
Case Study: London Borough of Tower Hamlets

PCI DSS & GPG 13 Compliance | Logging, Monitoring & Alerting

Client Overview

The London Borough of Tower Hamlets (LBTH) has the remit to be a provider of first class public services. LBTH also needs to comply with the PSN Code of Connection and the Payment Card Industry Data Security Standard (PCI-DSS). Additional priorities for the council are to provide first class public services and to blend managerial and leadership skills to improve areas such as ICT.

The Challenge

LBTH are mandated to comply with the PSN Code of Connection and with PCI-DSS, but initial attempts to create and monitor a Card Data Environment (CDE) had proved costly and labour intensive. LBTH needed to implement logging within the CDE and perform regular vulnerability scanning, as required by PCI-DSS sections 10 and 11, by CESG Good Practice Guide 13 (GPG 13) and by the PSN Code of Connection for Impact Level 2 (IL2). The first challenge was to identify where the boundary of the CDE should lie, followed by which events were the correct ones to capture and why. The existing SIEM system was logging everything, creating a mass of data that was unwieldy and difficult to analyse and respond to. A simpler solution was required: one more cost effective in terms of the LBTH budget, and one that freed up internal IT resources for other projects. The existing approach was not using IT resources efficiently, and it was not delivering monitoring and alerting of the correct events. Neither the PSN nor the PCI-DSS compliance mandate was being met.

The Solution

The solution deployed was MOSAIC COMPLY&SECURE, managed using the CNS COMPLIANCEngine from CNS, supported by a short period of consultancy to analyse the CDE and determine its boundary: what was in scope and, as importantly, what was out of scope. During this period the correct events to log, alert and report on were defined and a proof of concept (PoC) was set up. The PoC delivered the required result within days, and within four weeks a live system was configured and installed. All compliance events are monitored 24x7 by the CNS Managed Service, every event is automatically ticketed and the LBTH ICT Desk is informed of all events, backed by strict Service Level Agreements. The managed service is supported by quarterly service reviews and full reports to LBTH detailing all compliance events.

“We’ve been very pleased with the improvements that the CNS COMPLY&SECURE service has brought to Tower Hamlets and especially pleased with the smooth way that CNS has implemented this.  The managed services have been excellent value for money.”

“By taking advantage of the CNS services we have been able to enhance our responsiveness to compliance events and there is greater trust between ICT and our Security team.”
IT Programme Manager, LBTH

“Our Managed Security and Compliance Security offerings are designed to reassure clients and ease the day-to-day burden of IT operations.”
Cliff Warder, Head of Sales, CNS Mosaic.

Key Business Benefits

  • PSN Code of Connection (GPG13) and PCI DSS compliance
  • Clear visibility into events that affect compliance, reassuring business leaders
  • Reduced IT operational costs and better deployment of IT resources
  • Reduced costs of maintaining the compliance mandate
  • Early detection and SLA’d response to security and network events affecting compliance

The Challenge

  • Compliance to PCI-DSS requirements
  • Compliance to GPG-13
  • Costs and complexity of previous approach
  • Overwhelming amount of data being collected
  • Monitoring and response to correct compliance events
  • Ticketing and scheduled reporting of all events

The Solution

CNS’s ability to integrate the consultancy with the Managed Service has delivered a working PCI-DSS and PSN CoCo compliance monitoring solution that helps prevent the ICT group from being swamped with data and alerts.

The solution has delivered excellent benefits to LBTH, such as clear visibility into the events that affect compliance and reassurance for business leaders that those events are being monitored. This has reduced not only the costs of maintaining the compliance mandate but also IT operational costs, and it has permitted a better deployment of IT resources.
