It is tempting to think that once you have achieved PCI DSS compliance you can rest on your laurels. That’s it, finished isn’t it – nothing more to do until this time next year?

I know you have worked very hard on PCI, but I am going to disappoint you here. If you want to KEEP your PCI DSS compliance you have work to do throughout the year. Unless you keep your eye on the PCI ball you could end up with a very expensive compliance project each year. The key to ongoing PCI success is continuity. You’ve got to keep up all that good work.

5 ways to ensure consistent PCI DSS compliance

1. Make someone responsible. Give someone responsibility for ensuring that all changes to business processes or the IT and network take account of your PCI DSS compliance obligations. This person needs to have a say in all areas of the business and all aspects of operations.

Often a business will task a project manager to run a PCI DSS compliance achievement project but when the project is complete the project manager moves on to another project. Nominating an internal PCI DSS manager – your organisation’s PCI conscience – will help to ensure that continuity is not lost.

2. Stay in touch with your QSA. Your PCI DSS Qualified Security Assessor is not only a worthwhile source of information and advice during the audit but throughout the year. They have a wealth of experience that can save you wasted time effort and considerable expenditure. Your QSA’s advice is invaluable to ensure that you are not undertaking work you don’t need to. At the very least they can give you the peace of mind that they are not going to raise objections next year at the audit.

3. Keep up the vulnerability testing. Most important of all make sure that you close off those “not so important low level vulnerabilities”. You will need to demonstrate to the QSA at the next audit that you have a good vulnerability management system in place. You can’t do that if you still have a lot of the same vulnerabilities that you had last year – even if they are unimportant low-level ones.

4. Focus on configuration control. Configuration management is essential in making sure that you have the correct versions in the right places. PCI DSS compliance is about keeping control of your network, routers, servers and ancillary devices. Without good and consistent version and configuration control you cannot hope to maintain control over your network and the way in which it works.

5. Make sure patch management and change control go hand in hand. Change control and patch management can cause inconsistency within a network. Systemise your patch management so that it is not a new job every time a new patch comes out. If you make it a continuous process there is less opportunity for overlooking a patch or failing to realise its significance. Patch management must be carried out within a change control framework. Without this framework the network will develop organically and consistent control becomes impossible.

“Variability is the enemy of efficiency.” Denning

Do these 5 things and PCI DSS compliance will be far easier and less expensive to maintain year on year. Reduce variability: consistency is key for PCI success.

Article by Colin Dixon, Ascentor’s lead QSA for PCI DSS.

Further Information

• If you have any questions about this standard and how to achieve or retain compliance Colin would be pleased to help: colin.dixon@ascentor.co.uk.
• Achieve PCI DSS, the Payment Card Industry Data Security Standard compliance with Ascentor

The UK Government’s Cyber Security Strategy landed in November 2011 and the message to Government suppliers is crystal clear – the cyber security standard has just got higher and we all need to raise our game.

“We are also raising the standard of cyber security we expect from suppliers of sensitive defence equipment.” UK Cyber Security Strategy 2011

The Government’s vision for 2015 is to have a vibrant, resilient and secure cyberspace to enhance prosperity, national security and a strong society. This means setting an example by adopting best practice on cyber security in their own systems and setting strong standards for suppliers to Government to ensure the bar is raised.

What can Government suppliers expect?

• Requirements in government contracts are likely to stipulate cyber security standards much as they do for physical security today.
• Emphasis is likely to move away from in-depth technical controls to one of a risk managed approach that raises awareness of the threat to reputation, revenues and intellectual property.
• Government will work with the insurance market to ensure that cyber security is effectively managed as a business risk.

“We know that companies are struggling to quantify the cyber risks that they face and the insurance industry can play a key role in helping to price this risk accurately.” Mark Fishleigh – Head of Insurance at BAE Systems Detica

Six ways to prepare

Change is on the way and Government suppliers need to be prepared to raise their standards this year. Here are six things to focus on to enhance your company’s information security and meet the Government’s high standard.

1. Get involved. The strategy makes it clear that the Government will work with industry to bolster cyber security but does not mention how. Ascentor will continue to monitor and provide advice and guidance through our blog updates and newsletters:  Sign up for our Information Risk Management updates

2. Adopt a risk-managed approach. There is no such thing as absolute security.

• Start to identify the important assets both to your own business and any assets you hold on behalf of your customers especially in government contracts;
• Evaluate the risks;
• Plan mitigation activities;
• Manage the risks and ensure the board accepts the residual risks. See Ascentor’s Board Guide to Information Risk for useful information.

