eircom
IT Perspective Issue 4 Spring 2009
Solutions in action - ICT security
As our lead story this issue outlines, there are multiple benefits to achieving a recognised standard for information security management, business continuity preparedness, or payment card data security (PCI DSS). But the benefits don't accrue automatically. A significant factor is the expertise of your consulting and implementation partner.
eircom is the only Irish ICT solutions partner able to offer a full end-to-end service for helping you achieve standards like ISO 27001, PCI DSS, or the business continuity standard BS 25999, thanks to our four-part programme:
- Discovery: our specialists engage with your senior team members, including the CIO, head of risk, head of internal audit and CFO, interviewing them to establish the maximum level of risk the business is prepared to accept. With your written authorisation we conduct a security audit, including an agreed penetration test (a sanctioned 'hack') of your infrastructure, to identify where gaps exist versus the standard you want to achieve.
- Remediation: we make detailed technical recommendations on how the gaps can be closed. Importantly, our recommendations are informed by a clear understanding both of your business (operations, priorities, appetite for risk, budget) and of the available technologies: a known risk can usually be addressed in several ways, including a true fix of the underlying weakness as well as compensating controls where a fix is not practical. For PCI DSS, our recommendations typically centre on small infrastructure changes that secure cardholder data flows by segmenting them from other network traffic, which also narrows the scope of the environment that has to be assessed.
- Programme-managed implementation: we oversee the rollout of the new systems and infrastructure changes that bring you up to standard, including guiding you through assessment by a Qualified Security Assessor (QSA).
- Ongoing advisory services: organisations above a certain threshold of card transactions must validate PCI DSS compliance through quarterly external vulnerability scans and an annual assessment. Our ongoing advisory service includes a pre-audit check that prepares you for these assessments, and also informs you of changes to the standards that may affect you. For example, PCI DSS is multilevel, with lighter validation requirements on merchants who process a smaller volume of transactions. But the latest version of the standard includes a significant change: from September 2009, debit card transactions will be included in the calculation of a merchant's compliance level. This will mean more stringent requirements for retailers who had previously fallen below the level one threshold.
The big four of assessing IT security risk
Whatever standardisation programme you pursue, keep these four cornerstones in mind as you move ahead:
- Strategy: don't begin without setting your high-level goals for IT and business risk management. How will your organisation be strengthened when these risks are better managed? How do you want staff and suppliers to behave under the new regime?
- Operations: ensure that you are able to carry through on your commitment to monitor and manage IT risks and resources. An efficient IT delivery model is essential here. A managed-services ICT delivery model, including datacentre-based server and application hosting, can lower IT delivery costs, strengthen security management capability and reduce the cost of compliance.
- Reporting: stay on top of IT security risk with proactive reporting, analysis of those reports, and swift action on the key gaps they uncover.
- Measuring compliance: security standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the information security management standard ISO 27001 must be maintained after they are achieved. Regular reviews are required to verify ongoing compliance. A rationalised, modern IT infrastructure keeps the burden of measuring compliance on your organisation as low as possible.
Whichever partner you choose to bring you up to standard and keep you there, do your homework to satisfy yourself of their expertise on both the technology side and the business side. Their experience will help determine how successfully you bridge the old organisational gaps and translate strategic objectives into technology solutions that manage business risk.