This week’s top tip focuses on data protection and the value of the information you can find on the Information Commissioner’s Office (ICO) website. There is a wealth of information available on the ICO’s website, however, probably one of the most visited areas is ‘Action We’ve Taken’. In particular, the enforcement notices, audits, advisory visits […]
Have you Planned for the Unexpected? This week’s top tip reflects on the prevalent theme of ‘uncertainty’. Whether it be the general backdrop of political uncertainty that has dominated our lives since 23 June 2016, the vexing Tory leadership race as we await to see who will be our next Prime Minister or the unpredictability […]
Continuous Improvement, What next? This week’s top tip focuses on where to seek information and highlights a recently released report which contains useful and valuable information. A fundamental expectation of all ‘best practice’ ISO management systems is the requirement for a programme of continuous improvement. There is often a danger within all organisations that programmes can […]
PCI DSS compliance as BAU (Business As Usual) For an organisation to achieve and maintain compliance to the Payment Card Industry Data Security Standard (PCI DSS), the Payment Card Industry Security Standard Council (PCI SSC) encourages organisations to implement security into it business as usual (BAU) processes. From URM’s own experience this is especially true for […]
In this article, we aim to clarify what requirements the Payment Card Industry Data Security Standard (PCI DSS) places around the protection of cardholder data (CHD) and sensitive authentication data (SAD) in particular. Bit of a recap first. The PCI DSS is an information security standard for organisations that store, process and/or transmit payment card belonging […]
Section 8.2.4 of the PCI DSS v3.2.1 specifies that passwords must be changed at least once every 90 days. In our day-to-day PCI DSS consultancy work, we are frequently asked whether there is any flexibility in extending the period when passwords need to be changed and whether ‘compensating controls’ can be used. The argument often […]
One area we are often questioned about is scope. How do you identify and then manage your scope? This week’s tip focuses on just that! When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope […]
In previous blogs, we have tackled a number of fundamental ISO 27001 components. One of the most significant is management commitment and this week’s top tip will look at just that. Commitment from your leadership team is absolutely crucial to managing information security within your organisation. In just the same way as pretty much any […]
Our top tip last week focussed on a question which often crops up, ‘How do we approach asset identification within our information security risk assessment?’. As we pointed out, there are 2 aspects to this question; ‘which assets do we include?’ and ‘how granular do we make the list?’. This week’s top tip examines which […]
