May 2019 - URM
  • Tips from URM – PCI DSS | What are the requirements for protecting CHD and SAD?

    In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and sensitive authentication data (SAD) in particular. A bit of a recap first. The PCI DSS is an information security standard for organisations that store, process and/or transmit payment card data belonging […]

  • Tips from URM – Password Management and Compensating Controls

    Section 8.2.4 of the PCI DSS v3.2.1 specifies that passwords must be changed at least once every 90 days. In our day-to-day PCI DSS consultancy work, we are frequently asked whether there is any flexibility in extending the period when passwords need to be changed and whether ‘compensating controls’ can be used. The argument often […]

  • The Value of Internal Audit

    This week’s blog takes a look at internal audit. Whilst it is a mandatory requirement of management systems, internal audit can often be the neglected ‘poor relation’. This is particularly true in smaller organisations where the internal audit team consists of ‘volunteers’ who conduct audits as a secondary role to […]

  • How to deliver a business continuity exercise – the essentials

    There is no arguing that exercising is an essential part of business continuity (BC) preparedness. The challenge is how best to exercise our business continuity plans (BCPs) or incident management plans (IMPs). This week’s blog is the first in a series of blogs around exercising […]

  • Phishing is on the rise – What should you be doing?

    This week we are looking at the rise of phishing attacks and what we should be doing to prevent them. Let’s start with some scary stats! Verizon’s 2017 data breach report indicated that: 3% of users who receive phishing emails fall for them (whether via a link or an opened attachment); 15% of all unique users […]

  • Corporate Governance, IT Governance and Information Governance

    In this week’s blog, we are going to look at governance. We are regularly asked, ‘what do you mean by governance?’ or, ‘is information governance the same as IT governance?’ There seems to be a lot of confusion and mispositioning of governance, its role and its different forms. In this blog, we will provide some […]

  • Tips from URM – Scope

    One area we are often questioned about is scope. How do you identify and then manage your scope?  This week’s tip focuses on just that! When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope […]

  • Gap Analysis vs Risk Assessment

    Should You Start Your ISO 27001 Programme with a Gap Analysis, or is There a Better Starting Point? The answer depends on your goals and your knowledge of your current position. This blog will look at which is best and when. When it comes to determining your need for information security controls, there are a couple […]

  • Tips From URM – Management Commitment

    In previous blogs, we have tackled a number of fundamental ISO 27001 components.  One of the most significant is management commitment and this week’s top tip will look at just that. Commitment from your leadership team is absolutely crucial to managing information security within your organisation.  In just the same way as pretty much any […]