
Search Results


  • How secure is my password?

    As annoying as they can be, passwords will probably remain the primary protection mechanism in our digital world for some time, so here is the core takeaway, with more detail below.

    Conclusion

    Whether you use passwords or passphrases, extending them with another authentication layer is crucial. A physical token, a smartphone authenticator app, or even a text-message code is better than nothing (listed from most to least secure). Always enable multi-factor authentication. A strong, random, complex password like "6ipBD@4@kl20y9@D" or a passphrase like "The5un1sBr!ghtAga1nT0day" will both be challenging to crack, but one is definitely easier to remember. Using a password manager like LastPass is preferable, although it carries its own risks (see below). Password managers also help with password reuse (which is a bad idea), as they can randomly generate and store passwords so you don't have to remember them.

    Key Points - How secure is my password?

    What makes a good password/passphrase?

    A password or passphrase has two elements: length and complexity. The shorter the password, the more random and complex it must be to be considered strong. Use a minimum of 12 characters (we recommend 16) and a mix of uppercase, lowercase, numbers, and special characters. For example, I entered a basic 12-character lowercase-only password into a "How Secure is Your Password?" website and then increased its complexity by adding different character classes. The estimated crack time improves at each step:

    pfyemvywaksc – 1,000 years
    pfyeMvyWakSc – 176,000,000 years
    2fYe9v6W3kSC – 419,000,000 years
    2fY£9v6W3kS* – 11,000,000,000 years

    Bear in mind that estimates like these assume the attacker has to guess every character at random. Password crackers are getting more sophisticated, and passphrases built from familiar dictionary words, like "CorrectHorseBatteryStaple", are getting easier to crack with wordlist and combinator attacks. So, for your most important accounts, aim for longer passphrases with added complexity.

    For example, "!ThisYearIsGoingToBeGreat2024!" is a vast improvement on a single word, and you could go further with added complexity, as in "Th1sYear!sG0ingToB3Great2O24". However, remembering a password or passphrase like this for every account is a lot to ask. But as it's secure, you can reuse it, right?

    Reusing Passwords

    Password reuse is a bad idea. The main reason is that a data breach at one company can lead to a breach of all your accounts through a technique called credential stuffing: attackers take the stolen username and password pairs and try them on many other sites, especially email providers. Email is usually the gateway to resetting all your other accounts, so NEVER reuse that password anywhere.

    Storing Passwords (Password Managers)

    The issue today is that we have multiple accounts across multiple systems, so we need to remember tens, if not hundreds, of passwords. And no, a password notebook is not the way! Password managers solve this: you remember one password, and the manager remembers all the others. Amazing, right? Well, they are not without their risks. Let's look at the pros and cons.

    Pros

    You remember one long, complex passphrase to unlock all your other randomly generated passwords. A caveat: always use a separate long, complex passphrase for your main email account (you'll see why in the cons).
    Most managers will generate random, complex passwords for you, with length and character-set settings configurable to meet a website's requirements.
    They will analyse your vault for reused passwords.
    Reputable managers encrypt the vault locally with a key derived from your master password, so even a stolen copy of the vault is useless to an attacker unless they can guess that password, which is another reason it must be long and unique.

    Cons

    Single point of failure: the vault is only as secure as the master password, and if you forget it, you've lost access to everything in it. Enterprise editions can create recovery keys for admins. This is also why your email account needs its own password: it is how you reset everything else.
    Password vaults are highly targeted, because a single master password breach gives access to all your passwords.
    Advanced features usually cost money, although most offer a good free version for home use.

    In most cases, the benefits outweigh the risks, allowing for better passwords everywhere you log in.

    Enhanced Security (Multi-Factor Authentication)

    Where available, enable multi-factor authentication. This is probably the best current mechanism to secure your accounts from compromise. Adding an additional step to the authentication process means that even with a compromised password, an attacker would also need access to your token, device, or phone number to gain entry. Fundamentally, nothing is 100% secure, but following the above will help keep your accounts safe from password attacks.

    Try LastPass Personal for Free | Try LastPass for Business for Free

    Examples of Bad Passwords

    Anything that deviates from the above is not a great password, but below are some of the most common passwords found in leaked credentials. Please do not use any of these:

    123456, admin, 12345678, 123456789, 123, 12345, password, Aa123456, 1234567890, 1234567, 123123, 111111, Password, root

    Note: we are fans of LastPass as a password manager and have been using it for a long time; we are also affiliates, and using one of our links above will earn us an affiliate fee.
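    The following Python script is an added example, not code from the article or from any password manager vendor. It models the two elements discussed above, length and character-class complexity, as a brute-force search space, reproduces the progression in the crack-time table, rejects anything on the short breached-password list quoted in the article, and generates a random password the way a manager does. The guess rate of ten billion per second, the 32-character symbol pool, and the acceptance thresholds (12 characters, 64 bits) are assumptions chosen for illustration; a real policy would check against a full breach corpus rather than fourteen entries.

```python
import math
import secrets
import string

# Constructed breach list: just the common passwords quoted in the article.
# A real deployment would load a full breach corpus instead.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "123", "12345", "password",
    "Aa123456", "1234567890", "1234567", "123123", "111111", "Password", "root",
}

# Character classes and the pool each one adds. Anything that is not a letter
# or digit is counted as a symbol drawn from the 32 printable ASCII punctuation
# characters; this is a modelling assumption, not a measurement.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
)
SYMBOL_POOL = 32


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the
    character classes actually present in the password."""
    pool = 0
    remaining = set(password)
    for _name, chars, size in CLASSES:
        if remaining & chars:
            pool += size
            remaining -= chars
    if remaining:  # anything left over is treated as a symbol
        pool += SYMBOL_POOL
    return pool


def entropy_bits(password: str) -> float:
    """Upper-bound entropy assuming every character was chosen uniformly at
    random from the inferred pool. Dictionary words and keyboard patterns are
    worth far less than this number suggests."""
    return len(password) * math.log2(pool_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every string in the search space at the given rate. On
    average the attacker finds the password in half this time."""
    return pool_size(password) ** len(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Apply the checks in the order a policy should: a breached password has
    zero effective entropy whatever its length, so that check comes first."""
    if password in COMMON_PASSWORDS:
        return {"verdict": "reject", "reason": "appears in breached password list"}
    bits = entropy_bits(password)
    return {
        "verdict": "accept" if len(password) >= 12 and bits >= 64 else "weak",
        "length": len(password),
        "pool": pool_size(password),
        "entropy_bits": round(bits, 1),
        "exhaust_time": humanize(seconds_to_exhaust(password, guesses_per_second)),
    }


def generate_password(length: int = 16) -> str:
    """What a password manager does for you: draw from all four classes with a
    CSPRNG, rejecting any draw that does not contain every class."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if pool_size(candidate) == 26 + 26 + 10 + SYMBOL_POOL:
            return candidate


if __name__ == "__main__":
    # Same progression as the article's table, plus a 16-character lowercase
    # password: it already outscores the 12-character mixed-case-and-digits one.
    for pw in ("pfyemvywaksc", "pfyeMvyWakSc", "2fYe9v6W3kSC", "2fY!9v6W3kS*",
               "pfyemvywakscqrtu", "123456"):
        print(pw, assess(pw))
    print("generated:", generate_password())
```

    The numbers this produces are smaller than the website's, because the model assumes a fast offline attack against a stolen hash rather than a rate-limited login form; the relative ordering is what matters, and the 16-character lowercase entry shows that four extra characters buy more than two extra character classes.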

  • Safeguarding Data with a remote workforce: Mitigating the Risks of Data Leakage

    Conclusion

    In the era of remote working, safeguarding sensitive data has become a critical priority for organisations worldwide. Data leakage risks are heightened in remote work environments, where employees access company data from personal devices and unsecured networks. To mitigate these risks, you must implement robust data loss prevention measures, including employee training, secure communication channels, endpoint security, access controls, data encryption, remote wipe capability, regular audits, and policy enforcement. By adopting a proactive approach to data security, you can protect sensitive information and maintain the trust and confidence of your employees and customers.

    The Key Elements to Safeguarding Data with a Remote Workforce

    In the post-COVID age of remote working, digital collaboration and virtual meetings have become the norm for many people, and protecting sensitive company data is in the spotlight more than ever. Being able to work from anywhere has many advantages, like the time saved by not commuting or the extra focus that comes from having fewer of the distractions you get in the office. However, being physically separated from the organisation's systems and IT support brings its own challenges. An important one is data leakage: the unauthorised transmission or storage of confidential information, which poses a significant threat to businesses and individuals alike. As more employees work from home, the risks of data loss have heightened, necessitating robust measures for data loss prevention (DLP). In this article, we'll explore the potential risks of data leakage in remote work settings and discuss practical strategies to address them.

    Understanding the Risks

    Data leakage can occur through many channels, including email, messaging platforms, file-sharing services, and physical devices. Employees who work remotely often access company data from personal devices or unsecured networks, increasing the likelihood of data exposure. Here are some common scenarios where data leakage may occur:

    Unsecured Networks: Remote workers often connect to public Wi-Fi networks, which may be less secure. Data transmitted across them could be intercepted by cybercriminals, who can eavesdrop on any communication that is not encrypted and steal sensitive information like login credentials or proprietary documents.

    Phishing Attacks: Cybercriminals frequently use phishing emails to trick users into revealing confidential information or installing malware. Remote workers may be more vulnerable to such attacks because IT support is less immediately available and the security protocols of a traditional office environment are harder to enforce.

    Unauthorised Access: Inadequate access controls and weak authentication mechanisms can lead to unauthorised access to sensitive data. Remote employees may inadvertently share login credentials or fail to secure their devices adequately, allowing unauthorised individuals to gain access to confidential information.

    Endpoint Vulnerabilities: Personal devices used for remote work may lack the necessary security features, making them susceptible to malware infections and data breaches. Without proper endpoint security measures in place, remote workers' devices become easy targets.

    Implementing Data Loss Prevention Measures

    To mitigate the risks of data leakage in remote work environments, organisations must implement a robust programme of data loss prevention measures. Here are some strategies to consider:

    Employee Training: Educating employees about data security best practices is essential for preventing data leakage. Remote workers should receive training on identifying phishing attempts, securing their devices, and adhering to company data handling and storage policies. Regular security awareness training is one of the most effective ways of preventing unauthorised access.

    Secure Communication Channels: Encourage the use of secure communication channels, such as encrypted email services and virtual private networks (VPNs), to protect sensitive information in transit. Avoid transmitting confidential data over unsecured networks or through unencrypted channels.

    Endpoint Security: Implement endpoint security solutions, such as anti-malware software and full-disk encryption, to protect remote workers' devices from malware and unauthorised access. Regularly update and patch software to address known vulnerabilities. Where possible, prevent the use of personal devices for work altogether; on company-managed devices you can use technical controls to enforce software updates, distribute security software, and block access to systems from unknown devices.

    Access Controls: Implement strict access controls that restrict employees' access to sensitive data based on their roles and responsibilities. Use multi-factor authentication (MFA) to strengthen authentication and prevent unauthorised access to company systems and applications.

    Data Encryption: Encrypt sensitive data in transit and at rest so that it remains protected if a device is lost or a network is intercepted. Use strong, current encryption algorithms and manage the keys carefully to preserve the confidentiality of stored data. This doesn't have to be complicated or expensive; most modern operating systems have full-disk encryption built in.

    Remote Wipe Capability: Enable remote wipe on devices used for remote work so that sensitive data can be erased if a device is lost or stolen. This allows organisations to retain control of their data and prevent unauthorised access to confidential information. There are several ways of achieving this. The best is a dedicated mobile device management (MDM) solution, which often lets you remove only the company data from the device and provides other useful DLP features, like preventing the download of protected data or blocking copy and paste between managed and unmanaged applications.

    Regular Audits and Monitoring: Conduct regular audits and monitoring of data access and usage to identify potential security threats and anomalies. Implement data loss prevention tools to monitor and control the movement of sensitive data across the organisation's network and, in particular, out of it.

    Policy Enforcement: Enforce data security policies and guidelines consistently across the organisation, regardless of employees' location or work environment. Communicate data handling and security expectations to all employees and hold them accountable for compliance.

    As stated in the conclusion, to mitigate the risk of data leakage in remote working, you must implement stringent data loss prevention measures, including:

    Employee training
    Secure communication channels
    Endpoint security
    Access controls
    Data encryption
    Remote wipe capability
    Regular audits
    Policy enforcement

    Don't hesitate to get in touch with us on 0333 301 0187 for more information on how Vorago Security can support you on your journey to becoming more secure with a remote workforce.
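    To make the "Regular Audits and Monitoring" point concrete, here is an added example (not code from the article or from any DLP product) of the kind of rule a DLP gateway applies to outbound messages. It looks for payment card numbers, the most common type of data that must never leave the organisation unprotected (and the data PCI-DSS exists to protect), uses the Luhn checksum to discard number-like strings that are not card numbers, masks what it finds to the first six and last four digits, and decides between allow, alert and block depending on whether the recipient is inside the company. The internal domain example.com, the 13 to 19 digit PAN length, the sample messages and the decision policy are all constructed for the example; the two card numbers are the industry's standard test numbers, not real cards.

```python
import re

ALLOWED_DOMAINS = {"example.com"}  # assumed internal domain; anything else is external

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (the lookarounds stop mid-run matches).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of outbound messages as (sender, recipient, body).
SAMPLE_MESSAGES = [
    ("alice@example.com", "finance@partner.example.net",
     "Customer card 4111 1111 1111 1111, exp 12/26, please process"),
    ("bob@example.com", "carol@example.com",
     "Refund for 5555555555554444 approved, ticket 88213"),
    ("carol@example.com", "venue@hotel.example.org",
     "Room booking ref 1234567890123456 for the offsite"),
    ("dave@example.com", "recruiter@agency.example.org",
     "Call me on 0333 301 0187 about the role"),
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like card numbers and pass
    Luhn. Phone numbers are too short to match; booking references and order
    numbers of the right length are dropped by the checksum."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI-DSS
    permits to be displayed; the log must never hold the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_message(sender: str, recipient: str, body: str) -> dict:
    """Policy assumed for the example: card data to an external recipient is
    blocked, card data between internal users raises an alert for review,
    everything else is allowed."""
    pans = find_pans(body)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if pans and domain not in ALLOWED_DOMAINS:
        action = "block"
    elif pans:
        action = "alert"
    else:
        action = "allow"
    return {"sender": sender, "recipient": recipient, "action": action,
            "pans": [mask_pan(p) for p in pans]}


def scan_all(messages) -> list:
    return [scan_message(sender, recipient, body) for sender, recipient, body in messages]


if __name__ == "__main__":
    for result in scan_all(SAMPLE_MESSAGES):
        print(f"{result['action']:<5} {result['sender']} -> {result['recipient']} {result['pans']}")
```

    The Luhn check is what keeps the rule usable: a naive "sixteen digits" regex would block the hotel booking and flood the review queue, and a rule that is always firing is one that gets switched off.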

  • Safeguarding Your Work-From-Home Environment: Understanding Endpoint Security Risks

    In recent years, remote work has become more than a convenience; it is a necessity for many businesses and employees. However, the flexibility it offers comes with its own set of challenges, particularly concerning endpoint security. With the rise of remote work, the traditional security perimeter has dissolved, leaving endpoints (laptops, desktops, smartphones, and tablets) more exposed than ever to cyber threats. Understanding these risks is crucial for individuals and organisations that want to protect their sensitive data and systems while working remotely. In this short article, we will look at some of the main risks to the security of your devices while working remotely, and what you can do to guard against them.

    Unsecured Wi-Fi Networks: When working remotely, we often connect to home Wi-Fi networks or the public networks available everywhere, such as in coffee shops, but these networks may lack adequate security measures. Traffic on them may be intercepted, putting our data at risk. It's usually better to tether to your mobile phone where possible and share your mobile data allowance, as this is a private, more secure connection. When that's not practical or cost-effective, always use a VPN to encrypt your connection to the internet or the office; this prevents anyone else on the same network from reading your traffic.

    Phishing Attacks: This is one of the most common types of attack, and remote workers are prime targets. Phishing is most often an email-based attack designed to trick users into revealing sensitive information or downloading malicious software, compromising the device and potentially giving the attacker a way into the corporate network. The best defence against phishing is user education. Avoid clicking links in unexpected messages (go to the site directly instead), and always check the address the message actually came from, not just the display name, as this helps you judge whether it is genuine. If you're in any doubt about a request you've received by email, contact the sender directly by another means, like a phone call to a number you already have.

    Weak Passwords and Authentication: Weak or reused passwords are a significant vulnerability. Credentials exposed in a data breach are routinely replayed by attackers against many other services, so you should always use a unique, strong password for each of your online accounts. You should also add multi-factor authentication wherever it is available. Whether it sends a code to your mobile device, prompts an authenticator app, or uses a hardware key, it means a password alone is not enough to get in. It's very unlikely that anyone other than you has access to both your password and your device, so this method alone can often stop an attacker in their tracks.

    Unpatched Software and Devices: New vulnerabilities are discovered in operating systems and application software every day, some of which can be very damaging if exploited. Failing to update software and devices regularly leaves them exposed to these known vulnerabilities. Attackers use automated tools to find and exploit them, gaining unauthorised access to data or a foothold in the network from which to launch ransomware or other attacks that can destroy all of your data. Often, the only way to recover is to restore from backups, which can be very time-consuming, so it is critical to keep all of your software up to date.

    Shadow IT and Personal Devices: Remote work often blurs the line between personal and professional devices. Employees may use personal devices or unauthorised software and applications (shadow IT) to perform work tasks, introducing security risks because the IT department has no oversight or control over them. Always be mindful of which devices you are using to access your organisation's data, and follow any policies that apply; they're there for a reason.

    Addressing Endpoint Security Risks

    Now that we've taken a brief look at some of the issues, let's summarise what can be done centrally by the organisation to address them.

    Encourage employees to secure their home Wi-Fi networks with strong passwords and encryption (WPA2 or, preferably, WPA3). Many home internet service providers ship routers configured this way out of the box, but it's always worth checking. Additionally, consider providing employees with virtual private network (VPN) access to create a secure tunnel for transmitting data over public networks.

    Educate employees about the dangers of phishing attacks and how to recognise suspicious emails, links, and attachments. Regular training sessions help reinforce good security practices and empower employees to protect themselves against social engineering. Regular training is also a requirement of security standards like PCI-DSS and ISO 27001 and will help you gain and maintain compliance.

    Enforce the use of strong, unique passwords for all accounts and devices. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security; this can prevent unauthorised access even if passwords have been compromised.

    Establish a patch management process to ensure that all software and devices are promptly updated with the latest security patches. Consider automating patch deployment to minimise the risk of human error and ensure timely protection against known vulnerabilities.

    Develop and enforce bring-your-own-device (BYOD) policies that set out the security requirements for personal devices used for work. Implement endpoint security solutions, such as mobile device management (MDM) and endpoint detection and response (EDR) tools, to monitor and protect devices against threats.

    Conclusion

    Remote working is here to stay, so it's more important than ever to give device security the right level of priority to safeguard sensitive data and systems from cyber threats. By understanding the main risks associated with remote endpoints and implementing proactive security measures, individuals and organisations can mitigate these risks and create a more secure work-from-home environment. Remember, endpoint security is not a one-time task but an ongoing effort that requires vigilance, awareness, and adaptation to evolving threats. By prioritising endpoint security, remote workers can enjoy the benefits of remote work without compromising the integrity of the organisation's digital assets.

  • ISO27001 and Risk Management

    Risk management is a key component of ISO27001, covered by the requirements in clauses 6 (Planning) and 8 (Operation) and featured in the Annex A controls. Risk forms the basis of your Annex A control decisions, and the controls you select from Annex A should be reviewed for alignment with your risk treatment decisions.

    Understanding the ISO27001 Standard

    I suppose we should introduce the ISO27001 standard. ISO27001 is a globally recognised international standard for managing information security. It provides a framework for implementing and maintaining an effective Information Security Management System (ISMS) designed to protect the confidentiality, integrity, and availability of an organisation's information assets. If you want to know more, check out our "What is ISO27001" article.

    Incorporating Risk Management within ISO27001

    Risk management is fundamental to ISO27001, and the standard's requirements set the following expectations:

    Actions to address risks and opportunities
    Risk identification
    Risk assessment, including recurring assessments and documented evidence
    Risk treatment, including implementation of the treatment and, again, documented evidence

    Risk is also mentioned in Annex A controls when assessing supplier relationships (including the ICT supply chain) and when screening employees.

    Risk Management Methodologies

    The risk management concepts in ISO 27001 are aligned with ISO 31000, a general risk management guidelines document. It is a relatively simple standard and a good method to follow with ISO27001, although I would generally recommend adopting ISO 27005, which focuses on information security risk management, the very thing ISO 27001 is concerned with, and sets more detailed expectations for the risk assessment process. A blend of the two is probably best for most businesses. Either way, you still need to define a process that meets your needs.

    Key Components of ISO27001 Risk Management

    Here, I will cover some of the key components of risk management for ISO 27001, but if you want a deeper understanding, read our "What is Risk Management" article.

    Criteria for accepting risks – some risks you will just accept and move on, usually those that score low, but defining the criteria means you get consistent treatment decisions.
    Document the risks in a risk register – this could be as simple as writing a description of each risk.
    Define the potential impact and likelihood – what impact could occur, give it a value; how likely is it, give that a value too; then multiply the two to give a risk score.
    Document what you are going to do, if anything – you will define standard responses to risk and identify the controls from Annex A that are relevant to the treatment.
    Finally, assign an owner – someone who can take responsibility; in a small company this may be the same person for every risk.

  • What is the difference between PCI-DSS 3.2.1 and PCI-DSS 4.0?

    Differences between PCI-DSS 3.2.1 and PCI-DSS 4.0

    The technology organisations rely on is constantly evolving, as are the threats to its security and reliability. Standards and regulations must adapt to address these emerging threats and vulnerabilities, and the Payment Card Industry Data Security Standard (PCI-DSS) is no exception. Organisations must stay abreast of the latest updates and changes in PCI-DSS requirements as they strive to secure sensitive payment card data. In this article, we'll explore some of the differences between PCI-DSS version 3.2.1 and the recently released PCI-DSS 4.0, highlighting key updates and when these changes become mandatory.

    Understanding PCI-DSS

    PCI-DSS is a set of security standards designed to ensure that companies that accept, process, store, or transmit payment card information maintain a secure environment. It encompasses a range of requirements and controls to safeguard cardholder data and reduce the risk of data breaches and fraud. PCI-DSS 3.2.1 was released in May 2018 and was retired on 31 March 2024, when version 4.0 became the only active version of the standard.

    Key Changes in Version 4.0

    PCI-DSS 4.0, published in March 2022, introduces several significant changes aimed at improving the security posture of organisations and aligning with evolving cybersecurity threats. Instead of simply following the defined set of controls provided in the standard, organisations can now follow the "customised approach" and select their own controls, provided they can show that those controls meet the stated objective of each requirement. Some of the other key modifications include:

    Expanded Scope: Version 4.0 provides clearer guidance on the scope of PCI-DSS requirements, particularly in cloud environments and for entities using third-party service providers. It emphasises the importance of understanding and documenting the flow of cardholder data across systems and networks. The roles and responsibilities related to each requirement must now be defined and documented.

    Authentication and Access Control: The new version places more emphasis on strong authentication mechanisms and access controls. Multi-factor authentication is now required for all access into the cardholder data environment, not just administrative access, and a risk-based approach is permitted in some areas, for example analysing the security posture of an account in real time instead of forcing a password change on a fixed schedule.

    Encryption and Key Management: Version 4.0 updates the encryption and key management requirements to reflect advances in cryptographic algorithms and best practice. It emphasises the use of industry-standard encryption protocols and the secure storage and rotation of encryption keys.

    Security Testing and Vulnerability Management: The latest version of PCI-DSS highlights the importance of continuous security testing and vulnerability management. It carries forward the requirement for penetration testing of segmentation controls and provides enhanced guidance on conducting secure code reviews and vulnerability assessments.

    Secure Software Development: Recognising the growing importance of secure software development practices, PCI-DSS version 4.0 includes updated requirements for secure software development lifecycle (SDLC) practices. It outlines principles for integrating security into the development process and emphasises secure coding practices and regular security testing.

    Evolving Threat Landscape: Version 4.0 acknowledges the dynamic nature of cybersecurity threats and requires organisations to monitor industry sources for emerging vulnerabilities and threats and to mitigate them proactively. There is also a new requirement for technical controls to protect staff against phishing attacks.

    Mandatory Compliance Dates

    Organisations subject to PCI-DSS must adhere to the compliance deadlines set for version 4.0. The PCI Security Standards Council provides a transition period to allow entities to implement the necessary changes. With version 4.0, a number of new requirements were designated best practice until 31 March 2025, after which they become mandatory. Organisations must plan and prioritise their compliance efforts to meet this deadline and maintain ongoing security and compliance.

    Conclusion

    As cyber threats evolve, so must the standards and regulations designed to protect sensitive data. PCI-DSS version 4.0 represents a significant step forward in enhancing payment card data security and addressing emerging challenges. By understanding the differences between versions 3.2.1 and 4.0, organisations can better prepare to meet the evolving requirements and guard against potential vulnerabilities and breaches. Staying proactive and maintaining a strong security posture is essential in today's dynamic threat landscape. Remember, PCI-DSS compliance is not just a box-ticking exercise; it is a fundamental part of protecting your organisation and your customers from the ever-present risks associated with payment card data.

    A full summary of the changes is available from the PCI Security Standards Council document library.

  • What is a Risk Register?

    A risk register, in its simplest form, is a log. It can take many forms, from very simple to massively complex, but fundamentally it is where you record your risks so that you understand your current risk landscape. Be aware that it will take a few passes to capture everything (and you'll probably still miss stuff).

    Purpose of a Risk Register

    The main purpose is to document your risks and the actions taken to minimise them. This is a core way to satisfy the expectation in most legislation that you have applied due care and due diligence in your cyber security efforts to protect your clients' data as well as your own valuable information. Documenting risks also lets you prioritise them, ensuring the ones that could impact your business most get the attention.

    Key Aspects of a Risk Register

    Risk registers can be designed in various ways, from simple to massively complex, with multiple scoring vectors beyond the standard impact and likelihood. But they should all have the following:

    Risk detail – what is the risk?
    Risk assessment – what is the impact and likelihood of the risk?
    Risk treatment – what is the plan of action? It can be to do nothing.
    Risk ownership – who takes responsibility?

    And what a lot of people miss:

    Risk monitoring and review – how do you know the controls are working now and will keep working in the future?

    Creating and Maintaining a Risk Register

    Once you have defined your risk register, you must add risks. The first step is to identify the risk. Don't think of risks as things you have missed; when you start this process, just document the risks that could affect you, without thinking about the controls you already have. A good example is malware: almost every business has some form of anti-malware, but malware is always a risk. New malware is released daily, so the threat is always present, even if the residual risk is low because of your anti-malware controls. Closed risks should be reviewed using the same principles: the threat landscape changes, and what worked at the point of treatment may no longer be enough. This is why routine review and monitoring are important.

    Best Practices for Utilising a Risk Register

    Once you have created your register, here are some good practices to follow to ensure it brings value to the business in the long term:

    Routine reviews – risk assessment is not a one-time process but a continuous review. Risks change, controls fail, new risks occur and old ones recur.
    Get the right people involved – risk shouldn't be left to a single individual. It may be managed by one person, even in large organisations, but it needs to involve key people, especially the risk owners.
    Risk is a leadership issue – ensure that risk is presented to the leadership, and ideally they should be the owners of key business risks.
    Training and awareness – make sure everyone involved in risk is trained to understand the process and the expectations on them, which ultimately brings buy-in.

    Having a good risk management strategy (read more here) and a well-defined risk register (download one for free here) is vitally important to every business.
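    The following Python is an added example, not the downloadable register or any code from the articles above, showing the structure described in this article and in "ISO27001 and Risk Management": each entry carries detail, an impact and likelihood that multiply into a score, a treatment, an owner and a review date, and the register itself enforces the acceptance criteria and flags entries that are overdue for review, closed ones included. The 1 to 5 scales, the acceptance threshold of 4, the yearly review interval and the four sample risks are all constructed assumptions; the Annex A numbers attached to them are ISO/IEC 27001:2022 control references chosen to illustrate how treatments map to controls.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Scoring scheme assumed for this example: impact and likelihood are each rated
# 1-5 and multiplied to give a score of 1-25. Risks scoring at or below
# ACCEPT_THRESHOLD may simply be accepted; anything higher marked "accept" with
# no supporting controls is flagged. Review at least yearly. These are policy
# choices for the organisation, not rules laid down by ISO 27001.
ACCEPT_THRESHOLD = 4
REVIEW_INTERVAL = timedelta(days=365)
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}
SAMPLE_TODAY = date(2024, 6, 1)  # fixed date so the output is reproducible


@dataclass
class Risk:
    ref: str
    description: str
    impact: int
    likelihood: int
    owner: str
    treatment: str = "accept"
    controls: list = field(default_factory=list)  # e.g. Annex A references
    last_reviewed: Optional[date] = None
    status: str = "open"

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.ref}: impact and likelihood must be 1-5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ref}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


class RiskRegister:
    def __init__(self):
        self._risks = {}

    def add(self, risk: Risk) -> None:
        if risk.ref in self._risks:
            raise ValueError(f"duplicate risk reference {risk.ref}")
        self._risks[risk.ref] = risk

    def get(self, ref: str) -> Risk:
        return self._risks[ref]

    def prioritised(self) -> list:
        """Highest score first, so the biggest exposures get attention first."""
        return sorted(self._risks.values(), key=lambda r: r.score, reverse=True)

    def needs_review(self, today: date) -> list:
        """Risks never reviewed, or not reviewed within REVIEW_INTERVAL. Closed
        risks are included on purpose: the control that closed them may no
        longer be adequate."""
        return [r for r in self._risks.values()
                if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL]

    def inconsistent_acceptances(self) -> list:
        """Risks accepted above the acceptance criteria with no controls
        recorded; each needs either controls or a documented sign-off."""
        return [r for r in self._risks.values()
                if r.treatment == "accept" and r.score > ACCEPT_THRESHOLD and not r.controls]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for illustration only."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Malware infection of a user endpoint", 4, 3, "IT Manager",
                 "mitigate", ["A.8.7 Protection against malware"], date(2024, 3, 1)))
    reg.add(Risk("R2", "Phishing leading to credential theft", 5, 4, "CISO",
                 "mitigate", ["A.6.3 Awareness, education and training",
                              "A.8.5 Secure authentication"], date(2023, 1, 15)))
    reg.add(Risk("R3", "Loss of an unencrypted laptop", 4, 2, "IT Manager",
                 "mitigate", ["A.8.1 User endpoint devices"]))
    reg.add(Risk("R4", "Key supplier outage", 3, 3, "Operations Director",
                 "accept", [], date(2022, 11, 1), status="closed"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(f"{r.ref} score={r.score:>2} {r.treatment:<8} owner={r.owner}: {r.description}")
    print("due for review:", [r.ref for r in reg.needs_review(SAMPLE_TODAY)])
    print("accepted above criteria without controls:",
          [r.ref for r in reg.inconsistent_acceptances()])
```

    R4 is the case the article warns about: a risk that was closed and accepted in 2022, scores above the acceptance criteria, has no controls recorded against it, and has not been looked at since. A spreadsheet will happily hold that row for ever; a register that computes these two lists will not let you forget it.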

  • Implementing ISO 27001 - what to expect from the external audit

    So, previously, we looked at how to get started on your 27001 project and followed up with steps to follow when implementing iso 27001. We’ve glazed over some of the nuances around implementing particular controls and with good reason. Every business can implement controls differently. There is an extensive spectrum of what is considered ‘okay’ for 27001; however, it really is down to your business’s risk appetite as to how diligently you implement those controls. Let’s move on to understanding what the external audit process looks like when implementing iso 27001. All certification audits follow a standard format, and I’ll try to break down the expectations for you. The first thing to note is that there could be a significant lead time to book your audit, so make sure you plan ahead. Picking a company to audit your business is no different to choosing a supplier to provide any other service. Speak to a few of them and get a gut feeling of whether they are a good fit for your organisation. Some are more expensive than others, and some auditors tend to be more pragmatic. Get some quotes and ask for some lead times. Once you’ve picked your auditing company, they typically want to arrange dates for the first part of your audit. Certification audits are divided into two separate audits. The first is called Stage 1, and the second is Stage 2. So, what’s the difference? Stage 1 audits look at your ISMS readiness. The auditor will want to check that the ISMS you built meets all the standard's requirements stated in clauses 4-10. In my original blog, I recommended you purchase the standard, which is why. The standard states precisely what is required. The difficulty comes in interpreting the written words into something tangible that you can evidence. The auditor’s job is to tease out of you how you’ve gone about implementing each of those clauses and making sure it’s been understood correctly. 
In my experience, the majority of the audit time is spent understanding how you have managed risk. Which risks have you logged, and which controls have you decided to implement in order to build your statement of applicability? At this stage, there should not be much emphasis on how you have implemented the controls. The auditor should be more interested in how you have determined which controls are relevant. There does tend to be some scope creep here, and plenty of auditors will want to see examples of control implementation. Don’t be surprised if it happens, but as you’re well prepared, you can answer any questions they might have at this stage. What else will I have to evidence other than risk? Well, you will need to prove you have an effective internal audit plan; they will want to understand and see evidence of how you are managing non-conformance and continual improvement, as well as how you are monitoring the performance of your ISMS and completing the appropriate management reviews. That sounds difficult. What happens if I miss something? There are a few possibilities. Missing something significant can result in a termination of the audit. Honestly, I’ve never seen this, and if you’ve done enough due diligence prior, then it is pretty unlikely. The other scenario is you will receive a minor conformance or an improvement request at the end of the audit. You will then have some time to fix whatever the issue was prior to your stage 2 audit. Don’t be annoyed if you pick up some level of non-conformance. It happens; people are human, and small mistakes can happen. Just make sure it’s resolved prior to your stage 2. So, what happens in the stage 2 audit? This is where you get to show the auditor how you have implemented the controls in your Statement of Applicability. These are usually show-and-tell sessions where the auditor will ask you to explain how you did something and then ask you to demonstrate what you did. 
Evidence is key here. Do you have the signed contract for the new starter? A helpdesk ticket for setting up their new accounts that you can show the auditor? Some proof that they have read your policies? Can you provide evidence their laptop was built correctly, that is, has appropriate disk encryption and anti-virus deployed? These are all examples of what they might want to see. Remember, there are over 90 controls to choose from, and each one will need to be evidenced where possible.

What happens if I can’t evidence a specific control? Good question! Some controls are more challenging to evidence than others. If you have an incident response plan but have had no incidents, then you can’t have proof that the plan is followed. This is normal. You can’t fail for not being able to positively evidence something.

Your auditor will now spend a number of days collecting evidence. They have a few different findings they can capture against each control that you have marked as applicable:

Compliant – everything is implemented as described and is OK.

Opportunity for Improvement – it is possibly meeting the requirement, but adding some additional level of control may provide some benefit. The auditors have to be careful here, as they are not allowed to consult whilst conducting audits. You may also get some informal or ‘off the record’ advice. Take it positively and decide whether you want to implement any of those changes or not. You’re under no obligation to implement any opportunities for improvement.

A Minor Non-Conformance – the control didn’t quite hit the mark. Something was missed, or a step in a process wasn’t followed. There can be loads of reasons for picking these up. Some examples might be that your asset register was missing a device, or perhaps your supplier register was missing a supplier. Any minor non-conformance will need to be resolved and evidence sent to the certifying company prior to you being issued with a certificate.
A Major Non-Conformance – you missed something big. The wording in the standard is that there is a material breakdown in the ISMS. Some examples might be that no one has had any information security training; there is no asset register; none of the documents in your ISMS are version-controlled and changes are made to them without any appropriate procedure being followed; or perhaps you have not completed any management reviews. A major non-conformance may cause an auditor to end the audit, so it pays to make sure everything is in place when implementing ISO 27001, prior to a Stage 2 audit taking place.

Conclusion: Audits always feel scary. The fear of the unknown can be enough to put anyone off. Don’t let it, though. Most auditors are really friendly and will work with you so you can provide positive evidence. If you think that you want some assistance, we can help. That can either be sitting in the audits with you or working through a pre-audit scenario to give you the confidence that you have everything you need to sit the audit by yourself.

  • Simple Strategies for Achieving PCI-DSS Compliance

    Any organisation that processes card payments must comply with the Payment Card Industry Data Security Standard. Want more details on PCI-DSS? Read our intro here. It can be difficult to know where to start, so here is a brief guide to the steps to becoming compliant.

Understanding PCI-DSS

Before delving into the strategies, let's briefly understand what PCI-DSS entails. PCI-DSS is a set of security standards to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Developed by major credit card companies like Visa, Mastercard, and American Express, PCI-DSS consists of 12 high-level requirements, divided into numerous sub-requirements, covering network security, data protection, and vulnerability management.

Simple Strategies for Compliance

Know Your Scope: Understanding the scope of your cardholder data environment (CDE) is fundamental to PCI-DSS compliance. You need to identify all systems, processes, and people that interact with cardholder data. By clearly defining your CDE and mapping out the flow of card data throughout your organisation, you can focus your efforts and avoid any unnecessary complexity that might make achieving compliance more difficult and costly. Read our scoping guide here.

Conduct Regular Assessments: Regularly assess your systems and processes for compliance with PCI-DSS requirements. Conduct internal audits and vulnerability scans to identify and address any weaknesses promptly. These assessments help maintain compliance and enhance your overall security posture.

Secure Cardholder Data: Implement robust security measures to protect cardholder data throughout its lifecycle. This includes encryption of data both in transit and at rest, restricting access to cardholder data on a need-to-know basis, and ensuring secure storage and removal of any sensitive account information.
Implement Strong Access Controls: Limit access to cardholder data to only those who require it to perform their job responsibilities. Enforce strong authentication measures such as unique IDs, passwords, and two-factor authentication to prevent unauthorised access.

Maintain Secure Networks: Secure your network infrastructure by implementing firewalls, intrusion detection systems, and regular monitoring. Segment your network where necessary to isolate cardholder data from other, less sensitive systems, thus narrowing the scope required for compliance and reducing the risk of unauthorised access to card data.

Regularly Update and Patch Systems: Keep your systems and software up to date with the latest security patches and updates. Attackers often exploit vulnerabilities in outdated software to gain unauthorised access to systems and compromise data.

Educate Employees: Train your employees on security best practices and their roles and responsibilities in maintaining PCI-DSS compliance. Awareness programmes help foster a culture of security within the organisation and empower employees to identify and report potential security threats.

Implement Incident Response Plans: Develop and test incident response plans to respond effectively to security incidents and data breaches. A well-defined incident response plan can minimise the impact of breaches and facilitate swift recovery while ensuring compliance with regulatory requirements.

Engage with PCI-DSS Experts: If your organisation lacks the necessary experience or resources, consider seeking assistance from qualified PCI-DSS experts. They can provide guidance, conduct assessments, and help streamline compliance.

Stay Informed and Adapt: PCI-DSS is not a static standard; it evolves to address emerging threats and vulnerabilities over time. Monitor online resources to stay informed about updates and changes to the standard, and adapt your security measures accordingly to ensure ongoing compliance.
Conclusion

Achieving compliance with PCI-DSS may seem daunting, but by breaking it down into manageable steps and implementing simple yet effective strategies, businesses can successfully meet the standard's requirements while enhancing their overall security posture. Remember, compliance is not just a checkbox exercise but a continuous effort to safeguard sensitive financial data and maintain customers' trust. By prioritising security and adopting a proactive approach, businesses can confidently navigate the complexities of PCI-DSS compliance.

  • What is PCI-DSS?

    In today’s digital age, where online transactions have become an integral part of everyday life, ensuring the security of payment card data is critical for businesses. The Payment Card Industry Data Security Standard, or PCI-DSS, is a security standard designed to protect payment card data and prevent fraud. This article will examine what PCI-DSS is, why it is important, and how your business can achieve compliance with the standard.

PCI-DSS is a set of security standards established by the PCI Standards Council and major credit card companies like Visa and Mastercard. The primary goal of PCI-DSS is to secure payment card data and prevent unauthorised access, fraud, and data breaches. It applies to all organisations that store, process, or transmit cardholder data, regardless of size or the number of transactions they process.

The Importance of PCI-DSS

Ensuring compliance with PCI-DSS is essential for several reasons:

Protecting Cardholder Data: PCI-DSS helps businesses safeguard sensitive cardholder data, including credit card numbers, cardholder details and sensitive authentication data, from theft or unauthorised access.

Preventing Fraud: By implementing PCI-DSS controls and best practices, businesses can significantly reduce the risk of payment card fraud, protecting their customers and their reputation.

Maintaining Trust: Compliance with PCI-DSS demonstrates a commitment to security and trustworthiness, enhancing customers’ confidence in your business and encouraging them to continue transacting with you.

Avoiding Penalties: Non-compliance with PCI-DSS can result in severe consequences, including hefty fines, legal liabilities, and damage to reputation. Compliance helps businesses avoid these penalties and their associated costs.

Understanding the PCI-DSS Requirements

PCI-DSS consists of twelve high-level requirements, organised into six control objectives.
These requirements cover various aspects of security, from network security, access control and encryption to physical access controls, logging and monitoring, as well as documented organisational policies and procedures for handling sensitive card data. Here’s a brief overview of the PCI-DSS objectives:

Build and Maintain a Secure Network and Systems: This includes installing and maintaining firewalls and ensuring secure configurations are used on all system components that process or store card data.

Protect Account Data: Businesses must protect any stored cardholder data appropriately and use strong encryption during transmission over public networks.

Maintain a Vulnerability Management Program: This involves regularly updating and patching systems, conducting vulnerability scans, and addressing any vulnerabilities that are found. Systems should be protected with anti-malware, and software development must be done securely.

Implement Strong Access Control Measures: Cardholder data access should only be allowed for those in the business with a legitimate need to know. Each user should be identifiable with a unique ID, and their access should be regularly reviewed to ensure it’s appropriate. Physical access to card processing facilities should also be restricted and monitored.

Regularly Monitor and Test Networks: Continuous monitoring of network activity and security controls is essential to promptly detect and respond to security incidents. You should also conduct regular security testing, including penetration testing and wireless scanning, if appropriate.

Maintain an Information Security Policy: Establishing and maintaining a comprehensive security policy that addresses all aspects of PCI-DSS compliance is crucial. This includes educating employees about security best practices, implementing incident response procedures, and ensuring compliance with any applicable local laws and regulations.
About SAQs and Scoping

The majority of businesses will be able to self-assess their compliance with the standard using a Self-Assessment Questionnaire (SAQ). There are several of these, and the one you will need to complete depends on how you process and/or store cardholder data. For example, if you are an e-commerce business that completely outsources all card processing, you may only need to use SAQ A, and this will mean that many of the controls in the standard won’t apply to you. If you’re using your own internal systems to process payments and have a more complex setup, you may need SAQ D, which contains hundreds of questions and can take a significant amount of time and resources to complete.

When starting your compliance project, defining an accurate scope by identifying any card processing systems and their data flows is the critical first step, as this will help you determine which SAQ applies and reveal how much work you will need to do to become compliant. Look out for more in-depth information on scoping and SAQs in future articles.

Achieving PCI-DSS Compliance

Achieving and maintaining PCI-DSS compliance requires a concerted effort and ongoing commitment to security. Here are some steps businesses can take to achieve compliance:

Assess Your Current Security Posture: Start by conducting a thorough assessment of your current security practices and infrastructure to identify areas that need improvement to meet PCI-DSS requirements.

Implement Necessary Controls: Implement the security controls and measures outlined in the PCI-DSS requirements as they apply to your particular situation.

Train Your Employees: Educate your employees about PCI-DSS requirements and security best practices to ensure they understand their roles and responsibilities in maintaining compliance.

Regularly Monitor and Audit: Establish processes for ongoing monitoring, logging, and auditing of security controls to detect and respond to security incidents promptly.
Conduct regular internal and external security assessments to ensure compliance.

Stay Informed and Up-to-Date: Keep abreast of changes to the PCI-DSS standards and of evolving security threats and best practices. Continuously evaluate and update your security measures to adapt to new challenges and requirements.

Conclusion

PCI-DSS plays a critical role in ensuring payment card data security and preventing fraud in today’s digital landscape. Compliance with PCI-DSS is a fundamental aspect of maintaining trust with customers and protecting your business from financial and reputational harm. By understanding the requirements and implementing appropriate security controls and measures, you can enhance your business's security posture and mitigate the risk of data breaches and fraud.

  • Does a company need a risk register?

    Regulatory Requirements for Risk Management

Risk management is a common expectation of most governance and compliance systems, and I am a firm believer that it is the fundamental process in security management. If you understand the potential threats and vulnerabilities that can affect your business, you can be proactive in your defence. A great example of this is a General Data Protection Regulation (GDPR) Data Privacy Impact Assessment, which is a risk assessment by any other name: a review of potential risks that could impact the privacy of future data processing operations.

So officially, although there will be some companies that don’t need one, the vast majority of companies would need a risk register of some kind for compliance. I recommend you have one regardless; the complexity of said register is up to you. A risk register can be used in several places, most commonly as a general risk register and as independent project registers.

Benefits of Having a Formal Risk Register

As part of documenting your risks, you also document your remediation activities and long-term monitoring. Risks rarely stop being risks, so having good monitoring to validate that your controls are working, and knowing how you previously remediated them, means that if they do re-occur you have a good record of your approach to remedying them last time. Risk metrics are also good indicators of your overall security posture, as you should document risks regardless of whether you think you have mitigated them or not when you start the process; most businesses will have common risks, such as virus infection, that form a great starting point.

Risks of Not Implementing a Risk Register

The biggest problem with not implementing a risk register and an overall risk management process is that it removes the ability to truly focus on your key vulnerabilities. I have witnessed numerous organisations spending significant sums on the wrong things on the strength of a vendor's sales pitch.
Risk Assessment Process

Along with your risk register, you will need a robust risk assessment process to ensure consistency in your approach to managing risk. Learn more about risk management and assessments from our other articles about risk: What is Risk Management? and What is the difference between a risk assessment and a Risk Register?

Need a risk register? Download a simple usable example here.

  • What is the difference between a risk assessment and a Risk Register?

    A risk assessment is the process of identifying, scoring and treating risks; a risk register is where you record the assessment. The assessment method should be a repeatable process that allows you to score risks with consistency, allowing your defined acceptance criteria to be used to make decisions on how to treat risks. The register should log the key information garnered from the process to help make decisions.

Understanding Risk Assessment: Process and Objectives

To make your risk assessment effective, your process is key. The approach should be well defined to ensure consistent results; this makes prioritising identified risks easier for the business and ensures that the response is appropriate.

Quantitative or Qualitative

As part of your analysis, you will use a quantitative or qualitative scoring system. Quantitative scoring should be used where possible, but unfortunately it is difficult to apply because of the exactness it demands: quantitative scoring uses numbers to define the actual value of risk. A simple example is an e-commerce platform that can be valued operationally by how much revenue it generates. Qualitative scoring, on the other hand, is more of a finger-in-the-air type measurement, and this makes it more important to make at least one person chief finger-in-the-air holder to maintain consistency.

The Process

These are the key steps in a risk assessment.

Identification of Risks: Risks can come from internal and external elements and are often identified through risk workshops, events, and incidents, as well as by looking at the ever-changing landscape.

Risk Analysis: Once identified, risks need to be assessed for their likelihood and potential impact on the business; this will most likely use qualitative scoring, depending on available data.

Risk Evaluation: Once analysed, you can start to prioritise risks based on their risk level, allowing you to focus on highly impactful and highly likely risks first.
Risk Treatment: Now that you have evaluated your risks and determined their level, appropriate risk treatment measures are identified and implemented to mitigate or manage them effectively. This may include risk avoidance, risk transfer, risk reduction, or risk acceptance, depending on the organisation's risk appetite and available resources.

Monitoring and Review: Finally, the risk assessment process is an ongoing activity that requires regular monitoring and review. Risks should be reassessed periodically to ensure that mitigation measures remain effective and to identify any new or emerging risks that may require attention.

Getting Risk Assessments Right

These are the 5 key things I would do to ensure that you get the best value out of your risk assessment process.

Define your assets: What are you trying to protect?

Define stakeholders (risk owners): Involve the key people who can make decisions about risk mitigation.

Create a risk team or key risk person: Depending on the size of your business, have a consistent person or team to manage the risk register and risk assessment process, as this creates consistency.

Review often: While risks are open, you should be checking in as often as is sensible. Monthly is a good baseline, but if something is going to take 6-12 months (or longer), you may want to review quarterly and shorten the interval as the deadline gets closer.

Keep it simple: When you first start your risk journey, you want to make the process as simple as possible while still being effective; it doesn't need to be complex to bring value.

Need a risk register? Download a simple usable pre-populated one here.

  • Implementing ISO 27001? Make sure to follow these steps

    Following up on my previous blog, once you have created your statement of applicability, it’s time to start thinking about implementing changes to your business. Manage this in much the same way as you would any other project.

Create an Implementation Plan: Developing a comprehensive implementation plan is crucial for the successful implementation of ISO 27001. Start by outlining the specific tasks required to achieve compliance, such as conducting gap assessments, drafting policies and procedures, and implementing technical controls. Assign clear responsibilities to team members and set realistic timelines for each phase of the implementation process. Consider allocating adequate resources, both human and financial, to support the implementation effort effectively. Additionally, ensure that the implementation plan is flexible enough to accommodate any unforeseen challenges or changes in priorities that may arise during the process. People will be off sick, controls will be misunderstood, and people will have questions about how specific controls might need to be implemented.

Establish Information Security Policies: Information security policies are the foundation of your organisation’s ISO 27001 compliance efforts. These policies should reflect the organisation’s commitment to protecting sensitive information assets and outline clear guidelines for employees to follow. Take the time to tailor these policies to your business’s specific needs and risk profile, ensuring they address key areas such as data classification, access control, incident response, and employee responsibilities. Consider involving key stakeholders from across the organisation in policy development to ensure buy-in and alignment with business objectives. Don’t make them a thousand pages long; most importantly, ensure they say what you intend to do, not how you intend to do it.
Define Roles and Responsibilities: Clearly defining the team’s roles and responsibilities is essential for ensuring accountability during an ISO 27001 implementation. Identify individuals or teams responsible for leading different aspects of the implementation effort, such as project management, policy development, risk assessment, and technical implementation. Clearly communicate these roles and responsibilities to all relevant stakeholders and provide them with the authority and resources to effectively fulfil their duties. Regularly review and update these roles and responsibilities as needed to reflect changes in the implementation process or organisational structure.

Implement Controls: Implementing controls identified in the Statement of Applicability (SoA) is a critical step towards mitigating identified risks and achieving ISO 27001 compliance. This involves deploying a combination of technical, administrative, and physical controls to protect information assets. Examples of controls include access control mechanisms, encryption protocols, security awareness training programs, and incident response procedures. Consider leveraging industry best practices and guidance from ISO 27002 when selecting and implementing controls relevant to your organisation’s risk profile. Do not implement 27002 verbatim, though. It is meant as guidance only, and a lot of the examples provided will not make sense to implement in your specific business.

Document Procedures and Processes: Documentation plays a central role in ISO 27001 compliance by providing a clear and comprehensive record of the organisation’s information security policies, procedures, and processes. Document all procedures and processes related to information security management, including policies, operational procedures, work instructions, and other relevant documents. Ensure that these documents are regularly reviewed, updated, and communicated to all relevant stakeholders.
Training and Awareness: Training and awareness programs are essential for ensuring that employees understand their roles and responsibilities in maintaining information security and complying with ISO 27001 requirements. Develop and deliver comprehensive training sessions that cover key topics such as security policies, procedures, best practices, and regulatory requirements. Consider leveraging a variety of training methods, including online courses, workshops, and interactive simulations, that cater to different learning styles and preferences. Additionally, you should promote a culture of security awareness by regularly communicating updates, reminders, and success stories related to information security within the organisation. Remember, this is YOUR training plan, though. Smaller organisations may need less training, and that is fine. There is never a requirement to buy a training tool, so don’t get sucked into purchasing one unless you’re confident it will add some value.

Monitor and Measure Performance: Establishing mechanisms for monitoring, measuring, and evaluating the effectiveness of implemented controls and processes is critical for maintaining ISO 27001 compliance over time. Implement regular internal audits, risk assessments, and performance reviews to identify any gaps or areas for improvement in the organisation’s information security management system (ISMS). Track key performance indicators (KPIs) such as incident response times, compliance rates, and training completion rates to gauge the effectiveness of implemented controls and processes. Use these insights to make data-driven decisions and continuously improve the ISMS to address emerging threats and evolving business requirements.

Management Review: Conducting regular management reviews is essential for ensuring that the ISMS remains aligned with the organisation’s strategic objectives and business priorities.
Schedule periodic meetings with senior management to review the performance and effectiveness of the ISMS, identify areas for improvement, and make informed decisions about resource allocation and prioritisation. Ensure that management reviews are conducted in a structured and systematic manner, with clear agendas, objectives, and action items. Encourage open and transparent communication between all stakeholders to facilitate collaboration and decision-making. The members of your management review team should have been discussed when you looked at roles and responsibilities earlier.

Continual Improvement: Continual improvement is at the heart of ISO 27001 and involves actively seeking out opportunities to enhance the effectiveness and efficiency of the ISMS over time. Foster a culture of continual improvement by encouraging feedback, innovation, and collaboration among all stakeholders. Regularly review and update policies, procedures, and controls to reflect changes in technology, regulations, and business requirements. Encourage employees to report security incidents, near misses, and suggestions for improvement, and establish mechanisms for capturing, prioritising, and addressing these inputs in a timely manner.

Now you’re about there. It’s time to look at assessment. The next blog, which is all about assessment, will go live next week.
