INDUSTRY: Culture and Heritage
BUSINESS: British national museum organisation with branches at five locations in England.
SCOPE: National
BUSINESS PROBLEM: Imperial War Museums wanted a more effective way to safeguard critical business systems from potential security threats, all while proving compliance with the latest industry standards for payment protection.
SOLUTION: Qualys Vulnerability Management
WHY THEY CHOSE QUALYS:
- Accurate, comprehensive vulnerability scans ensure that IT assets are kept totally secure.
- Streamlined PCI DSS compliance testing and reporting will improve overall security and help meet regulatory requirements.
- Prioritisation of vulnerabilities enables staff to focus resources on resolving the most critical issues.
Imperial War Museums Strengthens Security Posture and Complies with Industry Standards for Payment Protection
Imperial War Museums has introduced a comprehensive vulnerability management solution that will help it to proactively tackle threats that place its network at risk and prove compliance with PCI DSS.
Imperial War Museums (IWM) is a global authority on modern conflict and its impact, from the First World War to the present day. IWM engages audiences from all over the world, both physically and virtually, through its website, digital resources and five branches: IWM London, IWM North, IWM Duxford, Churchill War Rooms and HMS Belfast.
Keeping payment card information safe
Every year, IWM’s five museums receive huge numbers of visitors; in 2014 alone, more than 2.8 million people visited the museum group. These visitors perform large volumes of credit and debit card transactions—buying entry tickets for the three charging museums (IWM Duxford, Churchill War Rooms and HMS Belfast), tickets for major exhibitions and events through to making purchases in gift shops and cafes.
To keep customers’ payment information safe and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), it is critical for IWM to keep its business systems secure from possible security breaches. Failure to conform card payment systems to PCI DSS could lead to fines and even expulsion from credit card acceptance programs—something that IWM was keen to avoid.
Ian Crawford, CIO at Imperial War Museums, elaborates: "IWM is committed to ensuring PCI DSS compliance and, as the number of transactions we process increased, we wanted to adopt a more rigorous approach to protecting our network from vulnerabilities that could jeopardise security and regulatory compliance."
“Security threats are constantly evolving and Qualys VM will be a key asset as we work to keep our systems secure and in full compliance with regulations.”
Ian Crawford,
CIO
Toughening up IT security
As a first step, IWM engaged a security consulting service provider to assess its network to identify key risks and areas of potential non-compliance.
This exercise sparked a realisation for the organisation’s IT team, as Ian Crawford explains: "As we covered the basics of what needed to be done to ensure PCI DSS compliance, we saw that we could go one step further, and use the opportunity to bring in better security practices around IWM's entire network."
He continues: "The systems we operate are essential for the guardianship of collections – many of which are sensitive in nature due to our subject matter – maintaining the health and safety of employees and visitors, and managing a range of information and processes. Beyond PCI DSS compliance, a security breach or attack could have a serious impact on our day-to-day operations and reputation. We needed an enterprise-grade solution that would allow us to conduct vulnerability and compliance assessments, and help rapidly resolve any vulnerabilities."
Taking Vulnerability Management To The Cloud
After evaluating a range of options, IWM selected Qualys Vulnerability Management (VM) as the cornerstone of a more strategic approach to network security and compliance management.
"Qualys VM was recommended by our service provider," recalls Ian Crawford. "We also reached out to existing Qualys customers including the British Library, who had a similar use case to our own, and received good feedback. This convinced us to test the solution ourselves and after seeing some very positive results, we decided that Qualys VM would be an ideal fit for our requirements."
Built on the Qualys cloud security and compliance platform, Qualys VM offers powerful, end-to-end vulnerability management capabilities—from asset discovery and vulnerability assessment to remediation and security-fix verification. And as the solution is delivered as a cloud service, there is no need for IWM to deploy and maintain any software or costly infrastructure.
Using Qualys VM, IWM went to work scanning its entire network, comprising more than 750 workstations and 180 servers, as well as devices such as switches and printers. Based on the results of its initial scans, the organisation has come up with a comprehensive plan to target and eliminate vulnerabilities through regular monitoring, updates and patching.
Ian Crawford says: "Qualys provided valuable support as we got started with the solution. They offered great help when it came to getting everything set up, and the team was quick to respond when we had questions or gave feedback on certain features.
"The first time you run a scan can be quite daunting, as it can seem like there are a lot of issues to deal with all at once! With help from Qualys we have worked out a solid vulnerability management strategy and have put policies in place to address vulnerabilities."
Enhancing security and compliance
With Qualys VM, IWM has gained a powerful platform for proactively tackling the vulnerabilities that place its infrastructure and applications at risk, and one that will help it to prove PCI DSS compliance.
Ian Crawford remarks: "Qualys VM gives us much better visibility into the vulnerabilities around our network and the risks involved, so we can prioritise remediation efforts. We scan our systems on a continuous basis and check new devices as they are brought onto the network. We have also established a more consistent approach to patching and updates, helping ensure that systems are highly secure and up to date."
In addition, a more rigorous approach to vulnerability management will enable BHF to ensure that systems remain within compliance, and help prepare for mandated PCI DSS assessments and reporting.
Ian Crawford adds: "We are making great strides with our PCI DSS efforts and expect to achieve full compliance over the course of 2016. We expect the Qualys solution to be of particular benefit in streamlining the reporting process, allowing us to easily prove our compliance status to acquiring banks."
He concludes: "Security threats are constantly evolving and Qualys VM will be a key asset as we work to keep our systems secure and in full compliance with regulations. It gives us a great deal of confidence to know that Qualys is constantly enhancing the solution, as this will help us to stay one step ahead of risks and keep our most critical assets protected."