The UK Cyber Security Strategy – Update
The latest document published by the Cabinet Office in relation to the UK Cyber Security Strategy provides an update of progress throughout 2014, and the plans moving forward in 2015.
Part of the plans involve Government and industry working together in a joint Cyber Growth Partnership (CGP) to drive innovation and growth in the UK cyber security sector, including helping to establish regional Cyber Security Business “Clusters”.
SRM are responsible for initiating and progressing the Cyber Security Business Cluster in the North East of England.
There are now 14 such clusters established or soon to be launched across the UK. These clusters support and champion smaller UK cyber security companies domestically and internationally.
Trustwave Sued Over Target Breach
There may be some alarm in the world of PCI QSA companies at the news that Trustwave Inc. (arguably the largest QSA company in the world, and sponsor of many PCI Security Standards Council events) is being sued by banks in the USA for alleged negligence in respect of the Target payment card breach.
A number of factors come into play here, not least the question of whether, if the banks' action succeeds, Target itself (the breached company) will also seek damages from the auditor contracted to verify its compliance status.
As PCI consultants, QSA companies are often viewed by clients as doom merchants, identifying vulnerabilities that are sometimes costly to remediate. Such vulnerabilities are not always given high priority by the (non-IT) lead directors and managers of such organisations, even where the cost of eliminating the vulnerability may come down to nothing more than changing routine business processes and culture.
As PCI auditors, QSA companies have to be able to work with clients to help them reach the most appropriate level of compliance possible, and at the same time be able to defend their audit process and reports if and when a breach occurs. Failure to assess effectively, or negligence in the assessment process, will always raise the risk of subsequent "breach of contract" action. I believe that knowingly failing to facilitate or enable client compliance is now likely to expose QSA companies to compensatory claims from the card brands and the banks.
Whatever your view, the PCI landscape has changed.
UK Information Commissioner's Office has views about Cloud Computing Solutions
The UK’s data protection watchdog has reminded companies of their responsibilities to safeguard confidential details in the cloud.
According to the Information Commissioner's Office (ICO), firms should ensure that they safeguard personal data held using cloud computing solutions, and the organisation has published new guidelines to ensure compliance when records pass to cloud service providers.
With the increasing adoption of cloud computing tools, the ICO noted that the cloud offers flexible and scalable options to expand the capabilities of businesses of all kinds, but pointed out that some organizations are not aware that they are still responsible for data when it is stored in the cloud.
Simon Rice, Technology Policy Advisor, cautioned: “Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”
A survey for the ICO by YouGov revealed that 46 per cent of UK adult internet users using cloud storage have reservations about the security of their information.
Neelie Kroes, European Commission Vice-President Responsible for the Digital Agenda, recently revealed in a press conference on cloud strategy across the region that the EU is planning to draw up international standards relating to data protection in the field.
According to the official, planned regulations and reforms for the market include establishing a global privacy standard for the cloud, creating a system for fair and safe cloud contracts and harnessing the buying power of the public sector.
She explained: “Cloud computing could offer a huge lift to the European economy. But only if users can understand and trust it.”
The EU executive predicts that the cloud could add more than £1 trillion to the region's gross domestic product by 2020, with millions of extra jobs created.
Whatever the economic forecasts, the customer remains responsible for the personal data it places with a provider. To assist cloud customers in assessing the security a provider actually offers, I recommend relying on industry-recognised standards and publications rather than on the provider's own assurances; this is essential.
More about the legal issues concerned with cloud computing can be found in an introductory book available from our website www.srm-solutions.com
Global Payments breach
Alarm bells have been ringing, and the share price dropping, at Global Payments Inc. with the news that they have been removed from Visa's register of PCI DSS compliant service providers following an identified breach of credit card data.
Bad news indeed for Global Payments, and perhaps a certain amount of alarm within the company responsible for independently auditing its PCI compliance status. A Report on Compliance records the state of an environment at the time of the assessment, not afterwards. This is the nightmare scenario that every auditing company faces: a client who is compliant today but tomorrow implements a change, or fails to upgrade or apply a patch, without abiding by basic security rules.
It is another persuasive reason for auditor and client to work in partnership to increase security, and thereby facilitate compliance.