak plan is no longer in effect. Digital signatures would also be acceptable. All other VPN requirements remain in place (e.g., company-approved VPN client, 2FA, etc.).

Scenario: Bring your own device (BYOD)
Possible action: An organization that currently limits access solely to company-owned and managed endpoints decides to allow personnel working from home to access the network using their own home personal computers without any evaluation of security posture.
More defensible response: An entity chooses to allow BYOD based on a defined and communicated set of requirements that end users have formally agreed to meet and which are enforced by some form of Network Access Control (NAC). Alternatively, a VDI or similar solution that avoids data remanence issues would also be defensible.

Scenario: Firewall changes
Possible action: The firewall admin receives a request from a user, or responds to a trouble ticket, and simply opens a port on the firewall.
More defensible response: An organization opens a new port on their firewall on an urgent basis after obtaining approval in accordance with their emergency change control protocols.

Scenario: Software installation and cloud services
Possible action: Company personnel install software on their endpoints without any vetting of any kind. The company allows personnel to use any cloud-based storage or services without any vetting.
More defensible response: The company makes an urgent case for a certain software capability. Contract teams are put on notice to expedite their review. Security performs a review of critical security controls and provides concurrence in an email. Software installation is limited, closely observed, and either removed or formally evaluated when time permits.
Relax Your Rigor, Not Your Guard
Enumerating every situation that might arise and suggesting a defensible response is well beyond the scope of this article (see the next section for a list of detailed recommendations on how to avoid such issues in the first place). But what I can offer are some thoughts on the so-called design parameters around which you can build a governance program to help your organization navigate the many challenges that will inevitably arise in a way that allows you to demonstrate your due diligence.
Bend Don’t Break – Where possible, design your program with flexibility in mind. This means crafting policies and adopting procedures that support your dominant/normal use cases, yet allow for customization or exception when necessary to accommodate non-standard situations. Remember, if you say it, you must do it. The greater latitude you afford yourself to begin with, the better off you’ll be in times of crisis.
Make the Case – The CISO’s goal should always be figuring out ways to enable the business without exposure to undue risk. Nowhere is this mantra truer than during a crisis. So, when you receive a request for a variance against an established policy, process, or standard, your goal is to “get to yes,” but not without reason. Establish the expectation that the owner of the line of business in question must work with you to make a sound business case by demonstrating that 1) the ask in question is in support of a legitimate business need (i.e., as opposed to simply a matter of convenience), 2) the situation is truly extraordinary, 3) there are no other viable alternatives, 4) not taking actions means great negative consequence, and 5) the benefit of the variance substantially outweighs the risk.
Segmentation – CISOs already know the value that physical and logical segmentation strategies deliver as a means of managing compliance/regulatory scope, reducing the cost and/or administrative burden of tools deployment and maintenance, and most especially for limiting the horizontal spread of active threats. Here too, and perhaps second only to an analysis of what data is involved in the emergency change request, you need to ask yourself whether there is a way to isolate the operations for which you are contemplating a relaxation of rigor from the remainder of your environment.
Document – Again, the fact that we are operating outside of the bounds of the normal doesn’t absolve us of the need to demonstrate that we fulfilled our due diligence requirements in the management actions we took during the crisis. The formality, presence of a wet signature, and perhaps the level of specificity may be relaxed, but you must document the decisions you reached and the basis for your conclusions. There is truth to what the auditors say, that if something isn’t documented, then it didn’t happen, but the value in spending a few moments to document these things is far more powerful and practical. Time spent now will pay dividends later, reducing the effort required to recover and return to normal operations while ensuring that the organization no longer has any unwanted risk exposures.
The post It’s More of a Guideline Than a Rule… appeared first on HITRUST Blog.