3. Start doing the basics properly.

• Review AV policies and compliance
• Review patching policies and compliance. Are updates happening in a timely manner? Are they being effectively tested before being applied? Are backups of critical data taken before they are applied?
• Review the security functionality of key produces such as firewalls. Are they operating as expected? How do you know?

GCHQ estimates that 80% or more of currently successful attacks are defeatable by simple best practice.

4. Start an awareness programme  – ensure employees understand the risk to the business from Cyberspace and the role they can play in keeping the business safe;

5. Review physical security requirements in contracts and make sure you are compliant;

6. Review contracts with any third party suppliers to ensure they are not exposing you to unacceptable risk.

Grasp the opportunity with Information Risk Management

Government is going to get stricter with information held by third parties. More emphasis will be applied to the importance of Information Risk Management at Board level and it’s likely that there will be tighter inspection regimes to ensure compliance.

Ascentor recommends all Government Suppliers think seriously about how they protect and control access to the information they host on behalf of Government departments. Effective Information Risk Management processes and procedures will strengthen your business and open up new Government opportunities.

Article by Paddy Keating, Director of Ascentor and Information Risk Management consultant.

Further Information

• Download The Board’s Guide to Information Risk
• Assess the security of your information with our free online risk review

• As workplace interactions become increasingly digital (need we mention social media, the Cloud, the growing consumerisation of IT and the proliferation of smart phones and tablet technology) the risks to any organisation’s information are on the rise.

• 2011 saw a number of serious information security breaches – the Sony Playstation network’s hack probably the most high profile of all. These have made us all more aware of the risks.

• The UK Government is now firmly on the case. December saw the launch of the UK Government’s Cyber Security Strategy – a clarion call for all businesses, all organisations to up their game if we want to remain profitable and boost prosperity in our country.

“This country needs an increased capability to protect ourselves not only against cyber attacks on the government but on businesses and individuals. Such attacks can in the future become a major threat to our economic operations in this country, to our economic welfare and to national infrastructure. We have to make sure we are protecting ourselves.”

William Hague, Foreign Secretary – speaking to the BBC, October 2010.

• More organisations, more industries, and more buyers are demanding that their suppliers take information security seriously, and they want to see evidence of this too – achieving a relevant information security standard becomes a priority if we are going to hold on to and win the business that we need.

Taking all these factors into consideration, there is a strong probability that if information security never quite made it to the top of your to do list in 2011, it certainly should do in 2012!

Demystifying information risk

This leaves any leadership team with a challenge. Information security may be on the Board’s agenda but what exactly does it mean to your business? What information needs protecting? What exactly are the risks? How does your organisation manage them? Where do you start?

To help you Ascentor is giving away a really practical guide. In The Board’s Guide to Information Risk you’ll learn:

• Why information security is such a hot topic for businesses today
• The importance of effective information risk management and what it means to your business
• The business benefits if you get it right
• 8 critical considerations for any Board of Directors
• Why it’s dangerous to pigeonhole information risk as an IT issue
• A list of questions for each member of the Board
• How to manage the risks to your organisation effectively

By sharing this useful guide, we want to show UK businesses and organisations how to secure valuable information. There’s a really positive message here – a focus on information risk management will not only secure your information, it will strengthen your whole business too. Find out more in the Board’s Guide:

Download the Board’s Guide to Information Risk »

Other articles you might like:

• Information Security is Not Just an IT Issue
• Top 10 Information Security Breaches (and what you can do to avoid them)

Although secure information systems are of huge importance, technology is not the whole story. Not all information is stored on computers – it is physical too: it is filed in cabinets, carried around in folders, taken outside your office, it’s in peoples’ heads. It all needs protecting regardless of the medium it is stored on.

“If I want to know the risks to my information I ask my IT guy.”

The threats aren’t purely from cyber crime. Environmental incident, loss or physical theft are less newsworthy but equally dangerous and in some cases more likely. The human factor makes any business particularly vulnerable.

If you look at our recent post on the Top Ten Information Security Breaches, you’ll see a mix of scenarios – some arising from cyber attack but others due to a lack of physical controls or basic human error.

“What every organisation needs is parity and balance; the right mix of physical, procedural as well as technical controls – in line with your business objectives.”

Dave James, MD of Ascentor

Take a holistic view of information risk

An organisation’s information assets are many and varied – from personal information on your customers to confidential company information and intimate staff details. Information risk needs strategic thinking and a wide view. Risk management is not about avoidance but balance: the right mix of physical, procedural as well as technical controls – in line with your business objectives.

