Kreditkort - MasterCard and Maestro Cards

 

“The company sought expert assistance from several parties for the job, and Stiki ehf. was selected from that group.”
Ragnar Önundarson, CEO of Kreditkort

The operation of Kreditkort hf. is an important component in the mechanism that is the Icelandic economy. The role of bank notes and coins continues to shrink, and there is an increasing reliance on electronic information. The loss of the valuable services provided by Kreditkort hf. and the loss of the sensitive information stored by Kreditkort hf. would have extensive effects on the financial system underpinning Icelandic society. It is therefore vital to ensure, as far as possible, the business continuity of the Kreditkort hf. card management systems.

Kreditkort
The company handles the receipt of transactions from merchants who accept MasterCard, Maestro, American Express, JCB and Diners Club cards. The company is committed to becoming the most sought-after partner in the field of payment solutions in Iceland. The company’s card management system is the foundation on which its operation is built.

Of all societies, Iceland's comes closest to being called a cashless society. The role of bank notes and coins continues to shrink, and there is an increasing reliance on electronic information. Due to the nature of its operation, the company stores a great amount of personal information in its card management systems. It is therefore very important to Kreditkort hf. to ensure the security of its card management systems and the professional treatment of the information stored therein.

“When looking for the best way to ensure that security measures for the company’s card management systems, its business continuity and the treatment of personal information contained in the card management systems complied with laws and regulations, the decision was made to implement an information security control system based on the ISO 17799 security standard. The company sought expert assistance from several parties for the job, and Stiki ehf. was selected from that group.”

Kreditkort hf. has, therefore, enjoyed the expert assistance of Stiki in the implementation of the ISO 17799 security standard. This work has resulted in the preparation of a web-based security manual for Kreditkort hf., a risk assessment of the company’s information assets, and a plan for business continuity, all prepared using the format and software provided by Stiki ehf. Co-operation between Kreditkort hf. and Stiki has been excellent.

The implementation of the security standard includes preparing a risk assessment for the company’s information assets. During this work, the company was able to use Stiki’s specialised software, RM Studio®. RM Studio® ensures conformity between the requirements set out in the security manual and the controls implemented to manage the analysed and assessed risk, as both are based on the ISO 17799 standard.

In the opinion of Kreditkort hf., RM Studio® is a very powerful tool for performing complex tasks such as information assets risk assessments. RM Studio® is accessible, managed the project well and led the company through the preparation of the risk assessment.

Kreditkort hf. currently has a business continuity plan under which the operating environment of the company has been defined. This means that the services provided by the company and the processes used are specified and their importance evaluated. This work was based on the risk assessment of the company’s information assets. Organisational circumstances are described, including policies and plans, assessment of risk and available skills and resources both inside and outside the company. Furthermore, the operations of the company are mapped out, necessary resources for each operational aspect are specified and the effects of possible operational disruptions are assessed. Emergency teams are defined. Finally, possible disruptions are specified, and this framework is used to define levels of urgency and prepare action plans for the various emergency teams. Restorative actions are defined based on the specified level of urgency.

Business continuity management procedures are described in the Kreditkort hf. safety manual and are based on the template provided by Stiki. Plans that can be implemented in the event of a disruption which discontinues the operation of the card management system are a part of the management of business continuity. The goal of plans for business continuity is to limit the effects of disruptions and to minimise damage by shortening reaction and restorative action times in the event of an interruption to operations. It is our opinion that the project would not have taken such a short time, or been so successful, without the expert assistance of Stiki.

 


Benefits of RM Studio

RM Studio has the complete standard clauses from ISO/IEC 27002 incorporated into the software, considerably reducing the time wasted on flipping through standards and finding the appropriate controls.

Risk assessment

Risk Assessment plays an important role in the implementation of information security and is one of the requirements.

Information Assets

An information asset is any information of value to a company and its operation. Information assets, like any other assets of a company.

Traceability

Offering traceability is a very important feature in software. Data traceability is a key component in RM Studio®.