Minimize business disruption and move forward with solid assessment guidance

COVID-19 has seized the world’s attention by disrupting the economy, the workforce, and our personal lives. While no one knows when this pandemic is going to end or its lasting impact, Coalfire is listening closely to our customers and doing everything we can to minimize disruption to their businesses. We are keenly aware that businesses must move forward with selling products and services and still have a need – albeit not “mission-critical” – for third-party assurance.

In order to simplify things for our customer, we distilled the online information from various regulatory bodies (PCI Council, FedRAMP PMO, HITRUST, AICPA, ANAB, and UKAS) and created an overview of each major assurance framework and their updated processes, plus what you can expect from Coalfire as we carry out assessments during these evolving times. This blog post specifically highlights the guidance from our regulatory bodies and how are we handling on-site interviews and physical site inspections.

Bottom line upfront

• On-site Interviews: Until further notice, assessment interviews with business and control owners will be performed remotely. As you will see below, this is allowable by all third-party assurance framework governing bodies. Additionally, our assessors will participate using video to provide a more personal assessment experience.

• Physical site inspections: Site visits to data centers, security operation centers, call centers, and retail stores will not be conducted or will be conducted over video conferencing platforms.
• Project Management: Coalfire will use our assessment management platform, CoalfireOne, to manage the assessment process and keep artifact collection, interviews, and deadlines organized with real-time status. We understand that projects will need to be flexible to match the current state for each business.

Framework-specific guidance

PCI DSS

As a Qualified Security Assessor Company (QSAC), Coalfire maintains certifications with the PCI Security Standards Council (PCI SSC). Our remote assessment approach follows a “safety first” mindset, while also ensuring that compliance deadlines are not put at risk. Coalfire has recently communicated with the PCI SSC via Global Executive Assessor Roundtable (GEAR) meetings and received guidance around this developing worldwide event. Additionally, PCI SSC has released guidance pertaining to COVID-19 referenced below:

• https://www.pcisecuritystandards.org/covid19
• https://blog.pcisecuritystandards.org/remote-assessments-and-the-coronavirus
• https://blog.pcisecuritystandards.org/how-the-pci-dss-can-help-remote-workers
• https://blog.pcisecuritystandards.org/protecting-payments-while-working-remotely

As a response to these events as well as current guidance, Coalfire will immediately take the following steps for all PCI DSS assessments, where onsite assessment reviews are planned or expected:

1. Coalfire developed an alternative approach to performing onsite (physical) assessment activities through a combination of remote web conferences / video recordings with onsite staff, and the collection of supporting evidence (log outputs, access lists, video / photos, etc.).
2. At the discretion of both the appointed PCI Director and the assessed client, the option to revise the walkthrough activities from an onsite assessment to a remote assessment via the methods outlined above are now permissible.
3. At the discretion of both the appointed PCI Director and the assessed client, assessment schedules may be extended where remote assessment options are deemed to be nonviable. Coalfire will support the assessed client in discussions with acquirers to ensure necessary compliance extensions can be achieved.

To participate in these revised assessment procedures, we ask customers to proactively contact their Lead Assessor, assigned PCI Director, or Project Manager to coordinate revised assessment schedules and make the necessary adjustments for remote assessments.

FedRAMP

On March 20, 2020, the FedRAMP PMO sent an email to the FedRAMP community stating operations will continue normally, but through remote capabilities. There is no intention to halt or delay Cloud Service Providers (CSPs) looking to enter the FedRAMP program.

For advisory services, Coalfire will continue to perform FedRAMP workshops, gap analyses, engineering, full documentation development, and remediation and assessment support. For assessment services, Coalfire will proceed with initial, annual, readiness, and significant change assessments as previously planned.

Due to COVID-19 safety measures, all work will be performed remotely using video conferencing capabilities. Physical security assessments will be delayed for customers who have a physical site within their authorization boundary, and an associated Plan of Action and Milestone (POA&M) will be generated at the Moderate risk level. Coalfire will schedule these site visits when travel restrictions and stay-at-home orders are lifted to ensure the evaluations are properly performed and the POA&M can be remediated.