Effective Information Risk Management is about identifying your most important assets and the threats and vulnerabilities you face as a consequence of the company doing business. What is the impact – can you live with resultant risk? If you cannot, take action to reduce the vulnerability or the impact. This action could be a roadmap, a strategic intent to solve the problem and reduce exposure over a period of time. In case of an incident, be prepared – have a plan for how you operate when your information is unavailable.

We strongly advise any Board of Directors to take a holistic approach to Information Risk Management – right across the business: physical, procedural, personnel and technical. Task each Board member to go and investigate risk in their area.

Which of your gates are open?

You’ll find more information on this holistic approach to Information Risk Management plus questions for each member of the Board in our discussion paper: ‘The Board’s Guide to Information Risk‘.

Dr Ian Levy’s recent article in Guardian Government Computing is an excellent overview of why information assurance is difficult for government, (published 25th October 2011).

Read the article here: Government Systems: how much security is enough? >>

Dr Ian Levy is technical director of CESG, the National Technical Authority for Information Assurance. Dr Levy examines what an appropriate level of security means for government organisations and looks at the real world application of applying value to your data.

Valuing your data is the foundation of Information Risk Management. It’s like a house of cards – if you overvalue, your foundations are too big and heavy, if you undervalue the foundations are on sand.

It’s refreshing to hear an official view on this challenge, for what sounds like a simple concept in reality is complex and subjective. The solution can only be education and investment in Information Risk Management – with robust, mature processes and educated stakeholders.

“Achieving the right level of security in government IT systems really depends on the threats to the data and systems, the impact that compromise of the data could have, and the fine art of balancing cost, business benefit and security.

Getting this right needs a mature information management culture, a well understood risk management framework and a well rehearsed incident management process. Future success will also depend on government systems and services evolving to meet the changing threat as they become more exposed to the outside world.”

Dr Ian Levy, Guardian Government Computing 25/10/11

You only protect what you value. If government organisations do invest in understanding the value of their data they will make better investment decisions on what to protect and what level of protection is needed. Good decisions need good information.

You can read the full article here: Government Systems: how much security is enough? >>

Risk is everywhere in business. Part of managing risk is being prepared for it becoming a reality. When BT suffered a major broadband outage in October this year, hands up who didn’t have an effective business continuity plan in place and dearly wished they had?

BT suffers major broadband outage bbc.co.uk

3 October 2011. BT has confirmed that an issue at a major exchange in Birmingham is causing problems for broadband customers across the UK. Customers have reported problems from as far afield as Belfast.

Technical risk or information risk?

Some would pigeonhole this type of incident as a technical risk. But, where ‘technology’ is supporting ‘information’ the two risk areas are pretty much joined at the hip. So the BT service (technology) was enabling a business function (exchange of information). The failure of technology had a direct impact on the availability of information (e.g. email or cloud based services), which I would classify as an information risk.

Realisation of the information risk impacted a business function and caused a risk to impact the business – in this case loss of revenue through lost productivity or similar (obviously business specific). I would concede that where technology does not support information (production facility perhaps) there is a difference.

Information risk management is misunderstood

Many businesses don’t get ‘information risk’. The board often doesn’t see it in the same light as other business risks, mainly because they think information risk is all about IT and therefore it’s for the IT department to sort out. Once we have had an opportunity to explain what information risk is about most boards quickly change their mind!

Information security is a national priority

There is a big push from central government to improve the standard of information risk management (or cyber security using the new ‘sexy’ terminology). A National Cyber Security Strategy is in draft form and waiting for Ministerial approval. The strategy and the accompanying implementation plan is likely to call for business to do more in this area voluntarily but there are rumours of the ‘stick’ being used if change is not swift enough.

The Office of Cyber Security & Information Assurance (OCSIA, part of the Cabinet Office), BIS and CESG are touring the big blue chips with the aim of convincing the big players to do more by explaining the threat. This has PM approval as Cyber Security is seen as bringing ‘prosperity’ to the UK in a number of different ways.

• Increase in tax revenue to the treasury if IP theft and industrial espionage to UK business is reduced from the estimated £17bn/year.
• Reduced cost to government of delivering public services. If the citizen ‘trust’ government to delivery services on line (as per Martha Lane-Fox plan) as opposed to face to face.
• UK seen as a good place to operate a cyber-based operation –brings in investment from outside the UK.
• UK seen as a centre of excellence for Cyber Security enabling UK to export products and services.

In my view though effort should also be expended trying to convince the SME market to up its game as its likely the economic recovery will now be powered by SME’s not Government or the big blue chips.  In many cases SME’s are the innovators and it is these small companies that may be most vulnerable to IP theft or industrial espionage. If the SME’s are to lead us into the economic prosperity its the SMEs that need to up there game.

The opportunity for UK Plc.

