BillBird is the second intermediary, after the Polish Post Office, for accepting payments from consumers for bulk bill issuers such as gas, electricity and telephone charges and cell phone top-ups. Handling cash payments at the more than 14,000 locations covered by the VIA™ network requires software with full procedural and IT security – and this is the infrastructure BillBird has. However, wherever such sensitive information as customers’ personal or financial data (account numbers, amounts, bill amounts, etc.) is involved, guarantees of secure data storage and processing are crucial.

BillBird’s partners on both sides – both individual customers and principals (telecom operators, utility distributors and providers, etc.) – need to be assured that the data needed to complete a transaction is secure regardless of the transaction, procedure or IT tools being used.

It’s not just about avoiding external and internal threats from malicious activity, industrial espionage, etc., but mainly about protecting information from loss, ensuring the organization’s business continuity, reducing losses, maximizing return on investment and growing the company.

For these reasons, in mid-2010, BillBird decided to implement an information security management system (ISMS) compliant with ISO/IEC 27001 and the ISO/IEC 27002 set of good practices, and to undergo a certification audit for compliance with the standard. Implementation of the system and preparation for the audit were carried out in cooperation with BCC (currently All for One Poland).

BillBird’s partners – both individual customers and principals – need to be assured that data is secure regardless of the transaction, procedure or IT tool being used

Project preparation

The project began with defining the objectives and identifying the processes to be covered by the ISMS. Integration of the ISMS with the company’s other management systems also had to be considered. Once the BillBird project team and the information security management forum (FZBI) were established, their responsibilities were defined.

The primary tasks of FZBI members include:

  • reviewing and approving the information security policy,
  • monitoring significant changes in the exposure of information assets to threats,
  • approving major projects to improve the level of information security,
  • defining the assets covered by the ISMS, their owners and the threats to those assets,
  • developing and implementing a risk management plan,
  • implementing and operating safeguards.

In addition, in the context of the company’s comprehensive risk management, FZBI was responsible for determining the level of risk and developing a risk estimation report, determining actions to resolve security breaches while taking business priorities into account, and conducting internal audits and reviews of the ISO/IEC 27001 ISMS at scheduled intervals.

During the kick-off meeting, the BillBird project team, which included the board, directors and managers (process leaders), reviewed the main objectives of the project. These were to establish an appropriate level of information security, formalize the risk estimation process, and implement the standard as part of BillBird’s corporate governance. The culmination of the work, and at the same time its most important test, was to be ISO/IEC 27001 certification.

The meeting also agreed on the form of cooperation with BCC and other elements of project management (scope, time, resources, project charter, deliverables, consultation protocols and schedule).

Subsequently, all BillBird employees were trained in the basics and terminology of ISO/IEC 27001 and in information security management in the context of business needs and the associated risks. They were also informed how the project would be conducted, its goals and scope, the tasks involved, and how the system would be supervised in the future. Based on a case study of the certification process at BCC, they learned how a certification audit is conducted and what questions auditors might ask. Practical examples also gave a general overview of the control measures required by ISO 27001.

Information security management policy

The goal of the first phase of the project was to create one of the strategic documents of the ISO/IEC 27001 standard – an information security management system policy. At BillBird, it was based on:

  • the involvement of management and employees in implementing the information security management system policy,
  • protecting information assets through procedures for their identification, classification and monitoring, and strengthening the company’s image as a trustworthy organization,
  • applying recognized global standards and best practices in the field of information security, as well as ICT security,
  • systemic management of information security as defined in the risk management policy, based on a comprehensive risk analysis, with attention to the effectiveness of measures to minimize the identified risks,
  • recording information security incidents and taking corrective and preventive actions,
  • continuous improvement and promotion of an ISMS compliant with ISO/IEC 27001 and legal requirements, as well as education of employees in this regard.

This phase defined which company locations, human resources, assets and technologies would be covered by the ISMS. BillBird’s Board of Directors decided to appoint an ISMS Officer, who is responsible for establishing, implementing and maintaining the ISO/IEC 27001 information security management system and for presenting periodic reports on the functioning of the ISMS to management as a basis for improvement. The Officer’s duties also include conducting internal training and initiating and carrying out ISMS improvement activities.

Conceptual preparation

In the second phase of the project, information on business processes and information systems at BillBird was collected and systematized. A risk management process was also carried out, and the organization’s response to the identified risks, its risk handling plan, was determined. The input to the risk estimation process was the classification of information and assets. The project team formalized the risk management procedure, describing in the document such areas as:

  • risk management methodology,
  • main risk factors,
  • risk identification and assessment,
  • risk assessment criteria,
  • risk mitigation activities,
  • acceptance of new products, services and processes, and of modifications to existing ones,
  • risk incidents,
  • ensuring business continuity for the company,
  • emergency and crisis management,
  • handling detected or suspected crimes.

This methodology follows the so-called Deming circle, also known as the PDCA (Plan-Do-Check-Act) cycle. It is a recognized approach to risk management understood as a consistent, ongoing practice: identifying and assessing risks, mitigating them through action, monitoring risk levels, and re-evaluating and taking corrective action.

Risk management covers all spheres of the company’s operations and all business lines. Risk estimation was carried out by the BillBird project team. Its results are a risk matrix and a risk handling plan, specifying the details of how safeguards are to be implemented.

Implementation

Among other things, the third stage of the ISMS implementation included the development of a Statement of Applicability, a document defining which controls of the security standard would be applied and how the safeguards would be implemented. An incident management procedure was also created during this stage.

Its goal is to establish a consistent and clear way of dealing with incidents in the company, from the moment of detection, through reporting, classification of the incident, coordination of corrective and preventive actions, to restoration of normal operation of processes and ex-post analysis.

The next task in the implementation phase was to develop a business continuity management strategy. To this end, the BillBird project team developed the key documents:

  • business continuity management policy,
  • crisis and emergency management procedure,
  • procedure for conducting business continuity tests,
  • business continuity test run plan template,
  • BCP testing schedule for 2011.

During this phase, personal data protection documentation was also updated. Among other things, the security policy and the instruction for processing personal data in the IT system were revised. A series of training sessions introducing the most important duties of the information security administrator (ABI) were conducted, as well as workshops that presented practical solutions and the most relevant problems related to the protection of personal data in BillBird.

The training courses covered, among other things, the scope and basic concepts of the Law on Personal Data Protection, limitations and exclusions to the application of the Law, and the other legal grounds that permit the processing of personal data. In addition, the role, position in the organization and legal standing of the personal data administrator (ADO), the information security administrator (ABI) and the information systems administrator (ASI) were discussed. Attention was paid to the rights of data subjects (the rights to information and rectification), as well as when to grant and when to deny access to personal data. Participants in the training learned about the scope of powers and recent case law of the Inspector General for the Protection of Personal Data (GIODO), as well as the scope and consequences of inspections carried out by GIODO.

Information security as a competitive advantage
The most important objectives that guided us in our pursuit of ISO 27001 certification and the resulting benefits were, first and foremost, to ensure comprehensive protection of information (i.e. confidentiality, integrity and availability) recorded and transmitted in all forms, both our own and entrusted to us by customers and business partners.
We have strengthened the company’s image as a professional and trustworthy organization, applying the best management standards. Since only a few dozen companies in Poland can boast an accredited certificate of compliance with ISO 27001, having it is a source of pride, but also quite a tangible benefit in the form of a competitive advantage. Awareness of the importance of information security is growing, and a certificate of compliance with global standards is beginning to appear as a requirement, for example, in various tenders.
We now have a coherent, effective risk incident management system, which is an integral part of the company’s overall risk management process. We manage business continuity based on proven benchmarks and best practices.
We have reviewed, organized and streamlined processes and solutions in areas such as internal and external communications, ICT security, and the physical security of people and assets. In the course of preparing for certification, we were able to identify and then eliminate or significantly reduce gaps and vulnerabilities in information security, and often in the process streamline the process itself, which translates into improved efficiency throughout the organization.
Awareness of the importance of information security and risk management among employees and colleagues has been significantly raised. The implementation process has allowed the company’s management to develop better mechanisms for overseeing these processes and seeing them as an investment for the future.
Compliance with global standards for information security and business continuity management will greatly facilitate our preparations for applying for a license to operate as a payment institution in connection with the Parliament’s passage of the long-awaited Payment Services Act. Issues such as up-to-date business continuity plans or effective risk management are among the basic requirements for the issuance of such a permit by the Financial Supervisory Commission.
Monika Wolczynska-Stachura, Chief Financial Officer, BillBird

Tests and training

Process testing was the fourth phase of the project. It was carried out through audits, corrective and remedial actions in individual units of the organization, and presentations and training on the ISMS for all employees. BCC consultants performed penetration tests of the IT infrastructure at BillBird. Their goal was to diagnose the state of IT security and lay the groundwork for improving it. Penetration tests involve an in-depth check of the IT infrastructure security measures in use in an organization, with a focus on potential vulnerabilities that could affect the security of systems and data.

The process audit consisted of two phases. The first covered IT security. Experts from BCC (currently All for One Poland) checked access from the LAN/WAN, the organization of remote work, the security of systems and applications, and the inventory of the physical structure of the network; they also reviewed the logical topology, the switching layer, routing and security of the internal network, network sockets and users’ connections to the VPN.

In addition, backup procedures, test recovery, privilege management strategies, policies for granting and revoking access and privileges, and the management of information available in applications (e.g., printing) were checked.

In the second phase of the audit, the penetration tests themselves were performed. Attacks from outside the BillBird network were carried out, and it was checked whether sensitive company data was discoverable on the Internet (e.g. through so-called Google hacking). Subsequent tests dealt with attacks from inside the BillBird network, attempts to breach system security, and attacks on Wi-Fi and web applications.

FZBI then conducted a review of the ISMS. Its report included, among other things, the results of audits and reviews of the ISO/IEC 27001 Information Security Management System, feedback from stakeholders, and the status of preventive, corrective and improvement actions. Also presented were techniques, products and procedures that could be used in the organization to improve the implementation and effectiveness of ISO/IEC 27001, actions taken as a result of previous management reviews, and vulnerabilities or threats that were not adequately addressed in the previous risk assessment.

The report also discusses performance measurement results, changes that could affect the ISO/IEC 27001 Information Security Management System, and improvement recommendations.

At the end of the project, a workshop was held to present the ISO/IEC 27001 information security management system in place at BillBird. The procedures and instructions in force were presented, as well as other organizational arrangements. Participants were able to learn about the principles of the certification audit and the sample questions and tasks they could expect during the audit.

Finally, a three-day certification audit for compliance with the requirements of ISO/IEC 27001:2005 took place in June 2011. The audit, conducted by accredited certification body TUV Nord, concluded with a positive recommendation for the system’s compliance with the requirements of the standard, BillBird’s information security policy, internal regulations, and good practices in ICT security.

The elite of good management
It is important to emphasize the visible involvement of the management board and all the company’s employees in the project to implement and maintain the ISMS. We rated the safeguards applied and the continuous monitoring of the system’s effectiveness required by the ISO standard very highly. BillBird is another company that has joined the elite of organizations managing the security of processed information in accordance with the international standard. It is an organization that has clearly defined its goals and is fully determined to achieve them. This approach, in the auditor’s opinion, makes it possible to meet the changing requirements of the market and legal regulations over time.
Robert Wójcik, Lead Auditor, TUV Nord
BillBird is Poland’s largest provider of financial and other commercial services through POS terminals and POS systems. Each month, the My Bills, My Top-ups and My Transfers services operating under the umbrella brand VIA™ process more than 4 million transactions: daily bill payments, telecom and energy top-ups or money transfers from abroad, which can be received directly at the store checkout. The company also provides customers with an online top-up service for pre-paid phone accounts of all leading operators. The company is part of the GTECH corporation, the largest lottery services technology company in the world.