Royal Mail tightens hacker defences


June 14 2005


Weekly sweeps to spot any weaknesses for post service


The Royal Mail is tightening security practices by sweeping its networks for vulnerabilities on a weekly basis. The postal service, which is starting to use more web-based business processes, has outsourced vulnerability and penetration testing to security company QinetiQ.

Martin Roe, Royal Mail's IT security manager, said: "What we were trying to achieve was periodic penetration tests five times a year. But they were quite irregular and I was worried about the gaps of time in between them."

Roe said he wanted more regular tests performed to ensure hackers stood no chance of breaking in: "I wanted to try and automate the process. I looked at vulnerability scans and we put it out to tender to see who could do this on a weekly basis instead of a few times a year."

He said vulnerability scanning on individual products was taking up valuable time for his staff, so the company opted for three services: QinetiQ's Managed Vulnerability Assessment and Alerting Service, a general security health check, and Qualys' Automated Scanning Service. QinetiQ packaged the services to guard against the threats deemed to be most severe to Royal Mail.

Roe said he now receives weekly status reports with advice on any action his team needs to take, such as which software patches to apply. As a result, staff can focus on other areas of IT: "I'm now getting the sort of information I need. It follows my business logic. QinetiQ haven't an axe to grind and will provide me with straight facts. One of the nice things about it is I can set service level agreements with vendors."

QinetiQ's tests found Royal Mail's networks were more secure than Roe had thought: "It wasn't as bad as I was expecting it to be. We can spot things so much more quickly now. We now know the infrastructure is fairly sound so we can focus on applications."

Roe said he was happy with QinetiQ's work, and could even trust their staff like one of his own: "I have a rising endorsement for them. If I have a request beyond what they are obliged to do, they drop everything to do it. It's like having an employee at the end of the phone."


 

Reproduced from an article published by Silicon.com
© Silicon.com

The original article can be viewed here:
http://software.silicon.com/security/0,39024655,39131148,00.htm
