Prism Infosec would like to provide an update to our clients on our continued capacity to deliver cyber security services. Information security responsibilities should not stop in the event of a pandemic; indeed, there is clear evidence of cybercriminals looking to exploit this further (see: https://www.ncsc.gov.uk/news/cyber-experts-step-criminals-exploit-coronavirus).
Our ISO27001:2013 Information Security Management System makes full provision for business continuity planning, which focusses primarily on asking our consultants to work from home in the event that we must close our offices. All consultants can access our testing servers and data securely in the same manner as if working from one of our offices.
Clearly, we offer a mix of remote testing and consulting services which we envisage will not be affected by the Coronavirus as we have enough resource internally, whilst being geographically diverse, to be able to deliver these services. As such, we believe it is unlikely that all of our consultants will become affected at the same time – particularly given we have closed our offices.
There are a number of services that we offer that usually require our consultants to come onto site; however, given the unprecedented situation, these can be delivered in other ways to ensure continuity of testing:
· Internal Penetration Testing – Prism Infosec can conduct this over a client VPN, or ship a small appliance to a client premises to allow us to gain access either via the client’s Internet channel or a separate communications mechanism
· Internal Consulting – this can be delivered using video conferencing and screen sharing using any collaboration tools that are supported by our clients
· Cyber Essentials Plus – IASME has published the following guidance: there is no change to the existing requirements. Assessors are already not obliged to visit client offices if the client can give the assessor suitable remote access to carry out the tests. This would likely involve VPN access and remote desktop access to carry out the internal tests. If you use this method, there is no need to notify IASME about the remote audit.
· PCI QSA / SAQ Support – the PCI Security Standards Council (PCI SSC) has published guidance on the issue of remote audits during this time – for further details see: https://blog.pcisecuritystandards.org/remote-assessments-and-the-coronavirus.
Prism Infosec are fully committed to protecting customers, employees and the public as a whole and as such will be complying with guidance and restrictions announced by the government, which may involve late changes.
If we can help further, or you’d like to discuss any specific concerns regarding service delivery or indeed maintaining cyber security during the pandemic, please don’t hesitate to get in touch with the team at Prism Infosec.