At the board level information risks (or technology risks) don’t have many advocates. Consequently there is little senior level involvement to manage the associated business risks that are an inevitable consequence of an information-related incident like the recent BT outage.

For those organisations new to the mystic world of accreditation, their relationship with the Accreditor can be confusing at first.

Is the Accreditor an all-knowing demi-god of security information sitting in an ivory-clad tower whose word is final and beyond reproach? Or, is he part of the team charged with ensuring that risks to government ICT systems are adequately managed?

Of course, the latter is true but the role of the Accreditor is not always easy to understand as it covers so many different aspects of information security.

To make more sense of the role, I think a football referee analogy comes in useful. Like a referee, an Accreditor plays an impartial role to ensure the rules of the game are met without bias. A referee does not determine the rules and neither does an Accreditor set policy. They are both responsible for understanding the rules and making balanced decisions based on the evidence presented to them. For example, a referee can only take appropriate action if a foul is actually witnessed. Equally, an Accreditor can only make an accreditation decision if all the evidence is presented.

Here are a few more similarities.

Why Accreditors are like referees:

1. A referee enforces the rules of the game. An Accreditor ensures that security solutions are in compliance with security policy.
2. A referee is responsible from start to end. An Accreditor is responsible from the very beginning of a design, through implementation and operations and through to final disposal.
3. A referee issues verbal and formal warnings. An Accreditor provides warnings where designs are not in compliance with policy.
4. A referee has assistants to enforce compliance. An Accreditor can call on the assistance of others – example would be a Security Assurance Co-ordinator or CHECK team.
5. A referee cannot make a decision based on hearsay no matter how convincing the argument – if a foul is not seen, then it cannot be given. An Accreditor can only make a decision based on the evidence presented.
6. A referee has some scope to interpret the rules of the game and are issued guidelines to help. An Accreditor may have some leeway to interpret policy requirements based on business benefits.
7. A referee keeps time. An Accreditor ensures that security requirements are produced and implemented.
8. A referee does not pick the teams. An Accreditor does not select security controls.
9. A referee does not decide the team formation. An Accreditor does not design security solutions.
10. A referee does not buy new players. An Accreditor does not fund security solutions or testing.
11. A referee does not determine the rules of the game. An Accreditor does not set policy.
12. A referee does not carry out investigations. An Accreditor does not conduct audits or compliance testing.
13. A referee does not select the substitutes. An Accreditor does not offer alternative solutions.

If you want to get the most from the process it’s good to set your expectations of the accreditation process correctly and have a clear understanding of exactly what the role involves – where the Accreditor’s responsibilities lie and where they don’t. Let me know if the analogy helps.

Top 10 Information Security Breaches 

1. 2007 – TJX (parent of TK Maxx) hacked: information stolen on tens of millions of credit and debit card details – unprotected wireless network
2. 2007 – HM Customs and Excise chairman forced to resign: 2 disks lost in internal post containing personal information of 25 million families in the UK
3. 2007 – HSBC Bank fined £3.2 million by FSA for losing details of 180,000 life insurance customers – unencrypted floppy disk lost in the post
4. 2007 – Nationwide Building Society employee laptop stolen from his home containing confidential customer details – failure to manage or monitor downloads of data onto portable devices
5. 2008 – Bank of New York Mellon suffers physical security breach – potential compromise of personal details of 12.5 million customers – lost data back up tape
6. 2009 – Heartland Payment Systems hacked: tens of millions of transactions compromised – computers infected with malware
7. 2011 – RSA subject to sophisticated and targeted attack that began with ‘spearphishing’ email
8. 2011 – Epsilon email marketing company could face $4 billion in damages: customer databases of names and email addresses hacked – sophisticated ‘spearphishing’ campaign
9. 2011 – DigiNotar (Dutch web certificate issuer) files for voluntary bankruptcy – hacker attacked operational IT systems and generated fake certificates. Loss of reputation is cause of downfall.
10. 2011 – Sony Playstation Network suffers security breach. Up to 24 million users affected and personal, billing and password security questions stolen. Sony expects to pay out $171 million in new protection, welcome back, customer support programmes and legal cost.

Information risk is often seen purely as a technical issue as the variety of incidents in the list above show, this is not the whole story. It’s a very human risk too. There is a need for parity and balance, looking at risk across the board: the right mix of physical, procedural as well as technical controls – in line with your business objectives.

This post introduces a series of articles. We’re not in the business of scaremongering (there is too much fear selling in our industry and we don’t want to add to that!) so in each article we’ll give you advice on how your company can avoid the situation these unfortunate organisations have faced, highlighting the positive business advantages if you get information security right.