What is an Incident Response Plan?
Information security breaches can and do happen, even to the best-prepared organisations. Every year, companies that have demonstrated ongoing PCI DSS compliance still fall victim to a breach, because in the contest over card data security the attacker always has the element of surprise.
Most can imagine a scenario that would compromise their security: a serious fire destroying the whole office function, a rogue employee exposing customer data, a terrorist or criminal hacking their systems. With a war fought on so many fronts, however, it is impossible to defend against every attack. An organisation locked down to that degree would also be unusable to its own staff and customers, and therefore not in the business of doing business.
In this war of attrition, some attacks will get through. And the repercussions could be disastrous if there is a long delay in getting the business back on its feet. But the aftermath need not be catastrophic. Recovery can be accelerated to restore normal trading in the shortest possible time frame. That is where a robust Incident Response Plan comes in. Not only does it go a long way toward anticipating and avoiding potential disasters but if an organisation is compromised, it will mitigate the damage and accelerate the road to revenue and reputational recovery.
PCI DSS Requirement 12.10 states that entities must “be prepared to respond immediately to a system breach.” The guidance notes go on to state that such a plan should be “thorough, properly disseminated, read, and understood by the parties responsible”, and Requirement 12.10.2 calls for the plan to be reviewed and tested at least annually, so that the process is shown to work as designed and any missed key steps are caught before a real incident exposes them.
In reality, while all PCI DSS compliant organisations have a degree of incident response capability, in some cases this is simply a box ticking exercise. Few have an adequate Incident Response plan which fully outlines the process for recovery in any number of situations and provides a framework for rapid restoration.
Planning is the key to an effective strategy. It is also important to consider bringing in professional expert support at this stage to assist in developing and maintaining an Incident Response plan that not only ticks the boxes but actually delivers in the event of a breach. If a breach does occur, having already engaged professional support means that expert investigators with an intimate knowledge of your organisation are on standby. They will ensure the breach is stemmed, cardholder data is secured and revenue-generating activities suffer minimal impact. The cost of professional input must be seen as cost effective in the context of restoring business function.
Hot water and PCI compliance
There are a lot of online registers for reputable tradesmen. Many of these provide contact details for reliable plumbers in any given area, together with ratings and personal recommendations. In theory, you need look no further: your job will be completed to your entire satisfaction. On time. And in budget.
Yet, in reality, most of us know that there is still a measure of personal responsibility required to check whether the credentials are genuine and the glowing testimonials are accurate. Because if one small element of a plumbing job is overlooked, it is our shower that runs cold, not the tradesman’s. In the end, you can outsource any job but, if even a small part of it goes wrong, you are the one that ends up in hot (or cold) water.
So, when Visa makes claims for its Global Registry of Service Providers, it is worth applying the same critical faculties. That is not to cast any aspersions on the integrity of the list because it is an extremely valuable tool. But the sole responsibility for an organisation’s payment card security lies with that organisation; not with a third party which operates behind the scenes.
PCI Requirement 12.8 states that businesses must ‘maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.’
They are also obliged to keep a list of all the service providers that fall under this banner (Requirement 12.8.1) and to have a program to monitor these third parties’ PCI DSS compliance status at least annually (Requirement 12.8.4). Checking the Visa list is one way of doing that. But your organisation’s security measures must go much deeper, and be more personal, than this. It is advisable to have a nominated person within the business who manages PCI compliance and also maintains the policy for engagement with third parties, including due diligence checks, for example.
Having a checklist of what is required is also very important. If you are going to outsource some of the security functions to a third party, you will need to check that no elements of your security management framework have fallen through the cracks. For instance, if you outsource physical destruction of paper media that contains sensitive information (such as card numbers and order data), the third party must be able to demonstrate that, even if they are registered on the Visa (or any other) list for some of their operations, they have been assessed against the elements of the PCI standard that deal specifically with physical security and data destruction. A listing alone does not tell you which requirements the assessment covered; ask for the provider’s Attestation of Compliance and confirm that the service you are buying is within its scope.
This method, often referred to as a Third Party Compliance Matrix, is a neat way of mapping out every requirement, recording who is responsible for each one, and ensuring that total coverage is achieved across your own business and the various third parties that you use.
Ultimately, you can outsource virtually every aspect of your payment card management apart from the actual responsibility for securely managing your environment. Risk transfer is all about making sure you understand the contractual relationship and the obligations of your third-party suppliers. This responsibility lies with you and only you. If something goes wrong, it is you that will end up in hot water, rather than the fairly anonymous third party behind the scenes. Which brings us back to the dodgy plumbing and the cold shower.