With the festive period rapidly approaching, many people will no doubt be looking forward to an extended break and some well-earned time away from work. The run-in to Christmas can be a relatively peaceful time of the year for many people, with organisations reluctant to kick-off large projects, or make significant change at a time when their employees are taking leave.
Many businesses implement what is referred to as a change freeze over this period, stopping all but the absolutely unavoidable changes in the hope of minimising the risk of unexpected downtime. After all, nobody wants to be rolling back a system upgrade on Christmas Eve, or recovering backups on Boxing Day.
Probably the most common justification for a change freeze is found in the retail sector. With the Black Friday madness now behind us, the busiest shopping day of the year is predicted to be December 23rd. Crowds of hopeful last minute shoppers are expected to rush to the high-street, and possibly even more will go online and put their trust in next day delivery.
It is at this time of year that the impact of any technical glitch will likely cost more than at any other. Last year, over a third of all shoppers waited until the final week before Christmas to complete their shopping, so any retailer whose website or shops were unable to satisfy their customers’ desire to spend faced a significant loss.
It’s easy to see why those tasks, considered not to be “absolutely unavoidable”, are delayed. Updates, upgrades, migrations, new installations – they’ll have to wait until January. But this can prove to be problematic, especially if your business is trying to comply with PCI DSS.
There are many ongoing requirements that must be met to maintain PCI DSS compliance, and some of them could fall victim to the change freeze. The most significant issue is applying critical security updates within one month of their release. In my opinion, PCI DSS is already very forgiving on this requirement; arguably one month is an overly long window in which to apply a critical security update. However, if your business runs a change freeze from mid-December until January, a critical patch released in early December falls due in the middle of the freeze, and failing to install it could leave you (and your Qualified Security Assessor (QSA)) with a problem come the time of your next on-site assessment.
Any organisation which enforces a change freeze that might impact on security (never mind compliance) should complete a comprehensive risk assessment. Consider what additional risks exist as a result of the freeze, and any mitigation work required (wherever possible). Make sure that you assess the risks of both making and not making changes, and use the same risk assessment process for a consistent result.
Keeping with the example of not installing security patches, you should consider the exposure of each system affected (a public-facing server versus an internal server), as well as the time immediately before and after the change freeze. It should go without saying that your ‘house’ should be in order prior to the change freeze, and that all patches should be applied and verified. Another recommendation is to complete additional vulnerability scanning to provide extra visibility and assurance.
While the change freeze is in place, your teams should be actively monitoring any alerting systems you have, as well as the security bulletins provided by vendors. If critical updates are released, assess whether they justify breaching the change freeze. If they don’t, then at the very least you should consider applying them to any test environments, so that they are already validated by the time the freeze lifts.
Schedule in any required maintenance windows in advance, and when the change freeze lifts, apply any critical updates to the most exposed systems first, and work back from there.
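To make the planning above concrete, here is a small patch-triage script written for this article; it is an added example, not Nettitude’s tooling or any product’s API. It takes a constructed inventory of pending updates (the hostnames, dates and exposure categories are all assumptions), sorts them into “apply before the freeze”, “needs a freeze exception or a compensating control” and “can wait”, and orders the post-freeze queue critical-first and most-exposed-first. The one-month window is read as 30 days, and `lead_days` is an assumed allowance for booking and verifying a maintenance window once the freeze lifts.

```python
"""Plan critical-patch handling around a change freeze.

Added example for this article; not Nettitude's tooling or any product's API.
The inventory, hostnames, dates, exposure categories and the 30-day reading
of "one month" are all assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The article's PCI DSS benchmark: critical security updates applied
# within one month of release (assumed here to mean 30 days).
PATCH_WINDOW = timedelta(days=30)

# Lower rank = patched earlier when the freeze lifts.
EXPOSURE_RANK = {"public": 0, "dmz": 1, "internal": 2}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    exposure: str   # key of EXPOSURE_RANK
    severity: str   # key of SEVERITY_RANK
    released: date  # vendor release date of the update


def deadline(patch: PendingPatch) -> date:
    """Last day the patch can be applied and still be inside the window."""
    return patch.released + PATCH_WINDOW


def exception_cutoff(freeze_end: date, lead_days: int) -> date:
    """Earliest release date of a critical patch that can safely wait.

    A critical patch released during the freeze but before this date has a
    deadline you cannot meet by patching after the freeze lifts, so it needs
    either a freeze exception or a documented compensating control.
    """
    return freeze_end + timedelta(days=lead_days) - PATCH_WINDOW


def plan(patches, freeze_start: date, freeze_end: date, lead_days: int = 3):
    """Group pending patches around the freeze and order the post-freeze queue.

    lead_days is the number of days needed after the freeze lifts to run a
    pre-booked maintenance window and verify the result (assumed value).
    """
    earliest_post_freeze = freeze_end + timedelta(days=lead_days)
    groups = {"apply_before_freeze": [], "needs_exception": [], "post_freeze": []}
    for p in patches:
        if p.released < freeze_start:
            # House in order: nothing outstanding should enter the freeze.
            groups["apply_before_freeze"].append(p)
        elif p.severity == "critical" and deadline(p) < earliest_post_freeze:
            # The window closes before a post-freeze maintenance slot is possible.
            groups["needs_exception"].append(p)
        else:
            groups["post_freeze"].append(p)
    # When the freeze lifts: critical first, most exposed first, then by deadline.
    queue = sorted(
        groups["needs_exception"] + groups["post_freeze"],
        key=lambda p: (SEVERITY_RANK[p.severity], EXPOSURE_RANK[p.exposure], deadline(p)),
    )
    return groups, queue


# Constructed inventory for a mid-December to mid-January freeze (not real hosts).
FREEZE_START = date(2015, 12, 14)
FREEZE_END = date(2016, 1, 18)
INVENTORY = [
    PendingPatch("web-01", "public", "critical", date(2015, 12, 1)),
    PendingPatch("app-02", "internal", "high", date(2015, 12, 10)),
    PendingPatch("web-02", "public", "critical", date(2015, 12, 16)),
    PendingPatch("db-01", "internal", "critical", date(2015, 12, 18)),
    PendingPatch("proxy-01", "dmz", "critical", date(2016, 1, 2)),
    PendingPatch("hr-01", "internal", "high", date(2015, 12, 20)),
    PendingPatch("web-03", "public", "high", date(2016, 1, 5)),
]

if __name__ == "__main__":
    groups, queue = plan(INVENTORY, FREEZE_START, FREEZE_END)
    print(f"critical patches released before {exception_cutoff(FREEZE_END, 3)} need an exception")
    for name, items in groups.items():
        print(name + ":", ", ".join(f"{p.host} (due {deadline(p)})" for p in items))
    print("post-freeze order:", " -> ".join(p.host for p in queue))
```

The `exception_cutoff` value is the useful output for the risk assessment: with a three-week freeze and a 30-day window, a critical patch released during the freeze can usually wait, and the real exposure comes from a pre-freeze backlog or from a freeze that runs longer than the patch window, which is exactly the case a QSA will ask about.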
As for your PCI DSS and compliance, it’s important to “show your working”. Don’t simply hope your QSA won’t notice that some tasks haven’t been completed. Each QSA’s approach and expectations may vary, so work with them on an ongoing basis and at the time of your assessment, and show that you’ve acted appropriately.
Performing a risk assessment doesn’t have to mean pages and pages of documentation, but you should be able to demonstrate that you considered the risk and acted appropriately. You may also need to complete a compensating controls worksheet, but again this is something to discuss with your QSA. PCI DSS should never stand in the way of your organisation achieving its goals, and taking a pragmatic and open approach to this should help to ensure that the change freeze doesn’t leave you out in the cold.
To contact Nettitude's editor, please email firstname.lastname@example.org.