Our country and much of the world is locked down due to the coronavirus (COVID-19) pandemic. As we look forward to returning to our usual lifestyles, it’s apparent that what was normal pre-pandemic will not be the same post-pandemic. We are starting to hear plans that begin to phase out restrictions and lead to the reopening of businesses in a ‘new normal’.
While everyone has faced rapid and significant change, one thing remains constant: the need to maintain security of information systems and comply with regulatory requirements.
The unique situation we are all faced with provides an added challenge when it comes to our IT Security. Many businesses may have bypassed existing controls in order to maintain productivity during the pandemic. For example, the Federal government relaxed HIPAA regulations for telehealth services in order to maximize the number of patients who were able to receive treatment, and ease the burden on the healthcare industry.
Companies have adapted and some have learned new ways to conduct business. These adaptations occurred within a rapid time frame. New processes were developed, established change management procedures may have been ignored, and there likely was not enough time to consider the ramifications to regulatory compliance requirements. The quick-fix genies that were let out of their bottles to assist during the pandemic, now need to be re-evaluated and potentially return to their rightful homes.
Dean Dorton has identified the following challenges and learning opportunities that will be essential to address once we are no longer under a COVID-19 lock down.
Disaster Recovery
- Was this treated as a disaster event?
- Updating the disaster recovery plan.
- Documenting lessons learned.
Incident Response
- Does the plan address national and global events?
- Documenting lessons learned.
- Updating the incident response plan.
IT Risk Assessment
- Did the IT risk assessment address this risk?
- Updating the IT risk assessment for national and global events.
Existing/New Internal Controls
- Were existing IT controls circumvented?
- Were mitigating controls in place?
- What new IT controls are needed for new processes?
IT Policies
- Do IT policies address the locked down work model?
- Updating IT policies.
HIPAA
- Were Telehealth solutions implemented or expanded?
- Once regulatory requirements are restored, will processes comply?
PCI
- Was credit card information taken or entered differently during the lock down?
- Were new processes PCI compliant?
GLBA
- Were Higher ED remediation efforts placed on hold?
- Even with a Single Audit report filing extension, Higher ED will still need to comply on time.
CMMC
- Were DoD CMMC remediation efforts placed on hold?
- CMMC deadlines are loosly defined at this point, but will be coming this year.
Dean Dorton has a team of IT Audit and Compliance professionals ready to assist your organization with navigating the challenges awaiting a “new normal” as it relates to IT security controls, IT compliance requirements, and the related policies and procedures.
We can assist your organization by getting your compliance back on track. If you would like to brainstorm more about how to prepare for the post-pandemic world or how to evaluate your pandemic response, please contact Kevin W. Cornwell.
IT Audit ServicesCybersecurity Services
For more information on how the Coronavirus is impacting businesses across multiple industries, visit our COVID-19 resource page: