HSM Implementation

HSMs are often brought into service with security settings and enabled services that the business does not understand.

This presents unquantified risk and, worse still, unknown and unmanaged risk.

Many organisations make the mistake of bringing a Hardware Security Module (HSM) into service to support the business without first making the relevant checks from a regulatory or good-practice point of view.

In many cases they fail to capture the detail needed to make the following essentials demonstrable:

  • Adherence to the chain of custody
  • Evidencing that the device has not been tampered with
  • Ensuring the right degree of dual control and separation of duties is in place before the device is commissioned
  • Evidencing that the device build is compliant with a given specification
  • Ensuring that the attack surface has been reduced
  • Ensuring that the access control logs are fit for compliance
  • Evidencing that remote management has been securely deployed to suit your strategy for reduced data centre presence

Making these items demonstrable can be difficult when you perform these operations only on rare occasions, yet getting them wrong can have severe consequences for your organisation. Consequences include financial penalties and, in the worst case, restricted access to the processor network, which could leave you unable to process at all. The problem is compounded if the business is already processing production traffic on a compromised device, at which point the organisational pain can be significant.

Of course, it is always important to strike the right balance between security and convenience, but organisations are often unaware of where this balance lies and end up with a list of non-compliances that, at a minimum, reflect badly in the stakeholders' board reports.

ID-3 has proven experience and can help your organisation get this right using our tailored framework.