Go-Ahead transports more than a billion passengers on its trains and buses each year, including 1,800 London buses and some 30 percent of UK rail journeys.
David Lynch, group technology and procurement director at Go-Ahead, along with his team of 50 IT specialists, is responsible for technology investments across the organisation with a variety of solutions provided. The challenge is to ensure that his information security budget is well invested. “Organisations spend a lot on business continuity and security. I need to prove that I am spending the company budget wisely,” says Lynch.
As a level 1 merchant of travel tickets, often bought online with credit cards, Go-Ahead has to comply with the Payment Card Industry Data Security Standards (PCI DSS), including the new 3.0 terms, and has to have regularly scheduled audits with a PCI qualified security assessor (QSA).
Lynch spoke to RandomStorm, a PCI QSA, about how he could ensure that the security detection and protection products he deployed were being used to their full potential.
Combining requirements for ongoing monitoring of the enterprise security status with Lynch's love of football,
RandomStorm designed a Security League Table demonstrating the comparative performance of different areas of Go-Ahead's IT estate.
“One of the issues regularly cited by QSAs is that they go in and run a penetration test for a merchant and produce a report highlighting the vulnerabilities on merchant networks,” explains Robin Hill, co-founder of RandomStorm. “Then they go back six or 12 months later and nothing has been done to fix those earlier vulnerabilities.”
The RandomStorm Management Platform of security monitoring products, including iStorm, was used to develop a Security League Table enabling Lynch to quickly review where vulnerabilities have been identified, which assets are affected and what remedial action is required. Where a highlighted vulnerability has not yet been addressed, such as a misconfigured device or required patch, this will be marked down, pushing that IT domain lower in the League Table.
The League Table is regularly updated with details of the active security issues, and work schedules are generated to address the vulnerabilities highlighted. It also measures ongoing security in-between scheduled audits. “I am amazed that no one else is doing this,” says Lynch. “The League Table identifies where vulnerabilities highlighted by the scans have not yet been repaired and provides IT managers with a schedule of work during the month.”
He cites the protection of the network, prevention of breaches, avoidance of fines and protection of corporate reputation as the key drivers for initiating the Security League Table. The changing nature of attacks means an IT team could be at the top of the league one week and at the bottom the next, explains Lynch.
Another benefit is creating a dialogue between IT staff and non-technical business managers at Go-Ahead to demonstrate where IT is adding value to the business: “The League Table gives the IT teams an opportunity to explain what has happened on the network, what caused it, what it means to the business and what they are going to do about it. IT staff mark why they are bottom of the league and what they are going to do to fix highlighted vulnerabilities,” Lynch says. He adds that IT staff constantly monitor the network perimeter and IP addresses to react to any unauthorised activity.
“I'd rather know about an issue and get people to work on repairing a security hole,” Lynch says. “I am not a great fan of putting a tick in the security compliance box, unless I am certain that I am actually complying. We have to know that we are getting value out of it, and we are.”