Cancer Research catches up with compliance

Charity organisation Cancer Research stays on top of PCI compliance while also working towards ISO 27001.

As the banks have improved their security, hackers and phishers have turned their attention to exploiting charities and the goodwill of the general public. The job of Brian Shorten, IS Risk Manager for Cancer Research, is to ensure his organisation does not become a soft target for that kind of attack. He has also recently formed the Charities Security Forum, to help raise awareness of security matters right across the charity sector. caught up with him to see what's keeping him busy at the moment.

What has been your main preoccupation over the last few months?

Brian Shorten: PCI compliance has been a big task. At first, we thought it didn't affect us because the donations we get through the Internet go through Worldpay and Streamline. But we have 600 shops, all of which accept credit card payments using a Streamline terminal. We also have people ringing in with donations, and also sending back paper forms in response to our fund-raising. So that gave us pause for thought.

We started going through all the different business processes and talking to the various areas that hold credit card details. It taught us a lot – we realised we didn't know as much as we'd thought. It gave us a better idea of how the credit and debit card data flowed through the organisation.

We had to talk to all the different departments involved, and this raised a lot of issues. For instance, if you ring up and buy something from us, you talk to our call centre and give them your credit card number. We had to check whether they recorded telephone calls, because if they did, they would have to store the tapes securely. Luckily, they do not record calls, but if that changes, then we'll have to secure the tapes.

We are now PCI compliant, and have a monthly scan by a company called SecureWave to ensure we stay compliant. But it is also easy to lose compliance. For instance, the website is constantly changing. We have web editors whose job is to change it, and any change could introduce a vulnerability, which might lead to it being hacked, and to us failing our next scan and becoming non-compliant. So we have to stay on top of it all the time.

What next on your agenda?

Brian Shorten: Business continuity (BC) is going to be our next focus. This time last year, we had little or nothing in terms of BC. We didn't have a second site. We just had a few policies on how to rebuild servers.

We now have a second site and should have everything in place by the end of March. Then we'll do user acceptance testing on critical applications through to June, by which time we should have it all complete. The main site is in London, and the second in Reading.

I have put BC into our project management process. It means that every new project that comes up for approval will have to be assessed for its business continuity implications. We need to establish whether it will be a critical system and if so, make sure there is budget in place to pay for a server in the second location, for instance. And obviously budgets are always tight here – we don't really like spending money on anything that isn't research.

I also want to tie BC into the change process to make sure that if a production application is going to be changed, we think about its impact on the business continuity side. For instance, we are currently upgrading our finance system. It is critical to make sure that when we update the production version, we also upgrade the back-up system as well.

These things are so often overlooked. In previous organisations I have worked at, we've found applications on the back-up systems lagged behind the production versions because the IS department hadn't got round to doing the upgrades. One guy said to me he'd need two months to catch up – which is no good if the data centre is on fire. We guarantee to get everything up and running within three days, so we need to have everything updated all the time.

Are you compliant with ISO 27001?

Brian Shorten: We are not yet certified for ISO 27001. I think we generally comply with its requirements, although I can't always prove it. We lack the paperwork and documentation that you need for 27001. Our auditors tell us they have no doubt we know what we are doing, but they'd like to see more documentation to show how we do things. So I am trying to tie that together, and document our policies and processes.

I don't intend to treat this as just a paper exercise for its own sake, though. It will help concentrate everybody's mind on what they should be doing, and should help to raise security awareness among project planners. Getting these policies created and issued will help that to happen.

I recently called in a firm of consultants, Ultima Risk Management (URM), to do a gap analysis for me and identify those areas where we fall short of ISO 27001. I was aware of most of the shortcomings already but having it in a report produced by an outside company should be helpful in providing impetus to get them fixed. At the moment I don't have the resources to go through a formal 27001 certification but I'd like to think that in six to nine months I'll get URM back and we'll go for certification then. It is well worth doing, and many of the organisations we deal with, such as clinics in the NHS, increasingly want to know we are compliant.

Is there any technology that impresses you at the moment?

Brian Shorten: The Yoggie Personal Firewall is something that interests me. We have a lot of scientific devices, such as microscopes that are computer-controlled but which we cannot update for security purposes. They have to be connected to the network, but the manufacturers of the software running on them say we can't touch the software. So any anti-virus software running on the microscope can't be upgraded. This means they are vulnerable to the latest viruses. The Yoggie device comes with all security software on a USB stick, and I think this might help us provide the extra protection. I'll need to get our technical people to look it over and trial it. But we're short of resources at the moment.
