Remember when everything was normal earlier this year? How quickly life has changed in the past month. COVID-19 has wreaked havoc on everyday life for individuals and businesses across the nation. Although much of our country has shut down, many of our regulatory and contractual requirements haven't gone anywhere, especially when it comes to information security.

In fact, information security is more important than ever while we work remotely. You may have been asked for a SOC report, PCI ROC, ISO certification, HITRUST certification or any number of third-party reports that demonstrate a secure environment to your customers or regulators, and in the current environment you may not be sure whether that is feasible. However, many organizations are still being asked for these assurances on the security of the data they handle from customers, government regulators, and prospects. Fortunately, the regulatory and accreditation bodies that oversee these services have been very proactive amid the pandemic and are coming out with new guidance that will help businesses and auditors alike move forward utilizing technology and remote work to complete these audits.

The Transition to Remote Work

Remote work has become a new focus for many companies. How do we stay connected? What impact will remote work have on our current projects? How do I communicate effectively with my team and clients? Remote work doesn't have to be daunting. In fact, it can be just as productive as being in the office. You may already have access to tools that can help mimic an in-office experience. Tools such as WebEx, Skype, Zoom, Slack, and Microsoft Teams allow teams and clients to hold video conferences, share screens, and potentially conduct observations. For those who may have been avoiding this technology, what better time to become acquainted with these tools and learn the many capabilities they offer?

The Response of Regulatory and Accreditation Organizations

Regulatory and accreditation bodies have recognized that the COVID-19 pandemic has created new challenges for both organizations and their assessors. In response, many have issued additional guidance on meeting regulatory requirements during these unique circumstances.

AICPA

The AICPA has released guidance on how to conduct remote audits while many organizations have limited access to their facilities to employees only. At this time, no formal guidance has been issued relative to SOC 2 reports that are so critical for many; however, much of the guidance for remote financial audits can be applied to these SOC audits. In addition, CPA firms may employ alternate procedures where observations were once utilized to document the effectiveness of a control. If no evidence can be gathered where physical observation was once utilized, the worst-case scenario is a possible scope limitation for certain physical controls.

HITRUST

HITRUST has issued new guidance on the impact of COVID-19 on CSF assessment procedures, including new bulletins that have waived the requirement for on-site assessments and addressed the impact of COVID-19 on assessment timelines. Although HITRUST has waived the on-site requirement for a period of time, HITRUST still requires that HITRUST Authorized External Assessors obtain sufficient and appropriate evidence in order to determine that requirements are met. This most notably affects requirements that would typically be tested using an on-site observation, such as observation of physical and environmental protections. For these observations, HITRUST has listed examples of alternate procedures an assessor can leverage in order to obtain sufficient appropriate evidence of implementation. These include evaluation of evidence such as camera footage, facility diagrams, access logs, installation and maintenance records, etc.

Regarding timelines, HITRUST recently announced a new Bridge Assessment that is available for companies needing help in maintaining their HITRUST CSF Certification due to the COVID-19 crisis. This allows companies to maintain a form of HITRUST CSF Certification status for an additional 90 days even if the validated assessment submission due date is missed. If your organization needs a HITRUST Bridge Assessment, please contact us. We are even offering special pricing for new clients. If you are interested in the latest HITRUST guidance, updates can be found in their official bulletins here.

ISO

ISO recently released a statement in light of the COVID-19 pandemic indicating that all ISO governance and technical meetings should be conducted virtually or postponed until a later date. Many ISO accreditors, who typically allow no more than 30% of an audit to be conducted remotely without special permission, are now allowing fully remote audits.

PCI

The PCI Security Standards Council has also provided guidance on conducting remote audits in response to the COVID-19 pandemic. PCI SSC had already issued guidance related to remote audits but continues to monitor the COVID-19 pandemic and will provide updates as necessary. External penetration testing continues as usual. However, new processes have been implemented that allow internal penetration tests to be conducted without setting foot on the premises.

The common denominator across these assessments is the need to address observations for physical and environmental protections. As discussed, in most cases this does not have to impact or delay your current needs to keep your business moving and meeting your compliance obligations. Regardless of the assessment your organization is going through, LBMC can help you meet your compliance needs. LBMC has implemented processes and updated testing procedures to conduct successful observations remotely.

LBMC recognizes that every organization is different. If you have questions on how COVID-19 affects your organization's IT compliance audit, you can continue to monitor the LBMC COVID-19 Resource Center or contact us here.

Want to learn more? Listen to our Cybersecurity Awareness podcast with Chelsea Smith and Bill Dean.