What is an Information security standard?
A description of security best practice: the required level of activity/coverage, plus a framework for documenting and auditing it.
Why are standards important for ISM (information security management)? Give 4 points
Help implement policy
Improve governance
Improve compliance
Improve security
What is PCI-DSS and what does it cover?
Payment Card Industry Data Security Standard. Covers the security of cardholder data for any organisation that stores, processes or transmits it, i.e. operating payment systems (including online) and handling digital card payments.
How does PCI-DSS operate? (6 goals)
Secure Network (Firewalls, No defaults).
Protect Data (Stored data protection, Encryption in transit).
Vulnerability Management (Anti-virus, Secure systems).
Access Control (Need-to-know, Authentication, Physical access).
Monitor & Test (Track access, Regular tests).
Policy (Maintain info sec policy)
What are the strengths of PCI-DSS?
Improved reputation for online shopping
Reduced fraud rates
Encouraged merchants with poor security to take it seriously
Not a significant burden for merchants who already had good security
What are the weaknesses of PCI-DSS?
Can be expensive
Encourages a box-ticking approach rather than real security
Shifts blame to merchants, hiding weaknesses of payment mechanisms
Focuses on technology/payments rather than holistic system security
How can outsourcing be used to implement PCI-DSS?
Hosting: transfers secure network compliance to the hosting provider.
Payment function: transfers compliance for secure network, data protection, access control and monitoring to the payment provider (card data never touches the merchant's systems).
Caveat: outsourcing reduces the merchant's scope, not its responsibility; the merchant must still verify that the provider is itself PCI-DSS compliant and document which requirements each party covers.
What is Cyber Essentials and what does it cover?
A UK government-backed scheme that helps organisations implement a basic level of protection against cyber attacks. Covers the basics needed to protect against unskilled internet-based attackers using commodity tools.
How does Cyber Essentials operate? (5 controls)
Boundary firewalls and internet gateways
Secure configuration
Access control
Malware protection
Patch management
What are the strengths of Cyber Essentials?
Affordable
Solves simple issues
Demonstrates to customers that the organisation takes cyber security seriously
Available at two levels
How is Cyber Essentials implemented?
Basic: an independently verified self-assessment, where the organisation assesses itself against the 5 controls and a certification body checks the answers.
Plus: a qualified independent assessor examines the controls and tests that they actually work, e.g. vulnerability scans and simulated attacks against the organisation's systems.