In today’s climate of business insecurity it is becoming increasingly important for businesses to take every conceivable precaution to protect themselves and their assets from risk and breach. You only have to look in a newspaper or go online to read about the latest hack attack or security breach to realise that business are facing these dangers every day. Millions of pounds are being lost, and countless crucial data sets are being compromised. These security breaches can cause loss or significant damage to people, brands, reputation and profits.
Most businesses will be aware of the vital importance of spotting security vulnerabilities within their network and applications, and many will also be aware that they will need to carry out a network penetration test to help them comply with the Payment Card Industry Data Security Standard (PCIDSS) requirements. Understandably many SMBs will look to find the cheapest and quickest way to comply with the required standards. However, some businesses might be surprised to learn that the service they are paying for isn’t necessarily what they think it is. PCI DSS is explicit in its requirement that a penetration test has to be performed, but it is rather vague when it comes to explaining what methods need to be employed when performing testing.
The majority of organisations will generally now have a number of information security controls in place. However, without a formal Information Security Management System (ISMS), these controls tend to be somewhat disorganized, haphazard and disjointed.
The reason for this is that the controls have often been implemented partly as specific solutions for specific situations, or simply introduced as a matter of convention. Unfortunately, the security controls in operation today typically only address certain aspects of IT or data security, leaving non-IT information assets like paperwork and proprietary knowledge less protected and vulnerable. Sometimes business continuity planning and physical security might be managed independently of IT or information security, whilst Human Resources practices may not recognise the need to define and assign information security roles and responsibilities throughout the organization. The ISO 27001 standard was introduced to address these issues.