While the home office has become a normality for many IT companies and operations during the pandemic, the requirements for security evaluation, certifications, accreditations, and other approvals have remained constant.
Site visits at the development sites are required to achieve the approval of certification and accreditation. How could this be accomplished when developers, auditors, and certifiers were located in different countries and were working from home?
In addition, there were multiple travel restrictions with varying rules in each country.
How did we do site visits for EAL3+ Common Criteria evaluations and NESAS audits?
How was atsec re-accredited from the national agency, and how did we maintain the level of certification for ISO 9000, ISO 27001, and other accreditation our lab must carry to provide evaluation services when an auditor from these agencies had to be on-site while our atsec colleagues worked from home?
We performed and received these site visits remotely!
Special “remote site-visit” rules were provided both by the SOG-IS for CC evaluations and GSMA for NESAS audits to allow remote site visits temporarily.
During the first remote site visits, the developers, auditors, and certifiers were skeptical. The main concern was whether such an examination method could effectively:
- examine the development processes
- demonstrate the ways records are kept
- support effective interviews
- perform physical security examinations via video call
Going back to our first experience with a remote site visit, it went well, actually almost too well. The developers were able to show development processes and appropriate artifacts remotely. The developers were also better prepared and less nervous.
The auditors and certifiers were rested since they could avoid traveling. They were also better prepared since they had the documentation readily available in digital form on their computers rather than as printed documentation. All documentation was examined seamlessly during the video interview with the developer, without any interruptions to the conversation.
Shortly after the first virtual site visit, some Certification Bodies issued updated procedures to state that the site visit oversight should be performed remotely using Information and Communication Technology (ICT), suitable for the purpose of the site visit oversight. They found that the remote site-visit procedures work very well and should be used, among other things, to avoid extensive traveling.
I would not dare to say that a remote site visit can replace an actual site visit. Still, it is possible to examine the majority of the security measures and development processes remotely. It depends on the goals of the site visit and the preparation by the developer, auditor, and certifier. The pandemic has taught us that a full or partial remote site visit should be considered to save time spent on traveling, save costs on travel and accommodation, and enable more sites to be audited cost-effectively.
We have experienced site visits from both sides: when we conducted them and when we received them. We understand that some technical areas, such as hardware evaluations, require on-site visits because of the nature of the analysis.
There is a lot of discussion about returning to the office after the pandemic. Most IT companies are considering hybrid solutions, some days in the office and some from home.
The procedures requiring on-site visits should consider the same kind of hybrid solution: partly remote and partly on-site. It would help to shorten the on-site audit, since the remote portion would identify the part that requires the auditor’s presence on-site. This, in turn, allows the on-site portion to be more focused. It won’t reduce the cost and time for traveling, but it might shorten the auditor’s stay on-site, since the developer will also be prepared for what the auditor will require.