LBTH are mandated to comply with the PSN Code of Connection and the PCI-DSS mandate, but initial attempts to create and monitor a Card Data Environment (CDE) had proved costly and labour intensive. LBTH needed to implement logging within the CDE and to perform regular vulnerability scanning, as required by PCI-DSS sections 10 and 11, by CESG Good Practice Guide 13 and by the PSN Code of Connection for Impact Level 2 (IL2). The first challenge was to identify where the boundary of the CDE should lie; the second was to determine which events were the correct ones to capture, and why. The existing SIEM system was logging everything, creating a mass of data that was unwieldy and difficult to analyse and respond to. A simpler solution was required: one that was more cost effective in terms of the LBTH budget and that freed up internal IT resources for other projects. The existing approach was not using IT resources efficiently, and it was not delivering monitoring and alerting of the correct events. Neither the PSN nor the PCI-DSS compliance mandate was being met.
The solution deployed was MOSAIC COMPLY&SECURE, managed using the CNS COMPLIANCEngine from CNS and supported by a short period of consultancy to analyse the CDE, determine its boundary and establish what was in scope and, just as importantly, what was out of scope. During this period the correct events to log, alert on and report on were defined and a proof of concept (PoC) was set up. The PoC delivered the required result within days, and within four weeks a live system was configured and installed. All compliance events are monitored 24x7 by the CNS Managed Service, all events are automatically ticketed and the LBTH ICT Desk is informed of every event, backed by strict Service Level Agreements. The managed service is supported by quarterly service reviews and full reports to LBTH detailing all compliance events.