The COVID-19 pandemic has created a number of new scenarios that had not previously been contemplated, not the least of which is “how do we assess an environment when we can’t actually be there?” Onsite assessments are recommended, and formerly preferred, as they allow the assessor to review the physical environment and connect with staff in person. But over these past several months we have learned that, with proper planning and coordination, it is possible to perform a thorough remote assessment and still achieve the same goals as an onsite engagement.
CampusGuard has performed remote assessments in the past and, through those experiences, we have documented some best practices for achieving the desired outcome. Using current technology like WebEx or Skype, assessors are able to “meet” with staff to have a comprehensive discussion of their environment and processes. Mobile devices can be used for virtual tours of a data center or other key locations to ensure controls are properly implemented and requirements are being met.
Below are some key factors to consider when planning for a remote assessment:
Documentation/Evidence
With an onsite assessment, key documentation like departmental procedure manuals, device inspection logs, etc., can easily be viewed while the assessor is at the merchant location. However, with a remote assessment, collecting that documentation and delivering it to the assessor prior to the scheduled discussion is now a priority. Having access to this information will provide the assessor with more insight into the environment and allow him/her to be more efficient with their interview questions.
All documentation should include a change log indicating the dates of changes and reviews as well as a description of relevant activity and who performed it. This will help the assessor determine the currency of documentation.
Screenshots of applicable configurations or system settings can be used in the review. These images should include timestamps and descriptions including details about which system, setting, and/or configuration is displayed.
Video or photographic evidence may be used to show physical security controls that are in-place. As mentioned above, live videoconferencing is also an option.
System-generated outputs, including scripts or log files, may be produced and used as evidence. The tool that was used to generate the information should also be documented.
Live demonstrations of remote desktop tools or other applications can be conducted so the assessor can clearly observe login procedures, security controls, etc.
Interviews
As much as possible, designate a specific day or dates for the assessment and block that time on staff calendars. This allows both your team and the assessor team time to focus specifically on the assessment and your environment. With that said, remote assessments allow for additional flexibility so if one or two interviews need to occur outside of the designated window, this can typically be accommodated.
Interviews should still be scheduled with the same personnel that would have been included if the assessor was onsite. By blocking their calendar as recommended above, the priority and importance of the assessment is confirmed and their participation shouldn’t be in conflict with other responsibilities.
Take advantage of video conference tools so everyone can see each other and establish the level of engagement that comes naturally during a face-to-face meeting. These tools also facilitate screen sharing so can be used to easily switch from the discussion to a demonstration without having to use another tool or schedule another call.
If the selected video conference tool is new to the team, scheduling time before the assessment to setup, test, and orient your staff to the tool will save time on the day of the interview. A five to ten minute delay for one meeting may not sound like much, but accumulated over the course of the day can lead to long delays for the final meeting or interviews that get cut short.
Many things we are doing today were once thought to be “impossible” but we all have persevered and found ways to get done what needed to be done. Whether an assessment is being done at the site or remotely, the need, importance, and goals are the same – it’s the delivery method that is different. But by planning ahead, you can be confident that a remote assessment is as thorough as an onsite assessment.
As a side note, if your organization is unable to perform a planned assessment before a preset compliance date, we recommend reaching out to the requesting party (your acquiring bank, third-party, etc.) to request an extension to your compliance date as early as possible due to complications of Covid-19. CampusGuard can assist with this communication as requested.
Some additional guidance from the Security Advisor team:
[Hobby]: Remote assessments offer considerable potential efficiencies including saved travel time and associated travel costs, simplified assessor access to corporate resources, and more flexible scheduling options. However, remote assessments also pose challenges. Assessment planning, coordination, and clear communication are critical to any assessment, but are even more critical with remote assessments. Effective remote assessments require a focused commitment to preparation, organization, and good communication.
When performed well, remote assessments can offer significant advantages over traditional on-site assessments, and remote assessments are definitely growing in popularity.
