Monthly Archive February 2017

The flaw in the plan: business continuity management

When is a plan not a plan? When it is an out-of-date plan. The latest research from the industry-respected Ponemon Institute reveals that 26 per cent of IT and IT security professionals from UK companies have some sort of cyber resilience plan, but that 49 per cent of these have either not reviewed or not updated it since it was first put in place.

In a world where the sophistication and determination of malicious attackers is on the increase, this is concerning, because it effectively means that nearly half of those who have actually made a concerted attempt to develop cyber resilience are not maintaining these defences. So, when even those who have put in place a strategic plan are failing to update it, where does this leave UK organisations and businesses? Well, at the very least, it puts those with an up-to-date, regularly reviewed plan at a sound competitive advantage.

Research shows that a Business Continuity Management (BCM) plan, applied consistently across the entire enterprise with senior management’s support makes a significant difference in the ability to achieve high level cyber resilience, thus protecting financial and reputational assets. Made up of the Business Continuity Plan (BCP), Disaster Recovery (DR) plan and Business Impact Assessment (BIA), the BCM process identifies risks, threats and vulnerabilities that could impact an entity’s continued operations in the face of potentially damaging attacks. An effective BCM plan provides a framework for building organisational resilience and the capability for an effective response; but it also goes further than that.

An overarching strategic plan also sets out how the individual BCM strategies will be delivered into the future. This includes the assigning of responsibilities, the establishment and implementation of BCM within the organisation and its ongoing management. Properly executed, this not only builds in a level of business resilience but also the capacity to continue to adapt quickly to disruptions, maintain continuous business operations and safeguard people, processes and technology into the future.

Planning is the key to an effective strategy, as is exercising the plan to ensure that it is effective and continues to support the business appropriately. It is worth considering bringing in professional expert support at this stage to assist in developing and maintaining an ongoing BCM plan that not only ticks the boxes but actually has a scheduled updating process, delivering optimum results in the event of a breach. Professional input is cost effective in the context of restoring business function.

To find out more visit Business Continuity Management

GDPR: the impatient tiger

General Data Protection Regulation (GDPR) is an impatient tiger. That is, it has many more teeth and much less patience than its predecessor, the comparative kitten that is the Data Protection Act. As the GDPR becomes effective in May 2018, in theory, most organisational boards, regardless of their sector and size, should therefore have considered the implications of its enactment and their level of exposure by now. But this is by no means the general picture; and failure to understand the implications of the ruling risks a thorough mauling from this tetchy big cat.

This is because of the explicit inclusion of an accountability requirement which signals a very clear intent that this ruling will be enforced. GDPR will also require us all to be able to show that we comply with the principles of the regulation. The implications here are not insignificant.

GDPR gives Data Subjects – that’s us – significant rights to demand how our data is managed (including a right to be forgotten). It imposes mandatory high tempo reporting of breaches and it also carries punchy fines for those organisations who fail to fulfil their obligations. These can be up to £20m or 4% of global turnover.

The risks to business are exacerbated by the fact that GDPR finds us in a dramatically more complex information environment than its predecessor. It is often said that the amount of data in the world doubles every two years. In addition to this, compromise tools are more accessible and the illicit market for personal information is booming. Meanwhile, and very significantly, society expects much more from data Controllers and Processors, Chief Information Security Officers (CISOs) and Information Security Managers (ISMs).

Curiously, it appears that it is not just micro businesses that have underestimated GDPR; it has also been overlooked by a number of organisations which one would expect to have thought very carefully about it indeed. GDPR will have different implications for different organisations, but regardless of what we do, how big we are or what sector we operate in, we all need to know some key facts about our data. We must know precisely what personal data is held, where it is and what plans are in place to access it. We also need to manage it correctly and ensure we provide the appropriate protection.

If you can honestly say you are confident that you have achieved that, then well done you. If not, then now is the time to act. This is a board level challenge, and if we evade our responsibilities, it is a pretty sure thing that we will be found out!

If you need help, our Virtual CISO service (VirtualCISO™) has been developed to provide a cost effective bespoke portfolio of professional services supporting, resourcing and advising on all practical and strategic aspects of Information Security including GDPR compliance. We can provide the support you need to help you seize the initiative and keep your house in order.

Do not wait until it’s too late – engage a PFI company now!

‘Do not wait until it’s too late – engage a PFI company now!’ That is the advice given by Jeremy King, International Director, PCI Security Standards Council, in his closing speech at last week’s PCI London event. He’s right of course. Too many organisations wait until there is a crisis – a potentially crippling breach of their card data security – before they make their first contact with a Payment Card Industry Forensic Investigator (PFI).

It could be compared to a fire. If a sound working partnership has been developed with a fire officer then all reasonable preventative measures will have been taken. The chances of a fire being established and taking hold are minimised. Yet even the most robust preventative strategies cannot eliminate an unforeseen event and no matter how many potential fires are avoided, it only takes one wilful arsonist or one electrical fault to wreak chaos.

Even in the event of such a catastrophe, having a trusted relationship with an expert professional is still hugely beneficial. Here the analogy to a fire becomes a bit shaky, but imagine if a fire is taking hold and there is someone who not only understands how to put the fire out, but also knows where all your valuables are kept, who is particularly vulnerable and also has the capability to deploy the fire fighters immediately, thereby reducing its impact. That is what a PFI does when it comes to managing data breaches.

The fact is that breaches can and do occur, even to those with full PCI DSS compliance and strong defences. If a business is identified as the ‘common point of purchase’ for a breach then a PFI forensic investigation is a regulatory requirement of the card brands. But a trusted and engaged PFI company will already have an intimate knowledge of that company, its systems and key personnel, ensuring that fraudulent activity is stopped and remedial action taken in the shortest possible time frame. This will save time and money, while also protecting the company’s reputation.

It is not all about crises, however. It is important to note that PFI companies have a much wider scope of expertise than simply conducting forensic investigations. They can help to manage and drive all aspects of a company’s online security, providing a holistic approach to the whole range of issues from data storage to Incident Response Planning. Crucially, they will also provide the expertise to provide a robust defence without compromising the ability of the business to trade.

SRM is one of only 22 companies worldwide accredited by the Payment Card Industry to investigate breaches of credit card data. It has the largest experienced PFI team in Europe which includes a large number of qualified PCI PFIs. Our expertise goes beyond PFI, to include all aspects of information security management and the implementation of PCI DSS.

Changes to the Issuer Identification Number (IIN) standard

The numbers on payment cards are going to become longer. This is because of changes which are being made to the international standard (ISO/IEC 7812) under which Issuer Identification Numbers (IINs) are issued. The changes have come about because of the increasingly dwindling number of IINs that remain open for registration.

IINs currently appear as the first six digits on payment cards. The leading digit is the major industry identifier (MII), followed by five digits, which together make up the IIN. But due to an increasing demand for these unique identifying numbers, the International Organization for Standardization (ISO) is expected to publish revised standards which will change IINs from six to eight digits. The overall Primary Account Number (PAN), which is generally understood to reflect the IIN plus the unique number assigned to an individual or company, may consequently increase in length to reflect this change.

Visa announced in July 2015, after stakeholder consultation within the industry, that it expected to continue to support a PAN length of 16 digits. A change that seems as minor as this turns out to have significant ramifications for any entity that accepts payment cards, because applications are generally designed to expect card numbers of certain lengths, depending on the card issuer. Changing these values would require updated software in all devices or systems that accept a payment card – no small task.

So what about the security implications of this change? If the IIN is increased to 8 digits and the PAN remains 16 digits, the unique value assigned to the card has in effect been reduced from 10 to 8 digits. Does this pose a potential security weakness to card numbers? This point has not been missed by the industry and discussions are afoot to try and counteract this change.

The draft of the revised standard has been approved by ISO members and is due to be published in early 2017. Businesses and organisations which require IINs should be aware of these imminent changes and should begin a process of planning and analysis to identify any potential system and process impacts. At the moment it is all conjecture, but it seems likely that something will have to change at a standard level before vendors start to make updates to their software and merchants start rolling these changes out.

The main points of the revised version of the ISO/IEC 7812 standard are:

  • The Registration Authority (RA) will start assigning eight-digit IINs to any institution applying for a single IIN or block of IINs.
  • Issuers with eight-digit IINs will be required to issue a minimum PAN length of ten digits. The maximum will continue to be 19 digits in length (with Visa supporting the current standard of 16).
  • Existing six-digit IINs will be converted into a block of a hundred eight-digit IINs. As the majority of issuers are unlikely to need all one hundred of these, they are encouraged to return any unused eight-digit IINs to the RA.
  • Any ISO/IEC standards referencing ISO/IEC 7812-1 should be reviewed for potential impacts.

All users of ISO/IEC 7812-1 are strongly advised to begin planning and analysis to identify any potential system and process impacts associated with their plans to adopt the new standard.

The security implications of the extended IIN lie in the detail. Visa are currently undertaking systems analysis and development, which they expect to be complete by 2019, three years ahead of the proposed change. Currently the PCI standard is only built to accommodate the masking of a sixteen-digit card number so that at most the first six and last four digits are displayed. The PCI council may have to look at changing the standard to accommodate the new field length without altering the security posture of the masking.
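The following worked example is added here to illustrate the two points above (the PAN split into MII, IIN, account identifier and check digit under a six- and an eight-digit IIN, and what the PCI DSS "first six, last four" display masking leaves hidden in each case). It is not code from the SRM post, Visa or the PCI council; the field names, the `split_pan`/`mask_pan` helpers and the sample PAN (the widely used 4111 1111 1111 1111 test value, not a real card) are this example's own.

```python
"""Added example: PAN field layout under 6- and 8-digit IINs, Luhn check
digit handling, and the effect of display masking on a 16-digit PAN.
All sample numbers are constructed test values."""

# Constructed test PAN (a standard Luhn-valid test number, not a real card).
SAMPLE_PAN = "4111111111111111"

MAX_PAN_LEN = 19  # ISO/IEC 7812 maximum PAN length quoted in the post


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the trailing check digit that makes `partial` Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial PAN must be all digits")


def split_pan(pan: str, iin_len: int = 6) -> dict:
    """Split a PAN into its ISO/IEC 7812 fields for a given IIN length.

    'unique_digits' is the count the post quotes (10 for a 16-digit PAN
    with a 6-digit IIN, 8 with an 8-digit IIN); it includes the check digit.
    The length rule (room for IIN + one account digit + check digit, at
    most 19 digits) is this example's own sanity check, not the standard's.
    """
    if not pan.isdigit() or not (iin_len + 2 <= len(pan) <= MAX_PAN_LEN):
        raise ValueError("PAN must be digits, <= 19 long, with room for IIN, "
                         "account identifier and check digit")
    if not luhn_valid(pan):
        raise ValueError("PAN fails the Luhn check")
    return {
        "mii": pan[0],                    # major industry identifier
        "iin": pan[:iin_len],             # issuer identification number
        "account_id": pan[iin_len:-1],    # individual account identifier
        "check_digit": pan[-1],           # Luhn check digit
        "unique_digits": len(pan) - iin_len,
    }


def mask_pan(pan: str, lead: int = 6, trail: int = 4, fill: str = "*") -> str:
    """Mask a PAN for display, keeping `lead` leading and `trail` trailing
    digits (PCI DSS display masking permits at most first six / last four)."""
    if lead + trail >= len(pan):
        raise ValueError("lead + trail must leave at least one digit to mask")
    return pan[:lead] + fill * (len(pan) - lead - trail) + pan[-trail:]


def masked_digit_count(pan_len: int, lead: int = 6, trail: int = 4) -> int:
    """Number of digits hidden by a lead/trail masking rule."""
    return pan_len - lead - trail


if __name__ == "__main__":
    # Same PAN, two IIN lengths: the account identifier shrinks by two digits.
    for n in (6, 8):
        print(f"IIN length {n}: {split_pan(SAMPLE_PAN, n)}")
    # Current rule (first six / last four) vs a rule widened to show a full
    # eight-digit IIN: hidden digits in a 16-digit PAN drop from 6 to 4.
    print(mask_pan(SAMPLE_PAN), masked_digit_count(16, 6, 4))
    print(mask_pan(SAMPLE_PAN, lead=8), masked_digit_count(16, 8, 4))
```

Run as a script it prints the field split for both IIN lengths and the two masked forms. The comparison makes the post's concern concrete: if display logic were simply widened to show the whole eight-digit IIN while the PAN stays at 16 digits, only four digits (one of them the Luhn check digit) would remain hidden, which is why the masking rule needs revisiting alongside the field length rather than being stretched to fit it.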

Information Security Consultant, SRM’s Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

SRM Blog