There is one question that everyone is guaranteed to get right – are cyberattacks on the increase? In this blog, we will review some of the more significant cyberattacks over the last year and look for any emerging trends in terms of cybercrime targets, as well as the type of attacks. First, let’s make sure […]
In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and transmitting of cardholder data (CHD)? Let’s look at the benefits and disadvantages of outsourcing. Pros of outsourcing Reduction of scope and in-scope processes Any […]
The certification process consists of a two (2) stage audit. These are most commonly described as : ► Stage 1 audit – organisational readiness (desk top review) ► Stage 2 audit – assessment of the implementation through the sampling of evidence (interviews and inspection of records etc). The exact duration of the 2 different audit […]
A crucial element in performing an audit is the collection and evaluation of evidence. Evidence is used to determine if the process or control being audited is performing as expected. In this blog, we will be exploring how you can define what evidence is required and what are the most effective ways of gathering evidence. Evidence […]
This week’s blog tackles the question of storing cardholder data and why the Payment Card Industry Data Security Standard (PCI DSS) is so beneficial. Fundamentally, it is very clear on this topic – if you don’t need it, don’t store it. Furthermore, if you do need it, make sure that you know everywhere it is […]
Definition With this week’s blog, the spotlight turns to internal audit and specifically in the context of ISO 27001, the International Standard for Information Security Management. We will step right back and look at internal auditing from the perspective of those new to the subject or those trying to understand where and why it fits. […]
A question we are increasingly asked is ‘Is there a catch-all international standard that effectively proves external verification of data protection compliance?’ It would be great if the answer to that question was a simple yes, but currently, despite some disingenuous marketing to the contrary, there is no official GDPR certification either centrally or from […]
When looking at the key success criteria for any PCI compliance programme, there is no disputing the importance attached to accurately scoping the cardholder data environment (CDE). Within this blog, we are not going to delve into the murky depths of why a network component may be in or out-of-scope (thank goodness I hear you […]
Definition of information assets Well, that’s easy, there isn’t one, well at least not one universally accepted definition. ISO/IEC 27000:2018 Overview and vocabulary refers to ‘information asset’ 33 times, but never actually defines it. A frequently (ab)used definition of an information asset is ‘everything that has a value to the organisation’. This is the […]
Essentially, the trick is to identify the security requirements of any new software or… This week’s blog takes a look at onboarding information systems. When onboarding is mentioned in terms of information security, typically, most will conclude it’s referring to people, and particularly the starters and leavers process. However, it is also important […]