How compliant are you? That is one of the first questions a newly minted compliance manager should ask themselves about their businesses and associated procedures. Nevertheless, many assume that a simple audit or inventory may be enough of an indicator that compliance requirements are fully enforced. However, there are many twists and turns in the world of compliance, some that go unnoticed and leave gaping holes in security.
Take, for example, remote control applications. They are used primarily for tech support to take control of a PC to troubleshoot a problem, and have become common in many organizations. It is pretty straightforward to secure a tech support-initiated remote control session, because many safeguards are built in and everything usually takes place inside the corporate firewall to keep data secure.
Yet there are times when remote control services/software can become a compliance manager’s biggest enemy — especially for those trying to adhere to compliance requirements that specifically target remote access systems. The problem stems from the PCI DSS regulation, which contains specific requirements governing access to the personally identifiable information linked to payment accounts. One of the key requirements is that data cannot be compromised through an unsecured remote access system.
Unsecured is a broad term, but compliance officers can rest assured that an unsecured connection includes any end-user installed remote access service or application, such as GoToMyPC or LogMeIn. End users install those services for a number of reasons, ranging from collaboration to working from home to getting support from an outside source. Nevertheless, if the target PC deals with information that falls under compliance requirements, odds are those regulations are being broken.
So, what does all of this mean to the compliance officer? Simply put, better control over what end users can do with their PCs and comprehensive software inventories are a must-have. What’s more, advanced technology that blocks remote control services at the firewall is something that must be considered.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.