SOC

While no specific guidance has been released by the AICPA related to the pandemic, the SOC reporting framework has historically relied on auditor judgment, risk management, and sufficient supporting evidence. As mentioned above, Coalfire is performing all interviews and observations remotely and we will continue to rely on supporting evidence for all audit conclusions.

ISO

As a certification body, Coalfire ISO (CFISO) maintains accreditation with both the ANSI National Accreditation Board (ANAB) and the United Kingdom Accreditation Service (UKAS). Both governing bodies have been proactive in their responses to this developing worldwide event and have issued guidance to certification bodies referenced below.

• ANAB Heads Up (February 6, 2020)
• ANAB Heads Up (February 28, 2020)
• UKAS Technical Bulletin (February 25, 2020)

As a response to these notices, in addition to performing audits remotely, CFISO is taking the following steps for:

• Surveillance audits
  • Should both normal audit procedures and remote auditing options be rejected by the certified organization, certificate continuance deadlines will be extended to the end of the 2020 calendar year.
• Recertification audits
  • When traditional or remote auditing procedures are not possible, certificates will be granted a one-time extension for a period of six months in accordance with ANAB Heads Up 448 when a legally enforceable contract between CFISO and the certified organization is in place.
• Audit programs such as ISO/IEC 27006 and IAF MD 5
  • During this period where onsite time is not viable in accordance with accreditation standards, CFISO may revise its multi-year audit program during subsequent reviews to account for additional onsite auditor time and physical site sampling requirements per IAF MD 1.

HITRUST

Like other assessments, HITRUST CSF workshops, readiness assessments, validated assessments and interim assessments will be conducted remotely until further notice. Additionally, HITRUST (regulatory body for all HITRUST CSF assessments) has issued two Assurance Advisories related to the COVID-19 pandemic:

1. HAA 2020-001: Waiver of On-site Requirement for Validated Assessments
   HITRUST is waiving the requirement for on-site validate procedures until further notice. Specifically, it states "to provide assessors added travel flexibility, HITRUST is waiving the requirement that in-person / on-site validation procedures be performed at the assessed entity’s facilities. This temporary waiver is effective immediately." It is the responsibility of the assessors to clearly document the alternative measures used to gain proper assurance. See full advisory here: https://hitrustalliance.net/csf-assurance-bulletin/#
2. HAA 2020-002: Impact of COVID-19 on Assessment Timelines
   HITRUST acknowledges the current business challenges related to COVID-19 and the ability to adhere to the various timing considerations for HITRUST CSF Validated Assessments (such as 90-day fieldwork rule, 90-day implementation rule, maximum age of testing performed by Internal Audit and relied upon, interim due date, re-certification dates, etc.). no blanket waiver for timing exceptions is provide, nor approval guaranteed, each case-will be individually reviewed and evaluated. Specifically, it states "HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. Should you have any questions on this, please reach out to your project manager and lead assessors and we can help you navigate the process. See full advisory here: https://hitrustalliance.net/csf-assurance-bulletin/#

Coordinated Assessments

With current hiring freezes and budget constraints, organizations look to maximize output of current staff and minimize costs. The same reality should apply to external assessments. We’re seeing a growing number of organizations considering consolidation of all external assessments to gain efficiencies and minimize the burden on internal resources. While undergoing a more complex assessment compared with doing all assessments individually may first seem illogical, there are short- and long-term benefits to coordinated assessments, so now may actually be the best time to utilize this new process.

While the above information provides guidelines, we realize it may not answer every question. For our customers, reach out to your account manager, project manager, or lead assessor if you have additional questions. All others, please send questions via the contact form on our website, and we’ll respond right away.

Co-authors:
Michael Carter, formerly Coalfire
Aaron Reynolds, VP, Commercial Services, Payments