Payment Security

March 24, 2022

Cyber Hygiene: Important Considerations in Supporting Payments

Going above and beyond compliance to deliver Payments Orchestration

Written by

Jennifer Rosario

Delivering a successful Payments Orchestration solution requires that we go above and beyond simple compliance. We must deliver the utmost confidence and trust in the security of our customers' payment data.

Past breaches have shown that failing to commit enough resources to security is a faulty and dangerous way to do business online. Putting basic cyber hygiene practices in place for your organization will not only deter a malicious attacker but also add the layer of defense that critical data needs in today's world.

This is not to say that compliance is not important; it clearly is. The ability to comply with the various regulatory and statutory requirements is necessary to demonstrate a level of maturity. However, compliance is the bare minimum. If one prioritizes security frameworks (think NIST, ISO, etc.) and best practices (think CSA CCM, the CIS Critical Security Controls formerly known as the SANS Top 20) as the core of an information security program, compliance (think CCPA, GDPR, PCI DSS) comes naturally.

As Spreedly is an international organization serving customers all over the world, assessing and aligning to the multitude of security and privacy expectations is a daunting task. Risk management must be part of an effective security program. One tool we have found tremendously valuable, because it brings both the security and the compliance needs into one view, is the Secure Controls Framework (SCF).

The SCF provides a clear catalogue of the controls to assess our environment against. It is worth noting that this is still a significant effort that takes time and focus. In this piece, we'll talk about basic cyber hygiene as a starting point for building out a comprehensive information security program. We will then explore how committing to a recurring plan can expand and mature your control environment.

Several basic cyber hygiene best practices are noted below. Be aware that there may be additional business- or industry-specific focus areas, so engage stakeholders across the organization to discuss business processes and the risks most likely to affect them. Start by addressing those that would have the most impact.

Continuity and exercise 

Develop a business continuity plan to define what processes (and therein third parties, people, locations, etc.) are most important to the business (this will become the basis of needs for the information security program – the crown jewels if you will). Conduct exercises on likely scenarios and include the employees who would potentially be engaged so they are prepared. 

Use a risk-based approach 

Risk management helps prioritize what to focus on first; include key stakeholders in the risk assessment process to get a true risk picture.

Classify 

Put a data classification program in place that clearly identifies the types of data that employees need to protect and how. 

Educate 

Employees are often the first and last line of defense; spend time on awareness training that is specific to the business so they can easily spot phishing, smishing, other scams, and understand the importance of key controls. 

Maintain 

Keep your infrastructure and applications up-to-date with security patches; scan for vulnerabilities often; conduct penetration testing at least annually.

Use passphrases 

Require long passwords that are easy to remember; promote the passphrase concept, where a sentence or a set of words that means something to you (and only you) is allowed as a password; don't reuse passwords; and consider investing in a password manager for use by all employees (including personal use at home).

Encrypt 

Encrypt your data wherever possible, at least the most important data based on your data classification program. 

Trust but verify 

Enforce multi-factor authentication on as many applications as possible; in today’s remote world, two-factor is a necessity. 

Vendor accountability 

Using your data classification program, assess vendors based on the data they store, process, or transmit on your behalf as they are an extension of your business. 

Insure 

Consider cyber insurance as risk mitigation; breaches can happen to even the most secure business.

After these foundational items are in place, start to formally add further key controls to your program via the SCF. Ideally, a business continuity plan is already in place, along with knowledge of which business processes, third parties, and people the business uniquely depends on. This helps to engage the right people when scoping the additional SCF controls needed. At a minimum, I recommend starting with Legal, Human Resources, IT, and Compliance as a cross-functional team, since these are critical enterprise roles that typically own the controls with the most impact.

Once the team is defined, identify all regulatory and statutory requirements; this is where the legal stakeholder provides expertise. Then, as a team, agree upon the other security requirements based on business needs, ideally using the output of the business impact analysis (BIA) from the business continuity plan.

With hundreds of controls, assessing the SCF can be overwhelming, so start with the “must have” controls, as the SCF instructions recommend. Once the musts are defined, you have a starting point. To begin the assessment, determine which of the “must have” requirements address the most significant risk and start there. Consider a phased assessment: in the first pass, the team divides up the review and identifies a control owner for each control; in the second pass, each control owner reviews the controls assigned to them. This can be done asynchronously or in group meetings; it is really up to company culture and how work gets done. For a control to be considered in place, it must be documented. If it isn't documented, it doesn't exist.

As part of our assessment, several new columns were added to the SCF spreadsheet as noted:

  • Existing Control in Place? - yes | no | follow-up needed
  • Documentation Location - link to where the document is stored
  • Control Owner Title - ex. Director of IT
  • Control Owner Name - employee name(s)
  • Control Owner Reviewed - yes | blank (this was used for the second pass mentioned above)
  • Comments - catch-all field where notes were added for follow-ups, additional context needed, etc.

We also filtered on the “Relative Control Weighting (1-10)” column to get better insight into what areas should be prioritized. We ended up downgrading some controls that weren’t as critical for our environment. The SCF sheet mentions these weightings are subjective and should be changed to suit respective risk appetites. 

Once both assessment passes are complete and the weightings reviewed, you have your control framework. Using the custom “Existing Control in Place?” column, filter on the no's and follow-ups to start building a roadmap of work to be done. If that list is long, filter further on the controls with a “10” weighting as a starting point. As those controls are addressed to a level adequate for your business, continue to build out your information security program with the “nice to haves”.
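The spreadsheet workflow above (custom status and owner columns, the documentation rule, the weighting filter) can be scripted once the annotated SCF sheet is exported to CSV. The following is an added example, not Spreedly's tooling and not part of the SCF itself. It keeps the custom column names exactly as listed above and the weighting column as the SCF sheet names it; the “SCF #” and “Control” columns, the sample rows, and the URLs are constructed for illustration. It builds the remediation roadmap (heaviest controls first, “yes” without a documentation link downgraded to follow-up) and lists the controls still awaiting the owner's second-pass review.

```python
"""Turn an annotated SCF CSV export into a prioritized remediation roadmap.

Added example; not Spreedly's tooling. Column names other than the custom
columns described in the article and "Relative Control Weighting (1-10)"
are assumptions: map them to whatever your SCF version actually uses.
"""
import csv
import io

# Constructed sample rows standing in for an exported SCF sheet. Control IDs,
# names and URLs are illustrative, not copied from the real framework.
SAMPLE_CSV = """\
SCF #,Control,Relative Control Weighting (1-10),Existing Control in Place?,Documentation Location,Control Owner Title,Control Owner Name,Control Owner Reviewed,Comments
AST-01,Asset Governance,8,yes,https://wiki.example/asset-gov,Director of IT,J. Doe,yes,
BCD-01,Business Continuity Management,10,no,,Director of IT,J. Doe,yes,BCP draft due Q2
CRY-01,Use of Cryptographic Controls,10,yes,https://wiki.example/crypto,Director of Engineering,A. Smith,yes,
IAC-06,Multi-Factor Authentication,10,follow-up needed,,Director of IT,J. Doe,,Confirm MFA on SaaS admin consoles
VPM-02,Vulnerability Remediation,9,no,,Director of Engineering,A. Smith,yes,Patch SLA not written down
SAT-02,Role-Based Security Training,6,yes,,Director of HR,B. Lee,,Training exists but not documented
THR-01,Threat Intelligence,3,no,,Director of Engineering,A. Smith,yes,
"""

NEEDS_WORK = {"no", "follow-up needed"}


def load_controls(text):
    """Parse the CSV export into dicts and coerce the weighting to an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["weight"] = int(row["Relative Control Weighting (1-10)"])
    return rows


def roadmap(rows, min_weight=1):
    """Controls not in place or needing follow-up, heaviest weighting first.

    A "yes" with no Documentation Location is downgraded to "follow-up needed":
    if it isn't documented, it doesn't exist.
    """
    out = []
    for row in rows:
        status = row["Existing Control in Place?"].strip().lower()
        if status == "yes" and not row["Documentation Location"].strip():
            status = "follow-up needed"
        if status in NEEDS_WORK and row["weight"] >= min_weight:
            out.append({**row, "status": status})
    # Highest weighting first; ties broken by control ID for a stable order.
    out.sort(key=lambda r: (-r["weight"], r["SCF #"]))
    return out


def unreviewed(rows):
    """Second-pass gaps: controls the named owner has not yet signed off."""
    return [r["SCF #"] for r in rows
            if r["Control Owner Reviewed"].strip().lower() != "yes"]


def by_owner(items):
    """Group roadmap items by owner title so each team gets its own backlog."""
    groups = {}
    for r in items:
        groups.setdefault(r["Control Owner Title"], []).append(r["SCF #"])
    return groups


if __name__ == "__main__":
    controls = load_controls(SAMPLE_CSV)
    # Start with the "10" weighted gaps, as the article suggests for a long list.
    for r in roadmap(controls, min_weight=10):
        print(f'{r["weight"]:>2} {r["SCF #"]:<7} {r["status"]:<16} {r["Comments"]}')
    print("Awaiting owner review:", unreviewed(controls))
    print("Backlog by owner:", by_owner(roadmap(controls)))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the `min_weight` argument is the “10” filter from the text, and the `by_owner` grouping is what turns the filtered sheet into per-team work items.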

Repeat this approach at least annually, and be sure to use the latest version of the SCF, which is typically updated several times a year. Following the process ensures that your information security program is compliant and, more importantly, built on sound, comprehensive security controls.

Learn more about the steps Spreedly takes to ensure your customers' financial information is secure while still allowing you to process transactions seamlessly.

About the author
Jennifer Rosario is Chief Information Security Officer at Spreedly, where she leads the strategy and execution of security, privacy, compliance, and IT across the organization. With more than 20 years of experience in cybersecurity and a decade leading global teams, she focuses on building risk-aligned security programs that protect the enterprise while enabling the business to scale with speed and confidence.

Jennifer’s work spans enterprise security, governance and compliance, privacy, and AI governance, with deep experience guiding organizations through complex environments including digital transformation, cloud modernization, and regulatory evolution. She is known for transforming security into a strategic business enabler, helping organizations strengthen customer trust, support revenue-enabling compliance, and manage risk through clear, actionable decision making.

Jennifer writes about cybersecurity leadership, risk governance, privacy, and the evolving role of security in modern digital infrastructure, with a focus on building resilient, scalable programs that align technology, risk, and business strategy.