A PCI DSS Checklist for CIOs Worried About Work from Home Security
CIOs need to strike a fine balance between short term and long-term goals in making decisions about their tech spend priorities. In the short term, they need to focus on the sustainability of their daily operations and minimizing the increased risks due to the Work from Home (WFH) environment. Your remote workers with access to sensitive customer data are a honeypot for cyber criminals trying to infiltrate your network.
Outlined below is an easy sample checklist to ensure you stay compliant with PCI DSS compliance mandates.
1. Practice Good Cyber Hygiene
- Enforce a strong password management policy for your employees and ensure passwords are updated at regular intervals.
- Implement multi-factor authentication (MFA) to add an additional layer of security.
- Allow remote desktop access only over VPN with MFA enforced.
- Review your VPN configuration to ensure 256-bit encryption using modern protocols like OpenVPN.
- Ensure remote desktops are updated to the latest versions of anti-virus software.
- Publish a clearly-defined remote work policy that outlines accessing, handling, and disposing of personal data.
2. BYOD Security Policies
- Have your employees sign an acceptable use policy (AUP) to ensure compliant use of their BYOD.
- Update your incident response policy to cover WFH procedures.
- Ensure that all firewalls and anti-virus software are installed and regularly updated.
- Ensure that encryption is enabled for all sensitive data at rest and in-transit.
- Implement a mobile device management solution for centralized control, monitoring and automated provisioning and deletion of users.
3. Patch Management Cadence
PCI DSS Clause 6.2 mandates an effective patching program.
- Having a patch management cadence helps you ensure that all critical patches to remote desktops and end point devices are applied in a consistent manner.
- Automation of the patch management process can improve efficiency. Ensure that you do not fall behind in the timely application of patches as recommended by PCI mandates.
- About 70% of code in modern application is open source. Closely monitor the CVSS database for open source vulnerabilities that may be applicable to your environment and patch them as soon as a fix is made available.
4. Privilege Access Controls
PCI DSS Clause 3.2 defines extensive requirements related to securing privileged accounts in cardholder data environments. Privileged accounts hold “the keys to the vault.” Once hackers gain access to privileged accounts, they can easily elevate privileges and move laterally in your network to compromise your payment applications.
Recommended best practices for Privileged Access Management (PAM) include:
- Implementing a PAM solution to help in protecting PII data through access enforcement, central credentials management and separation of duties.
- Monitor privileged account activity to detect suspicious behavior.
- Remove unnecessary privilege accounts.
5. Security Awareness Training
PCI DSS Clause 12.6 mandates security awareness training for all employees. Annual security awareness training programs are ineffective in building a security culture. Already stressed staff that are working from home could expose new security and privacy risks that need to be addressed.
Security awareness training should cover relevant key topics like:
- VPN Basics for Remote Workers.
- Video Conferencing Security
- WIFI Security Best Practices
- Email Security
- Corona Virus Phishing Scams
- Social Engineering Threats.
Phishing attacks have spiked in the current pandemic with WFH staff being lured to click on malicious emails and exposing them to malware attacks. Educate your remote workforce on COVID-19 related phishing attacks, like Business Email Compromise and Email Account Compromise with regular phishing drills.
Check out our innovative 3-minute security awareness training delivered all-year-round here.