© ETIS 2012
Successful Practices in Telco Security
Benchmark observations 2010 - 2012
Date October 7th 2012
Authors H. Kerkdijk M.Sc. and R. Wolthuis M.Sc.
Version: FINAL
Successful Practices in Telco Security
Produced by TNO
PO Box 1416
9701 BK Groningen
The Netherlands
www.tno.nl
Authors H. Kerkdijk and R. Wolthuis
Project manager H. Kerkdijk
Project owner Terje Tøndel, ETIS
Status FINAL
Date October 7th 2012
© 2012 ETIS
Disclaimer
All rights reserved. No part of this document may be reproduced and/or published in
any form by print, photoprint, microfilm or any other means without the previous
written permission from ETIS.
The commercial use of any information contained in this document is strictly
prohibited.
Contents
Preface 4
Abbreviations ........................................................................................................................... 5
1 Introduction.............................................................................................................. 6
1.1 Background................................................................................................................ 6
1.2 About this document.................................................................................................. 6
1.3 About TNO................................................................................................................. 7
2 Corporate Security Function.................................................................................. 8
3 Security management ........................................................................................... 11
4 Commercial role of security ................................................................................. 15
5 Fraud management................................................................................................ 17
6 Security in the development process.................................................................. 19
7 Security monitoring and incident management................................................. 22
Preface
Already in its fourth year, the ETIS Information Security Benchmark is motivated by
the prevailing absence of Telco specific security benchmarks focusing on the
industry in Europe. Between 2009 and 2012, the Benchmark has incorporated a
total of 16 European Telecom providers, many of which are now repeat participants.
This continuity not only lends more value to the results as it allows for a good
degree of comparability with previous years, but it also enables one to track the
evolution of the security landscape and best practices.
As a complement to the Security Benchmark, we have also produced a Successful
Practices Executive Report that is publicly available to highlight our work and also
attract potential participants. Over the years, the survey has been exceptionally rich
with interesting practices that Telcos might adopt from one another. The result is
33 best practices distributed over the various security themes. This rise has been
partially due to the emergence of two major recent challenges: the struggle to
manage employees bringing their personal devices (e.g. iPhones, tablets) into the
corporate network and the rise of social media, which can be viewed both as a
communications tool and as a security threat.
The best practices are also discussed each year at a dedicated workshop hosted by
TNO. While it is interesting to see the figures and best practices in the benchmark
report, there is also added value in physically discussing those differences and
comparing best practices.
Work of this kind must be based on partnership. We thank TNO for producing the
reports and the ETIS Member companies that took part for their commitment
and openness. Our slogan has always been ‘Sharing knowledge is our strength’
and using it is yours. We would like to encourage you to use this report to learn
where you stand and to motivate improvements in your own companies.
Yours sincerely,
Fred Werner
Communications & Programme Director
ETIS
Abbreviations
BIA Business Impact Assessment
CERT Computer Emergency Response Team
CFO Chief Financial Officer
CISO Chief Information Security Officer
CSF Corporate Security Function
CSO Chief Security Officer
DSS Data Security Standard
EFL Effective Fraud Loss
IEC International Electrotechnical Commission
ISMS Information Security Management System
ISO International Organization for Standardisation
KPI Key Performance Indicator
NG Next Generation
NOC Network Operations Center
PCI Payment Card Industry
PFL Prevented Fraud Loss
RTP Risk Treatment Plan
SIM Subscriber Identity Module
SOC Security Operations Center
SP Successful Practice
USP Unique Selling Point
1 Introduction
1.1 Background
ETIS, the Global IT Association for Telecommunications, is a membership based
organisation in which major European telecoms providers exchange views on
delivering and using ICT effectively. Much of this information exchange takes place
through working groups that gather several times per year for this purpose. Among
these groups is the Information Security Working Group (henceforth referred to as
the ETIS Security Group), in which telcos and vendors exchange knowledge and
experiences concerning information security related matters.
In early 2009, the ETIS Security Group decided to set up a yearly security benchmark
activity with the objective of comparing security strategies and approaches among
ETIS member telcos, thus enabling these telcos to determine which specific
aspects of security require attention within their respective organisations. Executing
a security benchmark within the ETIS context has proven a successful formula,
among other things because such a benchmark can be focused on telco specific
security issues. Between 2009 and 2012, a total of 16 European telcos took part in
the benchmark endeavour. All benchmark activity is conducted and coordinated by
TNO, an independent research and consulting organisation from The Netherlands
and also an active participant in the ETIS Security Group.
A well-received element in the ETIS Security Benchmark is the concept of so-called
successful practices. This refers to strategies, approaches or methods that have
proven successful at specific benchmark participants and might be (partly) adopted
by others. Whilst benchmark results are generally restricted to the participating
companies, it was decided to share successful practices identified between 2010
and 2012 with the entire ETIS community.
1.2 About this document
This document presents the 33 successful practices in telco security that were
identified in the security benchmark effort between 2010 and 2012. In the following
chapters, these practices are structured according to the security themes
addressed in the benchmark:
1. Corporate Security Function
2. Security Management
3. Commercial role of security
4. Fraud Management
5. Security in the development process
6. Security monitoring and incident management
The numbering of practices in this document corresponds directly to the SPxx
codes assigned in the benchmark reports of 2010-2012. Note that these codes
follow the years in which respective practices were identified and are thus non-
linear across the various themes.
1.3 About TNO
The Netherlands Organisation for Applied Scientific Research (TNO) is one of
Europe's leading independent research and consulting organisations. TNO was
founded in 1932 by an act of the Dutch parliament to make scientific research and
high end knowledge accessible and applicable for businesses and government.
TNO is a not for profit organisation which by law is required to operate
independently and objectively. TNO has organised its expertise and competences
in seven themes. Each theme is divided into a number of innovation and consulting
areas, as illustrated in the following figure.
TNO provides research, development, engineering and consultancy services to
government and industry, to assist in solving complex and challenging technical
problems and establish technological innovation. TNO’s staff presently
encompasses some 4400 employees and includes 50 university professors. TNO
has a versatile customer base that includes local and national government bodies in
The Netherlands (e.g. the Ministry of Defence and the Ministry of Economic Affairs),
large corporates in industries such as finance, oil and gas and telecommunications
and several European Union bodies.
2 Corporate Security Function
This chapter describes successful practices within the context of a Corporate
Security Function (CSF), as observed at telcos participating in the ETIS Security
Benchmark. Here, the term CSF is defined as follows:
Definition
The Corporate Security Function is defined as the total of people and duties
residing under the direct responsibility of a CSO, CISO or equivalent.
Whilst the above definition proved practicable in most cases, TNO encountered
some telcos that had both a Chief Security Officer (CSO) and a Chief Information
Security Officer (CISO) and one telco where the position of C(I)SO was completely
absent. In such instances, TNO and the telco concerned jointly assessed which
security team in that telco’s organisation best qualified as a CSF.
SP01: Baseline Corporate Security Function setup
The various benchmarks have shown that there is no single optimum setup of a
Corporate Security Function. Important factors to this end are size and
(management) culture of the respective telco, which obviously vary greatly.
Nonetheless, the following baseline characteristics will enhance the success of
any CSF, irrespective of its specific context:
a. The highest security official (CSO/CISO) should reside directly beneath or at
least have direct (functional) access to executive management to ensure
sufficient span of control and visibility.
b. The CSF should not limit itself to development and maintenance of company
wide security policies, but also provide active and visible support to business
through tactical (e.g. risk assessment) and perhaps even operational (e.g.
maintain security operations center) duties.
c. The CSF should preferably not be incorporated in an IT or other technical
unit, but visibly have a broader focus to avoid the risk of being regarded as
or even becoming a solely technical body.
d. The CSF should exploit the potential of bundling interrelated security areas
by at least taking responsibility for information security, IT & network security
and Business Continuity Management and closely aligning objectives,
strategies and actions for these areas.
Note that item d should be addressed with due care, since senior management
might see such bundling as an opportunity to reduce headcount. Some
benchmark participants have had this experience.
In addition to the above, it is usually helpful to incorporate certain legal duties
(e.g. lawful interception or data retention) within the CSF structure to enhance its
visibility and strategic weight.
SP02: Strategic security board
Setting up a strategic security board as a business driven platform for strategic
security governance has been a very successful step at some of the participating
operators. If implemented well, such a body ensures that strategic security
choices are ultimately governed by senior business managers, thereby
establishing intrinsic business involvement and commitment.
A strategic security board should preferably consist of senior management (e.g.
business unit directors) and be chaired by a motivated board member. Its
primary task should be to govern strategic security objectives, priorities and
budgets based on input and proposals put forward by the highest security official
(CSO/CISO).
A strategic security board will only function well if guided by a decent strategic
security plan, for instance with a 2-3 year time span. Establishing such a plan
and getting senior management’s attention for it (i.e. lobbying), should be a
priority for any CSO with the ambition of getting such senior management
actively involved.
SP14: Employ social media to enhance security involvement
Setting up social media on the internal intranet has been a successful step at
one of the participants to enhance security involvement of employees throughout
the organisation. Having officials such as the CSO actively interact with the
organisation through a blog or perhaps an internal version of Twitter or
Facebook offers the following opportunities:
• Employees throughout the organisation can be reached with a single action,
thereby raising security awareness at a large scale with very limited effort
• Information posted by the CSO will often trigger interesting responses from
employees in all layers of the organisation, including many that the CSF
would usually not interact with directly. Such responses provide insight into
current issues and sentiments with respect to security and will help the CSF
to identify any actions required.
Note that some operators have a policy to block the use of social media on their
corporate internet connection. However, this practice specifically pertains to a local
implementation of such social media on the native intranet, which is available to
the operator’s employees only. Moreover, to avoid undesired use of such media
it is advisable to ensure that the identity of employees posting information
or participating in discussions is always revealed (i.e. not to allow anonymous use).
SP15: Monitor relevant security discussions on external social media
Social media on the public internet are often host to interesting discussions on a
company and/or its products and services. As shown by one of the benchmark
participants, it can be worthwhile to monitor such discussions specifically from a
security perspective to discover current issues, sentiments and even
vulnerabilities the company needs to act upon.
Social media monitoring can be bought as a service from specialised
companies, who will scan the Internet in search of predefined keywords that
relate to security and periodically report their findings. Use of such services has
already been popular among marketing and PR departments (to name a few) for
some time.
SP22: Establish measurable targets in which security is a dominant factor
Whilst factors such as employee satisfaction and budget discipline are by all
means relevant, CSF performance should ultimately be appraised on the basis
of actual security targets. Moreover, various benchmark participants have
observed that senior management is most receptive to quantitative information.
Targets should hence be measurable in nature.
Based on the experiences of some benchmark participants, management
involvement will increase substantially if they acknowledge the security
objectives and are provided with frequent (weekly/ monthly) status updates. In
turn, such management involvement is crucial for receiving adequate support
and resourcing.
3 Security management
This chapter describes successful practices with respect to security management,
as observed at the benchmark participants. Here, security management is defined
as follows:
Definition
Security management is the process of operating, monitoring, reviewing,
maintaining and improving security within a certain context and scope.
In the ETIS benchmark, several factors of security management systems in telco
organisations have been considered:
• scope of the security management system
• extent to which security management processes are defined and documented
• extent to which security responsibilities have been clearly laid down
• approaches to governing compliance with security policies.
Successful practices observed mostly relate to the first and the last bullet.
SP03: Security management based on combined methods
It is apparent from several benchmark results that a combination of a risk based
and best practice based approach for security management is usually most
effective. The best practice approach is cost efficient and easy to check on
compliance, hence it is suitable for ‘normal’ daily operations. At the same time it
leaves little room for business to accept possible risks to increase profitability.
The risk based approach usually requires more effort and should thus be applied
in particular to special cases (new areas) or high impact situations. The risk
based approach offers flexibility to business to have a better balance between
risks and costs to reduce risks.
Special attention should be given to the choice where to go for the best practice
approach and where to use a risk based approach. To begin with, this could be
done by expert opinion or based on experience. More formal methods could
include Business Impact Assessment (BIA) or a split into ‘high level’ Risk
assessment on business processes and a more detailed risk assessment on
technical level, the latter based on the risks found in the high level risk
assessment.
SP04: Use of security Key Performance Indicators
Use of Key Performance Indicators (KPIs) for security allows better reporting
and offers more insight in the status of security and compliance, both internally
and to the outside world (like regulators and customers). The use of KPIs also
improves possibilities to control the state of compliance and to formulate and
monitor improvement actions.
KPIs should be defined in such a way that they support the implementation of
the security policy. KPIs must integrate logically into operations, without placing
too high a load on the organisation. Another important aspect is that KPIs must be
formulated in such a way that they are of interest to the business. KPIs that are
formulated too technically will not have the intended effect on business and therefore will not
help to raise the priority of compliance with the security policy.
SP05: Business drivers for security policy compliance
To make sure that business departments are also willing to comply,
compliance should be made attractive to them. This can be done in two ways.
The first is to make sure that they realise that customers ask for security, and
the second is to make sure that implementation and use of the security policy is
as efficient and easy as possible.
Business departments are looking for ways to satisfy their customers and as a
result of that, increase their turnover and profit. A good business driver for
compliance to the security policy therefore is demand from customers. It is
apparent that if customer requirements show a demand for security, the interest
of business to comply with the security policy will grow. Two operators had a
good experience in this area, performing a survey among their customers. The
result of the survey indicated that a majority of their customers see security as
an important factor in the decision where to buy their services. These particular
operators experienced a boost in business interest in security.
The other aspect is simplification of the process of reporting. An example is
successful integration with other compliance processes, which will simplify
compliance for the business and operational units (avoiding multiple reports with
the same content) and therefore improve the willingness to comply. Another
example is the introduction of tools that will help to collect evidence for
compliance.
SP16: Web based security training for employees of suppliers
Awareness activity is usually limited to the internal scope of a company. One
successful practice we have seen in the benchmarks is the introduction of a web
based training programme for employees of suppliers. This was developed
specifically, in addition to addressing security aspects in contracts with suppliers, to
raise awareness among the employees of suppliers. This far-reaching
method of achieving awareness is a good example of looking beyond the
boundaries of a company, which is worth considering given the
many outsourcing deals going on at telecommunication companies.
The content of the training should be targeted at specific topics of the security
policy of the operator; generic security knowledge should be considered the
responsibility of the supplier itself, which can be recorded in the contracts. Also
some proof should be available (e.g. lists of employees that have done the
training) to show that the training is effective.
This successful practice, combined with the proper contractual agreements, can
be an effective approach to ensure that only security (policy) aware personnel
access an operator’s systems or buildings.
SP17: Position audits as an instrument of improvement, not punishment
Audits, both internal and external in nature, have a tendency to focus rather
strongly on the weak points of the auditee and magnify shortcomings. In
addition, audit reports are all too often used to sanction an auditee. A successful
practice we have seen in the benchmarks is conducting internal audits (also
called reviews) that take a different approach – not only identify and report
shortcomings, but focus on cooperation with the auditee and jointly establish a
balanced picture of the situation that also reflects strong points.
If a culture is created in which audits are seen as a means of improvement
rather than sanctioning, this will result in more openness, more cooperative
auditees and more effective improvement.
SP23: Embrace outsourcing security as an explicit security objective
For some time now, most operators tend to outsource more and more activities,
including traditional telco core activities such as managing telecommunication
networks. Many participating CSFs recognize this trend, which obviously
introduces security risks with regulatory and customer impact. Based on the
benchmark findings, it is apparent that a shift in approach is needed, from an
internal security perspective towards security governance of external
relationships.
Activities required to stay in control include specific policy making, security
support in contract negotiations and structural attention to governance &
compliance during the operational contract period. One particular approach seen
in the benchmarks is the establishment of a risk management & security board in
which the operator and a major outsourcing partner jointly reside. Security
issues can be discussed on a regular basis and output of this meeting can be
one of the inputs for the CSF report.
Another issue with outsourcing concerns the possible disappearance of available
security competences. While the number of outsourced activities increases,
keeping security competence at the operator at an acceptable level might be a
problem. In outsourcing deals, usually (security) knowledge flows from the
operator to the outsourcing partner. It is essential to retain sufficient security
competences to understand and challenge the information behind the reports
that are delivered by outsourcing partners.
SP24: Employ ISMS support tooling
Maintaining a security management system is a complex and time consuming
task. The use of supporting tooling specifically targeted at security management
and supporting the ISMS is seen to be a good approach to relieve security staff.
As experienced by some of the participating operators, use of tooling in
maintaining the ISMS can be very helpful and efficient. Other operators
recognise the potential in this area. Benefits include automation of processes,
continuous compliance, a single means to comply with multiple regulations (e.g.
ISO/IEC 27001, PCI DSS, Sarbanes Oxley, Basel II) and built-in compliance
checklists.
Tools that are employed by operators include risk management tooling
combined with information asset management tooling and a specific compliance
and risk management solution called SecureAware. Attention should be given to
the burden that these tools place upon the telco’s staff. Use of tooling should
help them achieve their goals, not introduce administrative (often seen as
unnecessary) overhead.
SP25: Complement security awareness with security empowerment
Telcos generally recognize the importance of user awareness. Security
awareness activities however, usually focus on achieving a learning effect
among employees. But raising awareness can only be effective when employees
have a feeling that they are supported in their security activities. Being aware is
one thing, being supported is one step further. One of the operators therefore
employs what can be called ‘security empowerment’. This is a more active
approach, complementing awareness actions. With security empowerment,
employees are really supported in making the right security decisions and
applying the right security measures. Examples of security empowerment are:
• Supplying employees with tools and tangible guidance that enable them to
perform security duties effectively
• Offering the right means to make security practicable for non-specialists
Many operators share the experience that offering practical means to their staff
has a strong motivational effect.
4 Commercial role of security
Security is often seen as a burden and a source of cost, but can also be embraced
as a Unique Selling Point (USP) by which an operator distinguishes itself in the
market. Moreover, selling specific security services might directly increase an
operator’s revenues. Over the years, the ETIS Security Benchmark has explored
how telcos address security from a commercial point of view. This chapter
describes successful practices encountered in this area.
SP06: Business involvement and security portfolio
The benchmarks have shown that business involvement in the strategic security
approach of the operator is crucial. Without business involvement, the driver for
offering high quality security in the services portfolio is very weak. Essential to
develop business involvement is to make the business aware that security is no
longer an internal quality parameter, but a stringent business requirement.
Marketing and sales people should know the highlights of the security strategy of
the operator. It should be good practice that marketing and sales people, when
visiting large customers, are regularly accompanied by security consultants that
can explain the operator’s vision and strategy with respect to security. These
consultants can be situated in the commercial departments, but there must be a
tight connection to the CSF (see also SP26).
Besides positioning security consultancy as an added value to marketing and
sales, security consulting can also be offered as a separate security service.
Also in marketing campaigns, security should be addressed prominently. It does
not matter whether the strategy of an operator is to offer security services or
offer secure services. In both cases, the message should be that the operator
knows his business, also in the security area.
There is general consensus that the commercial role of security will grow. Opinions
differ on the question whether this will be in the area of “secure
services” or in the area of dedicated security services. In any case, the number
and type of specific security services in the portfolio should be considered carefully.
SP07: Certification and third party audits
The benchmarks have shown that the number of customers requesting audits
will grow; this development is also triggered by more regulatory pressure on
customers of the operator. Audits generally take considerable effort on the
operator side. Some operators have successfully countered this development by
certification and by third party audits. If a service or department is certified, a
customer has proof, provided by an independent party, that the operator
complies with a certain standard, such as ISO/IEC 27001. An alternative,
equally successful approach for an operator is to have an independent third party
auditor perform an audit. This report can then be given or sold to customers that
require an independent check. The advantage is that the audit process can be
managed by the operator itself and the operator will not be flooded with auditors
sent by their customers.
SP18: Sell your customers “assurance” instead of “security”
Traditionally, commercial communication to customers mainly involves
information on threats, measures and security. This usually does not appeal to
what a customer really wants: the customer wants to be reassured. Therefore it
can be better to communicate with customers using words like ‘assurance’. A
customer does not want good security as such; a customer wants assurance that
everything is in good hands and taken care of. Of course, ‘assurance’ implies
something more than good security alone. It also implies good communication,
providing proof and reports, and communicating in the language that the
customer speaks. Realising this will require quite a change in communication
and agreements with customers and suppliers.
SP26: Offer CSF support to commercial staff
Customers pay increasing attention to security and security services.
But selling security is complex, due to its often technical nature and the absence of
immediate quantitative customer benefits. It is hard to properly address benefits
and justify potential extra costs for customers. Therefore, sales staff should be
supported in selling security.
Security expertise, security competence and specific knowledge concerning
telecom security issues are usually available within the CSF. CSF staff are able to
bridge the gap between the security world and the business world. CSF staff can
support sales with internal consultancy, educate sales staff and accompany
sales teams on customer visits. This support function can be expanded into a
commercial security consultancy service, but such consultancy is best
restricted to existing customers who also purchase other services of the operator
and should be related to the operator’s own portfolio. This is the (niche) area where the
operator (understanding its customers and having knowledge of telecom
services) can commercially distinguish itself from general security consulting
companies. Some of the operators have very good experience with this model of
‘consultative selling’.
5 Fraud management
Effectively tackling financial losses and other damage that may result from
telecommunications fraud has been an important issue for telecoms providers since
the market liberalised in the early 1990s. Here, telecommunications fraud is defined
as follows:
Definition
Telecommunications fraud is the abuse of telecoms infrastructure and/or
services with the intention of obtaining financial gain at the expense of telecoms
providers and/or their customers.
This chapter describes successful practices within the context of telecoms fraud
management, as observed at telcos participating in the ETIS Security Benchmark.
SP08: Fully specialised fraud management team
Setting up a specialised fraud management team has been successful at many
of the participating operators. Such a specialised team provides more
accurate insight into fraud losses and generally constitutes a more
future-proof arrangement.
A fraud management team will only function well if it maintains active working
relationships with the bad debt and revenue assurance teams. Additionally, it
should be self-sufficient in terms of manpower, expertise and tooling.
SP09: Fraud risk assessment for new products and services
Assessing fraud risk in new products/services requires specialist fraud expertise.
Leaving such assessments to regular project teams might cause fraud risks
to be overlooked or underestimated. Direct involvement of the fraud team
ensures accurate assessment of risks and adequate follow-up.
For assessing fraud risks in new products/services a structured methodology
should be adopted. Such a methodology should at least cover attractiveness to
fraudsters, customer acceptance procedures, billing mechanisms, partner
settlement procedures, technical issues and monitoring capabilities.
SP19: Fraud risk assessment questionnaire for development projects
As described in SP09 (see above), fraud risk assessments should preferably be
conducted by specialists from the fraud team. However, whilst these experts
have the skills and expertise to perform such an assessment, resources in the
fraud team are often too limited to be involved in every single development
project initiated within the operator’s organisation.
Experience at one operator shows that a fraud “pre-screening” questionnaire
can be developed, consisting of questions that the project team itself fills
in. The fraud team then evaluates the completed questionnaires to filter out
the most severe cases and focuses its effort on those specific projects.
Note that this practice might combine well with SP11, as described in the
following chapter.
SP27: Seek fraud dialogue with broad set of stakeholders
It is quite common for fraud teams to maintain active working relationships with
bad debt and revenue assurance units in their companies, since the subject
matter addressed by these teams shows great overlap. However, effective fraud
operations also require interworking with various other units. Examples include
billing, invoice management and the company’s legal department. Active
dialogue across all relevant stakeholders will enhance overall fraud awareness
and enable fine-tuning of working procedures with relevant entities.
Fraud teams should look beyond the traditional partnerships with bad debt and
revenue assurance teams and also invest in relationships with other
stakeholders in their companies. One possible approach is to organise a
periodic get-together with a broad selection of stakeholders to jointly evaluate
some of the major fraud cases that have taken place.
SP28: Base fraud reporting on structured KPIs and target broad audience
Whilst many telcos limit fraud reporting to their CFO and possibly the full board,
such reports are also relevant to various other entities within the telco
organisation. Business owners form an evident target audience, but one might
also consider billing and legal departments or even commercial outlets. A
structured set of fraud KPIs seems the most suitable basis for an effective fraud
operations report. Examples of viable KPIs include:
- Effective Fraud Loss (EFL)
- Prevented Fraud Loss (PFL)
- Revenue recovered
- Number of cases handled in the reporting period
Telcos generally indicate that their (senior) management is most receptive to
quantitative information, and fraud is a particularly suitable area for meeting
this demand.
6 Security in the development process
As history has proven, new products, systems and services are often accompanied
by unforeseen vulnerabilities and are therefore at the source of many security
incidents. The ETIS Security Benchmark has explored how operators address the
security risks associated with such new products and services in their development
processes. This chapter describes successful practices observed in this area.
SP10: Integral embedding of security in development
Telcos that participated in the benchmark generally agree that security should be
addressed integrally throughout the process of developing a product or service.
This means that:
a. Each stage of the formal development process at a telco should include
security activity
b. Each decision tollgate in the formal development process should include
specific security deliverables suitable to the preceding stage
The net result should be a process where security requirements are defined in
the earliest project stages and the remainder of the project incorporates a
consistent level of attention towards ensuring that these requirements are met.
This means that security should still be a topic of interest once the project
reaches such phases as testing, piloting and handover to operational units.
Experience indicates that a process for managing security in development will
only work well if the governing authority (in most cases the CSF) actually has
the power to stop a project if security is not addressed appropriately. This
should include a strong vote at the launch gate. Bear in mind that this power
to stop projects should of course only be exercised in extreme cases, to avoid
a situation where the CSF is seen as a hindrance to business.
SP11: Project rating determines security approach
An approach seen at several operators is to assign a security rating to a project
in its early stages. This rating subsequently determines the (detail of the)
security approach for the remainder of the project. One might for instance
distinguish projects that require a thorough risk assessment from those that can
follow a standard security baseline based on the risk profile of the product or
service under development.
Differentiating security approaches among projects on the basis of a security/risk
rating is found to be an effective way of balancing the benefit of risk
management activity against the effort it requires.
SP12: Next generation security architecture that transcends technology
When developing NG [1] (Next Generation) infrastructure and services, it is wise to
address the specific nature of NG security through a dedicated NG security
architecture. Here, the following practices are instrumental for achieving
adequate results:
a. The NG security architecture should not be limited to technological issues,
but also reflect the impact of NG on such issues as governance, policies and
processes.
b. Explicitly distinguish security provisions at the level of networks and
services, respectively, to account for the new setup in which a single
network will provision a variety of services.
c. Rather than mandating specific security measures, the NG security
architecture should predominantly consist of design principles and common
security provisions. The latter refers to shared security provisions that
accommodate many services, for instance a central identity and access
management module.
For any NG security architecture to function well, it should be set up as a joint
effort of various competences within the operator organisation. This includes IT,
infrastructure and commercial departments.
SP20: Maintain Risk Treatment Plan (RTP) during development
Maintaining a so-called Risk Treatment Plan (RTP) in development projects is a
promising concept that could be successful at many operators. Such a Risk
Treatment Plan should at least document the following:
• An overview of the primary (top 5 or top 10) risks with respect to the product
or service under development
• The risk treatment strategy (accept, mitigate, avoid, …) selected for each of
the acknowledged risks
• A summary of the security measures adopted and the corresponding security
investment (financial, man hours, time) required in the project
• An indication of risk severity both before and after risk treatment, in
qualitative (type of damage) as well as quantitative (financial) terms
Projects should ideally be required to produce a first version of the RTP early on
in the project and establish updates at each subsequent project tollgate.
Through this approach, the RTP is enhanced and refined as the innovation is
elaborated in more detail.
Apart from guiding the general process of security risk management, the RTP
could also facilitate decision making and business involvement. To achieve this,
business owners of the product under development should be required to sign
off each version of the RTP, thus declaring that they agree with the risk
treatment decisions and security investments specified.
[1] Within this context, NG refers to the packet-based successor of traditional
telecommunications, where internet technology is predominant and typical service
portfolios include multiplay (voice, TV, internet) and 3G data services.
SP29: Maintain tangible security design guidelines
Operators could greatly benefit from developing and mandating security design
guidelines that define a standard (minimum) security configuration for systems
and networks. Such guidelines could serve as a reference for development staff
and for instance address system hardening, network segmentation, web
application development, access control and authentication protocols.
Within operator organisations, specific IT departments will often develop design
guidelines for their own local context that could also be of value for other IT
units. CSF teams could facilitate this by compiling available guidelines,
generalising them where necessary and subsequently incorporating them in their
policy and guidance structures. This approach is often effective, since IT
departments have more in depth knowledge of the actual technologies whilst the
CSF will have a broader view on the areas of application.
SP30: Conduct hacking contests among developers
An interesting approach towards achieving security awareness is to organise
hacking contests among development staff. Apart from raising awareness,
contests such as these also reveal which developers are interested in and have
a certain talent for security matters.
As an example, development staff might be offered a web portal that
incorporates several vulnerabilities and be challenged to identify the gaps.
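As an added illustration of such a contest portal (a constructed example, not code from the report or from any participating operator), the Python snippet below pairs a login handler with two planted findings, plaintext password storage and string-built SQL, with its hardened counterpart. The account names, passwords and the injection payload are made up for the exercise; the hardened version uses PBKDF2 and a parameterised query from the standard library.

```python
"""Seed for a developer hacking contest (SP30).

Constructed example, not code from the ETIS report or from any participating
operator. A deliberately weak login handler with two planted findings
(plaintext password storage and SQL injection) sits next to its hardened
counterpart, and run_challenge() shows which handler an injection payload
bypasses. All account names and passwords below are made up.
"""
import hashlib
import hmac
import secrets
import sqlite3

# Constructed challenge accounts; not real credentials.
CHALLENGE_USERS = {"alice": "correct-horse", "bob": "battery-staple"}

# Classic tautology payload contestants are expected to find. In SQLite,
# "--" comments out the rest of the statement, including the password check.
INJECTION_PAYLOAD = "alice' OR '1'='1' --"


def build_vulnerable_db() -> sqlite3.Connection:
    """Finding 1: passwords are stored in plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CHALLENGE_USERS.items())
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Finding 2: user input is spliced into the SQL text (string formatting),
    so the WHERE clause can be rewritten by whoever controls the username."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated key derivation so a dumped table is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_hardened_db() -> sqlite3.Connection:
    """Fix for finding 1: store a per-user salt and a PBKDF2 hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in CHALLENGE_USERS.items():
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _derive(pw, salt)))
    return conn


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix for finding 2: a parameterised query keeps the username as data, so
    the payload is looked up as a literal (non-existent) username."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _derive(password, b"\x00" * 16)  # same KDF cost for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


def run_challenge() -> dict:
    """Probe both handlers with a valid login, a wrong password and the payload."""
    results = {}
    for name, build, login in (
        ("vulnerable", build_vulnerable_db, login_vulnerable),
        ("hardened", build_hardened_db, login_hardened),
    ):
        conn = build()
        results[name] = {
            "valid_login": login(conn, "alice", "correct-horse"),
            "wrong_password": login(conn, "alice", "nope"),
            "injection_bypass": login(conn, INJECTION_PAYLOAD, "nope"),
        }
        conn.close()
    return results


if __name__ == "__main__":
    for handler, outcome in run_challenge().items():
        print(handler, outcome)
```

Contestants would be handed the vulnerable half and asked to name the gaps; the hardened half serves as the reference solution. The payload is expected to log in against login_vulnerable and to fail against login_hardened, while a genuine password works against both.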
SP31: Maintain library of standardised security requirements
Establishing and maintaining a library of (standardised) security requirements
that can be matched onto specific projects has worked out well at several
operators. Selection of such generic security requirements can be
complemented with specific requisites addressing the needs of individual
projects; expert appraisal or a risk assessment could form the basis for this.
7 Security monitoring and incident management
This chapter presents successful practices observed at the benchmark participants
in the areas of security monitoring and incident management. Factors addressed in
the benchmark under this heading include:
• The nature and setup of incident management provisions in the operator’s
organisation, where “security incident” is defined as any accidental or
intentional breach of (information) security in information systems, services and
networks, and “incident management” refers to the process of analysing,
correcting and reporting such security incidents
• The duties, approaches and methodologies of the Computer Emergency Response
Team (CERT) and Security Operations Center (SOC), to the extent that these
are present in the organisations of participating telcos.
Where present, CERT teams and SOC units usually play an important role in
security monitoring and incident management. The benchmark therefore
addressed such provisions through specific questions.
SP13: SOC for both internal and commercial purposes
The transition to full-IP infrastructures has made telcos susceptible to online
attacks. What’s more, such attacks are continuously becoming more complex
and larger in scale, and thus increasingly require specialised expertise to
manage. Many benchmark participants have had good experiences with setting up
a so-called Security Operations Center (SOC), defined as a dedicated,
centralised function for continuously monitoring and managing attacks on telco
infrastructure. Here, the following is of importance:
a. Benchmark participants generally agree that centralisation is a key success
factor for security monitoring, if only because it enforces bundling of the
(scarce) expertise an operator has available to this end.
b. Competences already available in CERT teams will usually offer a good
starting point for establishing the requirements for a SOC. Once in operation,
SOC and CERT staff should maintain a close working relationship (possibly
by integrating both into one unit).
c. It is usually attractive to widen the objectives of a SOC beyond internal
hygiene and also exploit it as a commercial service. However, care should
be taken when approaching customers with this possibility, since they might
be unpleasantly surprised when made aware of possible security events on
their network.
When considering commercial exploitation of a SOC, its primary purpose of
protecting the operator’s own service infrastructure should not fade into the
background. A possible approach to this end is to establish separate SOC units
for internal and external purposes, respectively. Whilst this may not seem the
most efficient approach at first sight, we have observed several operators
employing it to great satisfaction.
SP21: Reuse 24/7 capability of NOC for first line monitoring in SOC
Most operators already have a Network Operations Center (NOC) in place that
monitors the (continuity of the) telco infrastructure on a 24/7 basis. This
capability might to some extent be reused in the SOC, thereby establishing initial
24/7 operations at no or limited investment in additional personnel.
NOC personnel might be trained to provide at least first-line monitoring and
support during night hours. Getting this level of service up on a 24/7 basis will
already greatly enhance the effectiveness and value of the SOC. To enhance
the capabilities of the SOC even further, one might consider an on-call
security specialist who is on standby in case severe incidents arise.
SP32: Provide crisis team members with 3rd party SIM in address card
It is already good practice for members of crisis teams to have a SIM card of a
third party operator on them. With such a SIM card in their possession, they can
keep communicating, even if a large disturbance hits their own mobile network.
One benchmark participant integrated this SIM with an address card containing
contact information for the other team members and a crisis management
process description. This can be considered as a small and handy “crisis
management team member toolkit”. The operator that developed this concept
has had good experiences with this solution.
SP33: Establish active cooperation with other SOCs
Some telcos have had good cooperation experiences among their internally
oriented and commercial SOCs. Such cooperation allows for exchange of
knowledge, tooling, configurations and even people.
Some participants indicate they would also like to explore cooperation with
SOCs in other industries (e.g. banking SOCs). Such cooperation across
industries might give interesting (fresh) perspectives on threats, priorities and
SOC operations in general.

 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docxRAJU852744
 
DTT_IE_2016_FS_RegTech_is_the_new_FinTech
DTT_IE_2016_FS_RegTech_is_the_new_FinTechDTT_IE_2016_FS_RegTech_is_the_new_FinTech
DTT_IE_2016_FS_RegTech_is_the_new_FinTechFederico Giuntini
 
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001IJNSA Journal
 
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati
 
Future Cloud Action Line - EIT ICT Labs
Future Cloud Action Line - EIT ICT Labs Future Cloud Action Line - EIT ICT Labs
Future Cloud Action Line - EIT ICT Labs Digital Catapult
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Steve Hood
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Steven Pearson
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Alan Coleman
 
IT Security - Guidelines
IT Security - GuidelinesIT Security - Guidelines
IT Security - GuidelinesPedro Espinosa
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementchristophefeltus
 

Similar to ETIS Information Security Benchmark Successful Practices in telco security (20)

Cloud Computing Adoption for SMEs Challenges, Barriers and Ou
Cloud Computing Adoption for SMEs Challenges, Barriers and OuCloud Computing Adoption for SMEs Challenges, Barriers and Ou
Cloud Computing Adoption for SMEs Challenges, Barriers and Ou
 
Cyber Security Conference - Trustworthy computing cybersecurity white paper
Cyber Security Conference - Trustworthy computing cybersecurity white paperCyber Security Conference - Trustworthy computing cybersecurity white paper
Cyber Security Conference - Trustworthy computing cybersecurity white paper
 
ico-future-tech-report-20221214.pdf
ico-future-tech-report-20221214.pdfico-future-tech-report-20221214.pdf
ico-future-tech-report-20221214.pdf
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information Technology
 
Digitalization of Public Sector: How to LeapFrog with ICT - global best pract...
Digitalization of Public Sector: How to LeapFrog with ICT - global best pract...Digitalization of Public Sector: How to LeapFrog with ICT - global best pract...
Digitalization of Public Sector: How to LeapFrog with ICT - global best pract...
 
Master\'s Thesis
Master\'s ThesisMaster\'s Thesis
Master\'s Thesis
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
 
2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx2019 14th Iberian Conference on Information Systems and Tech.docx
2019 14th Iberian Conference on Information Systems and Tech.docx
 
DTT_IE_2016_FS_RegTech_is_the_new_FinTech
DTT_IE_2016_FS_RegTech_is_the_new_FinTechDTT_IE_2016_FS_RegTech_is_the_new_FinTech
DTT_IE_2016_FS_RegTech_is_the_new_FinTech
 
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
 
IT compliance
IT complianceIT compliance
IT compliance
 
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
Dr Dev Kambhampati | Strategic Principles for Securing the Internet of Things...
 
Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018Code of practice_for_consumer_io_t_security_october_2018
Code of practice_for_consumer_io_t_security_october_2018
 
Future Cloud Action Line - EIT ICT Labs
Future Cloud Action Line - EIT ICT Labs Future Cloud Action Line - EIT ICT Labs
Future Cloud Action Line - EIT ICT Labs
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
 
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)Compliance in Unified Communications & Collaboration- The Financial Sector (1)
Compliance in Unified Communications & Collaboration- The Financial Sector (1)
 
IT Security - Guidelines
IT Security - GuidelinesIT Security - Guidelines
IT Security - Guidelines
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

ETIS Information Security Benchmark Successful Practices in telco security

© ETIS 2012

Successful Practices in Telco Security
Benchmark observations 2010 - 2012

Date: October 7th 2012
Authors: H. Kerkdijk M.Sc. and R. Wolthuis M.Sc.
Version: FINAL

Produced by TNO
PO Box 1416
9701 BK Groningen
The Netherlands
www.tno.nl

Authors: H. Kerkdijk and R. Wolthuis
Project manager: H. Kerkdijk
Project owner: Terje Tøndel, ETIS
Status: FINAL
Date: October 7th 2012

© 2012 ETIS

Disclaimer
All rights reserved. No part of this document may be reproduced and/or published in any form by print, photoprint, microfilm or any other means without the previous written permission from ETIS. The commercial use of any information contained in this document is strictly prohibited.

Contents
Preface (4)
Abbreviations (5)
1 Introduction (6)
1.1 Background (6)
1.2 About this document (6)
1.3 About TNO (7)
2 Corporate Security Function (8)
3 Security management (11)
4 Commercial role of security (15)
5 Fraud management (17)
6 Security in the development process (19)
7 Security monitoring and incident management (22)
Preface

Already in its fourth year, the ETIS Information Security Benchmark is motivated by the prevailing absence of Telco specific security benchmarks focusing on the industry in Europe. Between 2009 and 2012, the Benchmark has incorporated a total of 16 European Telecom providers, many of which are now repeat participants. This continuity not only lends more value to the results as it allows for a good degree of comparability with previous years, but it also enables one to track the evolution of the security landscape and best practices.

As a complement to the Security Benchmark, we have also produced a Successful Practices Executive Report that is publicly available to highlight our work and also attract potential participants. Over the years, the survey has been exceptionally rich with interesting practices that Telcos might adopt from one another. The result is 33 best practices distributed over the various security themes. This rise has been partially due to the emergence of two major recent challenges: the struggle to manage employees bringing in their personal devices (i.e. i-phones, tablets) into the corporate network and the rise of social media, which can be viewed both as a communications tool but also as a security threat.

The best practices are also discussed each year at a dedicated workshop hosted by TNO. While it is interesting to see the figures and best practices in the benchmark report, there is also added value in physically discussing those differences and comparing best practices.

Work of this kind must be based on partnership. We thank TNO for producing the reports and the ETIS Member companies that took part for their commitment and openness. Our slogan has always been ‘Sharing knowledge is our strength’ and using it is yours. We would like to encourage you to use this report to learn where you stand and to motivate improvements in your own companies.

Yours sincerely,
Fred Werner
Communications & Programme Director, ETIS
Abbreviations

BIA   Business Impact Assessment
CERT  Computer Emergency Response Team
CFO   Chief Financial Officer
CISO  Chief Information Security Officer
CSF   Corporate Security Function
CSO   Chief Security Officer
DSS   Data Security Standard
EFL   Effective Fraud Loss
IEC   International Electrotechnical Commission
ISMS  Information Security Management System
ISO   International Organization for Standardisation
KPI   Key Performance Indicator
NG    Next Generation
NOC   Network Operations Center
PCI   Payment Card Industry
PFL   Prevented Fraud Loss
RTP   Risk Treatment Plan
SIM   Subscriber Identity Module
SOC   Security Operations Center
SP    Successful Practice
USP   Unique Selling Point
1 Introduction

1.1 Background

ETIS, the Global IT Association for Telecommunications, is a membership based organisation in which major European telecoms providers exchange views on delivering and using ICT effectively. Much of this information exchange takes place through working groups that gather several times per year for this purpose. Among these groups is the Information Security Working Group (henceforth referred to as the ETIS Security Group), in which telcos and vendors exchange knowledge and experiences concerning information security related matters.

Early 2009, the ETIS Security Group decided to set up a yearly security benchmark activity with the objective of comparing security strategies and approaches among ETIS member telcos, thus enabling these telcos to determine which specific aspects of security require attention within their respective organisations. Executing a security benchmark within the ETIS context has proven a successful formula, among other things because such a benchmark can be focused on telco specific security issues. Between 2009 and 2012, a total of 16 European telcos took part in the benchmark endeavour. All benchmark activity is conducted and coordinated by TNO, an independent research and consulting organisation from The Netherlands and also an active participant in the ETIS Security Group.

A well-received element in the ETIS Security Benchmark is the concept of so called successful practices. This refers to strategies, approaches or methods that have proven successful at specific benchmark participants and might be (partly) adopted by others. Whilst benchmark results are generally restricted to the participating companies, it was decided to share successful practices identified between 2010 and 2012 with the entire ETIS community.

1.2 About this document

This document presents the 33 successful practices in telco security that were identified in the security benchmark effort between 2010 and 2012. In the following chapters, these practices are structured according to the security themes addressed in the benchmark:

1. Corporate Security Function
2. Security Management
3. Commercial role of security
4. Fraud Management
5. Security in the development process
6. Security monitoring and incident management

The numbering of practices in this document corresponds directly to the SPxx codes assigned in the benchmark reports of 2010-2012. Note that these codes follow the years in which respective practices were identified and are thus non-linear across the various themes.
1.3 About TNO

The Netherlands Organisation for Applied Scientific Research (TNO) is one of Europe's leading independent research and consulting organisations. TNO was founded in 1932 by an act of the Dutch parliament to make scientific research and high end knowledge accessible and applicable for businesses and government. TNO is a not for profit organisation which by law is required to operate independently and objectively.

TNO has organised its expertise and competences in seven themes. Each theme is divided into a number of innovation and consulting areas, as illustrated in the following figure. TNO provides research, development, engineering and consultancy services to government and industry, to assist in solving complex and challenging technical problems and establish technological innovation. TNO’s staff presently encompasses some 4400 employees and includes 50 university professors. TNO has a versatile customer base that includes local and national government bodies in The Netherlands (e.g. the Ministry of Defence and the Ministry of Economic Affairs), large corporates in industries such as finance, oil and gas and telecommunications and several European Union bodies.
2 Corporate Security Function

This chapter describes successful practices within the context of a Corporate Security Function (CSF), as observed at telcos participating in the ETIS Security Benchmark. Here, the term CSF is defined as follows:

Definition: The Corporate Security Function is defined as the total of people and duties residing under the direct responsibility of a CSO, CISO or equivalent.

Whilst the above definition turned out practicable in most cases, TNO encountered some telcos that had both a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO) and one telco where the position of C(I)SO was completely absent. In such instances, TNO and the telco concerned jointly assessed which security team in that telco’s organisation best qualified as a CSF.

SP01: Baseline Corporate Security Function setup

The various benchmarks have shown that there is no single optimum setup of a Corporate Security Function. Important factors to this end are size and (management) culture of the respective telco, which obviously vary greatly. Nonetheless, the following baseline characteristics will enhance the success of any CSF, irrespective of its specific context:

a. The highest security official (CSO/CISO) should reside directly beneath or at least have direct (functional) access to executive management to ensure sufficient span of control and visibility.
b. The CSF should not limit itself to development and maintenance of company wide security policies, but also provide active and visible support to business through tactical (e.g. risk assessment) and perhaps even operational (e.g. maintain security operations center) duties.
c. The CSF should preferably not be incorporated in an IT or other technical unit, but visibly have a broader focus to avoid the risk of being regarded as or even becoming a solely technical body.
d. The CSF should exploit the potential of bundling interrelated security areas by at least taking responsibility for information security, IT & network security and Business Continuity Management and closely aligning objectives, strategies and actions for these areas.

Note that point d should be addressed with due care, since senior management might see such bundling as an opportunity to reduce headcounts. Some benchmark participants have had this experience. In addition to the above, it is usually helpful to incorporate certain legal duties (e.g. lawful interception or data retention) within the CSF structure to enhance its visibility and strategic weight.

SP02: Strategic security board

Setting up a strategic security board as a business driven platform for strategic security governance has been a very successful step at some of the participating operators. If implemented well, such a body ensures that strategic security choices are ultimately governed by senior business managers, thereby establishing intrinsic business involvement and commitment. A strategic security board should preferably consist of senior management (e.g. business unit directors) and be chaired by a motivated board member. Its primary task should be to govern strategic security objectives, priorities and budgets based on input and proposals put forward by the highest security official (CSO/CISO).

A strategic security board will only function well if guided by a decent strategic security plan, for instance with a 2-3 year time span. Establishing such a plan and getting senior management’s attention for it (i.e. lobbying) should be a priority for any CSO with the ambition of getting such senior management actively involved.

SP14: Employ social media to enhance security involvement

Setting up social media on the internal intranet has been a successful step at one of the participants to enhance security involvement of employees throughout the organisation. Having officials such as the CSO actively interact with the organisation through a blog or perhaps an internal version of Twitter or Facebook offers the following opportunities:

• Employees throughout the organisation can be reached with a single action, thereby raising security awareness at a large scale with very limited effort.
• Information posted by the CSO will often trigger interesting responses from employees in all layers of the organisation, including many that the CSF would usually not interact with directly. Such responses provide insight into current issues and sentiments with respect to security and will help the CSF to identify any actions required.
Note that some operators have a policy to block the use of social media on their corporate internet. However, this practice specifically pertains to a local implementation of such social media on the native intranet, which is available to the operator’s employees only. Moreover, to avoid undesired use of such media it is recommendable to ensure that the identity of employees posting information or participating in discussions is always revealed (i.e. not allow anonymous use). SP15: Monitor relevant security discussions on external social media Social media on the public internet are often host to interesting discussions on a company and/or its products and services. As shown by one of the benchmark participants, it can be worthwhile to monitor such discussions specifically from a security perspective to discover current issues, sentiments and even vulnerabilities the company needs to act upon. Social media monitoring can be bought as a service from specialised companies, who will scan the Internet in search of predefined keywords that relate to security and periodically report their findings. Use of such services has already been popular among marketing and PR departments (to name a few) for
  • 10. Successful Practices in Telco Security © ETIS 2012 10 / 23 some time. SP22: Establish measurable targets in which security is a dominant factor Whilst factors such as employee satisfaction and budget discipline are by all means relevant, CSF performance should ultimately be appraised on the basis of actual security targets. Moreover, various benchmark participants have observed that senior management is most receptive for quantitative information. Targets should hence be measurable in nature. Based on the experiences of some benchmark participants, management involvement will increase substantially if they acknowledge the security objectives and are provided with frequent (weekly/ monthly) status updates. In turn, such management involvement is crucial for receiving adequate support and resourcing. .
3 Security management

This chapter describes successful practices with respect to security management, as observed at the benchmark participants. Here, security management is defined as follows:

Definition
Security management is the process of operating, monitoring, reviewing, maintaining and improving security within a certain context and scope.

In the ETIS benchmark, several factors of security management systems in telco organisations have been considered:
• scope of the security management system
• extent to which security management processes are defined and documented
• extent to which security responsibilities have been clearly laid down
• approaches to governing compliance with security policies.
Successful practices observed mostly relate to the first and the last bullet.

SP03: Security management based on combined methods

It is apparent from several benchmark results that a combination of a risk based and a best practice based approach to security management is usually most effective. The best practice approach is cost efficient and easy to check for compliance, hence it is suitable for ‘normal’ daily operations. At the same time it leaves little room for the business to accept possible risks in order to increase profitability. The risk based approach usually requires more effort and should thus be applied in particular to special cases (new areas) or high impact situations. The risk based approach offers the business the flexibility to strike a better balance between risks and the costs of reducing them. Special attention should be given to the choice of where to use the best practice approach and where to use a risk based approach. To begin with, this could be done by expert opinion or based on experience. More formal methods could include Business Impact Assessment (BIA) or a split into a ‘high level’ risk assessment on business processes and a more detailed risk assessment at technical level, the latter based on the risks found in the high level risk assessment.

SP04: Use of security Key Performance Indicators

Use of Key Performance Indicators (KPIs) for security allows better reporting and offers more insight into the status of security and compliance, both internally and to the outside world (such as regulators and customers). The use of KPIs also improves the possibilities to control the state of compliance and to formulate and monitor improvement actions. KPIs should be defined in such a way that they support the implementation of the security policy. KPIs must integrate logically into operations, not placing too high a load on the organisation. Another important aspect is that KPIs must be formulated in such a way that they are of interest to the business. KPIs that are formulated too technically will not have the intended effect on the business and therefore will not help to raise the priority of compliance with the security policy.

SP05: Business drivers for security policy compliance

To make sure that business departments are also willing to comply, compliance should be made interesting to them. This can be done in two ways. The first is to make sure that they realize that customers ask for security; the second is to make sure that implementation and use of the security policy is as efficient and easy as possible. Business departments are looking for ways to satisfy their customers and, as a result, increase their turnover and profit. A good business driver for compliance with the security policy is therefore demand from customers. It is apparent that if customer requirements show a demand for security, the interest of the business in complying with the security policy will grow. Two operators had a good experience in this area, performing a survey among their customers. The result of the survey indicated that a majority of their customers see security as an important factor in the decision where to buy their services. These particular operators experienced a boost in business interest in security. The other aspect is simplification of the process of reporting. An example is successful integration with other compliance processes, which will simplify compliance for the business and operational units (avoiding multiple reports with the same content) and therefore improve the willingness to comply. Another example is the introduction of tools that help to collect evidence for compliance.

SP16: Web based security training for employees of suppliers

Awareness activity is usually limited to the internal scope of a company. One successful practice we have seen in the benchmarks is the introduction of a web based training programme for employees of suppliers. This was developed specifically, on top of addressing security aspects in contracts with suppliers, to raise awareness among the employees of suppliers. This far reaching method of achieving awareness is a good example of looking beyond the boundaries of a company, which is worth considering given the many outsourcing deals going on at telecommunication companies. The content of the training should be targeted at specific topics of the security policy of the operator; generic security knowledge should be considered the responsibility of the supplier itself, which can be recorded in the contracts. Also, some proof should be available (e.g. lists of employees that have completed the training) to show that the training is effective. This successful practice, combined with the proper contractual agreements, can be an effective approach to ensure that only security (policy) aware personnel accesses an operator’s systems or buildings.

SP17: Position audits as an instrument of improvement, not punishment

Audits, both internal and external in nature, have a tendency to focus rather strongly on the weak points of the auditee and to magnify shortcomings. In addition, audit reports are all too often used to sanction an auditee. A successful practice we have seen in the benchmarks is conducting internal audits (also called reviews) that take a different approach: not only identifying and reporting shortcomings, but focusing on cooperation with the auditee and jointly establishing a balanced picture of the situation that also reflects strong points. If a culture is created in which audits are seen as a means of improvement rather than sanctioning, this will result in more openness, more cooperative auditees and more effective improvement.

SP23: Embrace outsourcing security as an explicit security objective

For some time now, most operators have tended to outsource more and more activities, including traditional telco core activities such as managing telecommunication networks. Many participating CSFs recognize this trend, which obviously introduces security risks with regulatory and customer impact. Based on the benchmark findings, it is apparent that a shift in approach is needed, from an internal security perspective towards security governance of external relationships. Activities required to stay in control include specific policy making, security support in contract negotiations and structural attention to governance & compliance during the operational contract period. One particular approach seen in the benchmarks is the establishment of a risk management & security board in which the operator and a major outsourcing partner jointly reside. Security issues can be discussed on a regular basis and the output of this meeting can be one of the inputs for the CSF report. Another issue with outsourcing concerns the possible disappearance of available security competences. While the number of outsourced activities increases, keeping security competence at the operator at an acceptable level might be a problem. In outsourcing deals, (security) knowledge usually flows from the operator to the outsourcing partner. It is essential to retain sufficient security competences to understand and challenge the information behind the reports that are delivered by outsourcing partners.

SP24: Employ ISMS support tooling

Maintaining a security management system is a complex and time consuming task. The use of supporting tooling specifically targeted at security management and supporting the ISMS is seen to be a good approach to relieve security staff. As experienced by some of the participating operators, use of tooling in maintaining the ISMS can be very helpful and efficient. Other operators recognize the potential in this area. Benefits include automation of processes, continuous compliance, a single means to comply with multiple regulations (e.g. ISO/IEC 27001, PCI DSS, Sarbanes Oxley, Basel II) and built-in compliance checklists. Tools that are employed by operators include risk management tooling combined with information asset management tooling and a specific compliance and risk management solution called SecureAware. Attention should be given to the burden that these tools place upon the telco’s staff. Use of tooling should help them achieve their goals, not introduce administrative (often seen as unnecessary) overhead.

SP25: Complement security awareness with security empowerment

Telcos generally recognize the importance of user awareness. Security awareness activities, however, usually focus on achieving a learning effect among employees. But raising awareness can only be effective when employees feel that they are supported in their security activities. Being aware is one thing, being supported is one step further. One of the operators therefore employs what can be called ‘security empowerment’. This is a more active approach, complementing awareness actions. With security empowerment, employees are really supported in making the right security decisions and applying the right security measures. Examples of security empowerment are:
• Supplying employees with tools and tangible guidance that enable them to perform security duties effectively
• Offering the right means to make security practicable for non-specialists
Many operators share the experience that offering practical means to their staff has a strong motivational effect.
4 Commercial role of security

Security is often seen as a burden and a source of cost, but can also be embraced as a Unique Selling Point (USP) by which an operator distinguishes itself in the market. Moreover, selling specific security services might directly increase an operator’s revenues. Over the years, the ETIS Security Benchmark has explored how telcos address security from a commercial point of view. This chapter describes successful practices encountered in this area.

SP06: Business involvement and security portfolio

The benchmarks have shown that business involvement in the strategic security approach of the operator is crucial. Without business involvement, the driver for offering high quality security in the services portfolio is very weak. Essential to developing business involvement is to make the business aware that security is no longer an internal quality parameter, but a stringent business requirement. Marketing and sales people should know the highlights of the security strategy of the operator. It should be good practice that marketing and sales people, when visiting large customers, are regularly accompanied by security consultants who can explain the operator’s vision and strategy with respect to security. These consultants can be situated in the commercial departments, but there must be a tight connection to the CSF (see also SP26). Besides positioning security consultancy as added value to marketing and sales, security consulting can also be offered as a separate security service. Security should also be addressed prominently in marketing campaigns. It does not matter whether the strategy of an operator is to offer security services or to offer secure services. In both cases, the message should be that the operator knows its business, also in the security area. General consensus is that the commercial role of security will grow. Opinions differ on the question whether this will be in the area of “secure services” or in the area of dedicated security services. In any case, the number and type of specific security services in the portfolio should be considered carefully.

SP07: Certification and third party audits

The benchmarks have shown that the number of customers requesting audits will grow; this development is also triggered by more regulatory pressure on customers of the operator. Audits generally take considerable effort on the operator side. Some operators have successfully countered this development by certification and by third party audits. If a service or department is certified, a customer has proof, provided by an independent party, that the operator complies with a certain standard, such as ISO/IEC 27001. An alternative, equally successful approach for an operator is to have an independent third party auditor perform an audit. This report can then be given or sold to customers that require an independent check. The advantage is that the audit process can be managed by the operator itself and the operator will not be flooded with auditors sent by their customers.

SP18: Sell your customers “assurance” instead of “security”

Traditionally, commercial communication to customers involves mainly information on threats, measures and security. This usually does not appeal to what a customer really wants: the customer wants to be reassured. Therefore it can be better to communicate to customers with words like ‘assurance’. A customer does not want good security as such; a customer wants assurance that everything is in good hands and taken care of. Of course, ‘assurance’ implies something more than good security alone. It also implies good communication, providing proof and reports, and communicating in the language that the customer speaks. Realising this will require quite a change in communication and agreements with customers and suppliers.

SP26: Offer CSF support to commercial staff

Customers pay increasing attention to security and security services. But selling security is complex, due to its often technical nature and the absence of immediate quantitative customer benefits. It is hard to properly address benefits and justify potential extra costs for customers. Therefore, sales staff should be supported in selling security. Security expertise, security competence and specific knowledge concerning telecom security issues are usually available within the CSF. CSF staff are able to bridge the gap between the security world and the business world. CSF staff can support sales with internal consultancy, educate sales staff and accompany sales teams on customer visits. This support function can be expanded into a commercial security consultancy service, but such consultancy is best restricted to existing customers who also purchase other services from the operator and should be related to the operator’s own portfolio. This is the (niche) area where the operator (understanding its customer and having knowledge of telecom services) can commercially distinguish itself from general security consulting companies. Some of the operators have very good experience with this model of ‘consultative selling’.
5 Fraud management

Effectively tackling financial losses and other damage that may result from telecommunications fraud has been an important issue for telecoms providers since the market liberalised in the early 1990s. Here, telecommunications fraud is defined as follows:

Definition
Telecommunications fraud is the abuse of telecoms infrastructure and/or services with the intention of obtaining financial gain at the expense of telecoms providers and/or their customers.

This chapter describes successful practices within the context of telecoms fraud management, as observed at telcos participating in the ETIS Security Benchmark.

SP08: Fully specialised fraud management team

Setting up a specialised fraud management team has been successful at many of the participating operators. Such a specialised team will provide more accurate insight into fraud losses and generally constitutes a more future proof situation. A fraud management team will only function well if it maintains active working relationships with bad debt and revenue assurance teams. Additionally, it should be self-sufficient in terms of manpower, expertise and tooling.

SP09: Fraud risk assessment for new products and services

Assessing fraud risk in new products/services requires specialist fraud expertise. Leaving such assessments up to regular project teams might cause fraud risks to be overlooked or underestimated. Direct involvement of the fraud team ensures accurate assessment of risks and equally adequate follow-up. For assessing fraud risks for new products/services a structured methodology should be adopted. Such a methodology should encompass at least checking the attractiveness to fraudsters, customer acceptance procedures, billing mechanisms, partner settlement procedures, technical issues and monitoring capabilities.

SP19: Fraud risk assessment questionnaire for development projects

As described in SP09 (see above), fraud risk assessments should preferably be conducted by specialists from the fraud team. However, whilst these experts have the skills and expertise to perform such an assessment, resources in the fraud team are often too limited to be involved in every single development project initiated within the operator’s organisation. Experience at one operator shows the possibility of developing a fraud “pre-screening” questionnaire, consisting of questions that can be filled in by the project team. Such questionnaires can be evaluated by the fraud team to filter out the most severe cases and focus their effort on these specific projects. Note that this practice might combine well with SP11, as described in the following chapter.

SP27: Seek fraud dialogue with broad set of stakeholders

It is quite common for fraud teams to maintain active working relationships with bad debt and revenue assurance units in their companies, since the subject matter addressed by these teams shows great overlap. However, effective fraud operations also require interworking with various other units. Examples include billing, invoice management and the company’s legal department. Active dialogue across all relevant stakeholders will enhance overall fraud awareness and enable fine-tuning of working procedures with relevant entities. Fraud teams are recommended to look beyond the traditional partnerships with bad debt and revenue assurance teams and also put effort into relationships with other stakeholders in their companies. One possible approach is to organise a periodic get-together with a broad selection of stakeholders to jointly evaluate some of the major fraud cases that have taken place.

SP28: Base fraud reporting on structured KPIs and target broad audience

Whilst many telcos limit fraud reporting to their CFO and possibly the full board, such reports are also significant for various other entities within the telco organisation. Business owners form an evident target audience, but one might also consider billing and legal departments or even commercial outlets. A structured set of fraud KPIs seems the most suitable basis for an effective fraud operations report. Examples of viable KPIs include:
- Effective Fraud Loss (EFL)
- Prevented Fraud Loss (PFL)
- Revenue recovered
- number of cases handled in reporting period
Telcos generally indicate that their (senior) management is most receptive to quantitative information and fraud seems a particularly suitable area to address this information desire.
6 Security in the development process

As history has proven, new products, systems and services are often accompanied by unforeseen vulnerabilities and are therefore at the source of many security incidents. The ETIS Security Benchmark has explored how operators address the security risks associated with such new products and services in their development processes. This chapter describes successful practices observed in this area.

SP10: Integral embedding of security in development

Telcos that participated in the benchmark generally agree that security should be addressed integrally throughout the process of developing a product or service. This means that:
a. Each stage of the formal development process at a telco should include security activity
b. Each decision tollgate in the formal development process should include specific security deliverables suitable to the preceding stage
The net result should be a process where security requirements are defined in the earliest project stages and the remainder of the project incorporates a consistent level of attention towards ensuring that these requirements are met. This means that security should still be a topic of interest once the project reaches such phases as testing, piloting and handover to operational units. Experiences indicate that a process for managing security in development will only work well if the governing authority (in most cases the CSF) actually has the possibility of stopping a project if security is somehow not addressed appropriately. This should include a strong vote at the launch gate. Here, please bear in mind that this possibility of stopping projects should of course only be exerted in extreme cases, to avoid a situation where the CSF is seen as a hindrance to business.

SP11: Project rating determines security approach

An approach seen at several operators is to assign a security rating to a project in its early stages. This rating subsequently determines the (detail of the) security approach for the remainder of the project. One might for instance distinguish projects that require a thorough risk assessment from those that can follow a standard security baseline, based on the risk profile of the product or service under development. Differentiating security approaches among projects on the basis of a security/risk rating is found to be an effective provision for balancing the effect of risk management activity with the effort required to this end.
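The following is an added example, not part of the ETIS report or of any participant's tooling, showing how the fraud pre-screening questionnaire of SP19 can feed the project rating of SP11. The six assessment areas are the ones SP09 names; the question wording, the 0..3 answer scale, the weights, the rating thresholds and the escalation rule are all assumptions chosen for illustration. The one design point worth copying is that an unanswered question is scored as the worst case, so an incomplete questionnaire can never talk a project into a lighter security approach.

```python
"""Fraud pre-screening questionnaire (SP19) driving a project security rating (SP11).

Constructed example: the six areas come from SP09; question texts, scoring scale,
weights, thresholds and the escalation rule are assumptions, not the report's own
instrument.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed self-assessment scale for the project team: 0 = no concern, 3 = serious
# concern. Missing answers are scored as MAX_SCORE so that gaps cannot lower a rating.
MAX_SCORE = 3

# One question per assessment area named in SP09; weights are assumptions.
QUESTIONS: Dict[str, Dict[str, object]] = {
    "attractiveness": {"weight": 3,
                       "text": "How attractive is the service to fraudsters (resale value, anonymity)?"},
    "customer_acceptance": {"weight": 2,
                            "text": "How weak are identity and credit checks at customer acceptance?"},
    "billing": {"weight": 2,
                "text": "How exposed is the billing mechanism (post-paid, premium rates, real-time gaps)?"},
    "partner_settlement": {"weight": 2,
                           "text": "How much revenue is settled with third parties (interconnect, content)?"},
    "technical": {"weight": 1,
                  "text": "How novel or untested is the technical platform?"},
    "monitoring": {"weight": 2,
                   "text": "How limited is the ability to monitor usage and detect abuse?"},
}


@dataclass
class Screening:
    project: str
    answers: Dict[str, Optional[int]]      # area -> 0..3, None when unanswered
    score: int = 0
    max_score: int = 0
    rating: str = ""
    approach: str = ""
    notes: List[str] = field(default_factory=list)


def approach_for(rating: str) -> str:
    """SP11: the rating decides how much risk management effort the project gets."""
    return {
        "high": "thorough fraud/security risk assessment by the fraud team before the next tollgate",
        "medium": "standard security baseline plus fraud team review of the questionnaire",
        "low": "standard security baseline; fraud team informed only",
    }[rating]


def score_questionnaire(project: str, answers: Dict[str, Optional[int]]) -> Screening:
    """Weighted score of the team's answers, mapped to a low/medium/high rating."""
    s = Screening(project=project, answers=dict(answers))
    for area, q in QUESTIONS.items():
        weight = int(q["weight"])
        answer = answers.get(area)
        if answer is None:                       # worst case for gaps (assumed rule)
            answer = MAX_SCORE
            s.notes.append(f"{area}: unanswered, scored as worst case")
        elif not 0 <= answer <= MAX_SCORE:
            raise ValueError(f"{area}: score {answer} outside 0..{MAX_SCORE}")
        s.score += weight * answer
        s.max_score += weight * MAX_SCORE
    share = s.score / s.max_score
    # Thresholds are assumptions; calibrate them against historical fraud cases.
    s.rating = "high" if share >= 0.6 else "medium" if share >= 0.3 else "low"
    # Escalation rule (assumption): a service that is attractive to fraudsters while
    # monitoring is limited goes to the fraud team regardless of the weighted total.
    att, mon = answers.get("attractiveness"), answers.get("monitoring")
    if (att is None or att >= 2) and (mon is None or mon >= 2) and s.rating != "high":
        s.notes.append("escalated: attractive to fraudsters and monitoring limited")
        s.rating = "high"
    s.approach = approach_for(s.rating)
    return s


def triage(screenings: List[Screening]) -> List[Screening]:
    """SP19: the fraud team works the most severe projects first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(screenings, key=lambda s: (order[s.rating], -s.score))


if __name__ == "__main__":
    # Constructed answers from three fictitious project teams.
    sample = {
        "Premium SMS voting": {"attractiveness": 3, "customer_acceptance": 2, "billing": 3,
                               "partner_settlement": 3, "technical": 1, "monitoring": 1},
        "Internal HR portal": {"attractiveness": 0, "customer_acceptance": 0, "billing": 0,
                               "partner_settlement": 0, "technical": 1, "monitoring": 1},
        "Prepaid IoT data SIM": {"attractiveness": 2, "customer_acceptance": 1, "billing": 1,
                                 "partner_settlement": 1, "technical": 2, "monitoring": None},
    }
    for s in triage([score_questionnaire(p, a) for p, a in sample.items()]):
        print(f"{s.project}: {s.score}/{s.max_score} -> {s.rating}; {s.approach}; {s.notes}")
```

With the constructed answers the premium SMS project scores 28 of 36 and is rated high on the weighted total alone; the IoT SIM project scores 20 of 36 (medium on the total) but is escalated because monitoring was left blank while attractiveness is high; the HR portal stays at the baseline. Any operator adopting something like this should treat the weights and thresholds as a starting point to be tuned against the fraud cases it has actually seen.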
SP12: Next generation security architecture that transcends technology

When developing NG (Next Generation)¹ infrastructure and services, it is wise to address the specific nature of NG security through a specific NG security architecture. Here, the following practices are instrumental for achieving adequate results:
a. The NG security architecture should not be limited to technological issues, but should also reflect the impact of NG on such issues as governance, policies and processes.
b. Explicitly distinguish security provisions at the level of networks and services, respectively, to account for the new setup in which a single network will provision a variety of services.
c. Rather than mandating specific security measures, the NG security architecture should predominantly consist of design principles and common security provisions. The latter refers to shared security provisions that accommodate many services, for instance a central identity and access management module.
For any NG security architecture to function well, it should be set up as a joint effort of various competences within the operator organisation. This includes IT, infrastructure and commercial departments.

SP20: Maintain Risk Treatment Plan (RTP) during development

Maintaining a so called Risk Treatment Plan (RTP) in development projects is a promising concept that could be successful at many operators. Such a Risk Treatment Plan should at least document the following:
• An overview of primary (top 5 or top 10) risks with respect to the product or service under development
• The risk treatment strategy (accept, mitigate, avoid, …) selected for each of the acknowledged risks
• A summary of security measures embraced and the corresponding security investment (financial, man hours, time) required in the project
• An indication of risk severity both before and after risk treatment, in qualitative (type of damage) as well as quantitative (financial) terms
Projects should ideally be required to produce a first version of the RTP early on in the project and establish updates at each subsequent project tollgate. Through this approach, the RTP is enhanced and refined as the innovation is elaborated in more detail. Apart from guiding the general process of security risk management, the RTP could also facilitate decision making and business involvement. To achieve this, business owners of the product under development should be required to sign off each version of the RTP, thus declaring that they agree with the risk treatment decisions and security investments specified.

¹ Within this context, NG refers to the packet-based successor of traditional telecommunications where internet technology is predominant and typical service portfolios include multiplay (voice, TV, internet) and 3G data services.
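As an added example (not from the report, and not any participant's tool), the model below captures the four items SP20 says an RTP should document, versions it per tollgate and makes the business owner's sign-off a precondition for passing the gate. The data model, the consistency rules in `validate`, the extra "transfer" strategy and the sample risks for a fictitious self-care app are all assumptions; the report specifies the contents of an RTP, not a format.

```python
"""Risk Treatment Plan (RTP) maintained per project tollgate, as described in SP20.

Constructed example: the data model, the validation rules, the "transfer" strategy
and the sample risks are assumptions for illustration.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STRATEGIES = ("accept", "mitigate", "avoid", "transfer")   # "transfer" is an assumption


@dataclass
class Measure:
    name: str
    cost_eur: int          # financial investment
    man_hours: int         # effort investment
    lead_time_weeks: int   # time investment


@dataclass
class Risk:
    rid: str
    description: str
    damage_type: str                  # qualitative severity before treatment
    gross_loss_eur: int               # quantitative severity before treatment
    strategy: str
    measures: List[Measure] = field(default_factory=list)
    residual_damage_type: str = ""    # qualitative severity after treatment
    residual_loss_eur: int = 0        # quantitative severity after treatment


@dataclass
class RtpVersion:
    project: str
    version: int
    tollgate: str
    risks: List[Risk]
    signed_off_by: Optional[str] = None   # business owner sign-off for this version


def top_risks(risks: List[Risk], n: int = 5) -> List[Risk]:
    """Primary (top n) risks, ranked by exposure before treatment."""
    return sorted(risks, key=lambda r: r.gross_loss_eur, reverse=True)[:n]


def total_investment(v: RtpVersion) -> Dict[str, int]:
    """Summary of the security investment the selected measures require."""
    ms = [m for r in v.risks for m in r.measures]
    return {"cost_eur": sum(m.cost_eur for m in ms),
            "man_hours": sum(m.man_hours for m in ms),
            "lead_time_weeks": max((m.lead_time_weeks for m in ms), default=0)}


def risk_reduction(v: RtpVersion) -> Dict[str, int]:
    """Quantitative severity before and after treatment, summed over the plan."""
    before = sum(r.gross_loss_eur for r in v.risks)
    after = sum(r.residual_loss_eur for r in v.risks)
    return {"before_eur": before, "after_eur": after, "reduction_eur": before - after}


def validate(v: RtpVersion) -> List[str]:
    """Consistency checks a CSF reviewer would apply before a tollgate (assumed rules)."""
    findings: List[str] = []
    for r in v.risks:
        if r.strategy not in STRATEGIES:
            findings.append(f"{r.rid}: unknown strategy '{r.strategy}'")
        if r.strategy == "mitigate" and not r.measures:
            findings.append(f"{r.rid}: strategy is mitigate but no measures listed")
        if r.strategy == "avoid" and r.residual_loss_eur != 0:
            findings.append(f"{r.rid}: avoided risk still carries residual loss")
        if r.strategy == "accept" and r.residual_loss_eur != r.gross_loss_eur:
            findings.append(f"{r.rid}: accepted risk must keep its gross loss as residual")
        if r.residual_loss_eur > r.gross_loss_eur:
            findings.append(f"{r.rid}: residual loss exceeds gross loss")
        if not r.residual_damage_type:
            findings.append(f"{r.rid}: residual damage type not documented")
    if v.signed_off_by is None:
        findings.append(f"version {v.version} ({v.tollgate}) not signed off by business owner")
    return findings


def can_pass_tollgate(v: RtpVersion) -> bool:
    return not validate(v)


def next_version(v: RtpVersion, tollgate: str) -> RtpVersion:
    """New RTP version for the next tollgate: risks carried forward, sign-off reset."""
    return RtpVersion(v.project, v.version + 1, tollgate, copy.deepcopy(v.risks), None)


def sample_rtp() -> RtpVersion:
    """Constructed first version for a fictitious 'Multiplay self-care app' project."""
    risks = [
        Risk("R1", "Account takeover via weak password reset", "customer data breach, regulatory fine",
             500_000, "mitigate", [Measure("Two-factor reset flow", 40_000, 300, 6)],
             "limited individual account abuse", 50_000),
        Risk("R2", "Premium-rate fraud through add-on ordering", "direct financial loss",
             200_000, "mitigate", [Measure("Velocity checks in ordering API", 15_000, 120, 3)],
             "small residual fraud losses", 30_000),
        Risk("R3", "Unsupported legacy TV middleware exposed", "service outage",
             120_000, "avoid", [], "none", 0),
        Risk("R4", "Brand damage from UI defacement", "reputation", 20_000, "accept", [], "reputation", 20_000),
    ]
    return RtpVersion("Multiplay self-care app", 1, "concept gate", risks)


if __name__ == "__main__":
    v1 = sample_rtp()
    print([r.rid for r in top_risks(v1.risks)], total_investment(v1), risk_reduction(v1))
    print("gate findings:", validate(v1))           # unsigned: one finding
    v1.signed_off_by = "business owner (constructed)"
    print("can pass concept gate:", can_pass_tollgate(v1))
    v2 = next_version(v1, "design gate")           # refined at the next tollgate
    print("v2 needs a fresh sign-off:", not can_pass_tollgate(v2))
```

The checks encode what the text asks for: a mitigated risk must name its measures, an avoided risk cannot keep residual loss, an accepted risk keeps its full exposure, residual severity can never exceed gross severity, and every version needs the business owner's signature again after it is refined at a tollgate.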
SP29: Maintain tangible security design guidelines

Operators could greatly benefit from developing and mandating security design guidelines that define a standard (minimum) security configuration for systems and networks. Such guidelines could serve as a reference for development staff and for instance address system hardening, network segmentation, web application development, access control and authentication protocols. Within operator organisations, specific IT departments will often develop design guidelines for their own local context that could also be of value for other IT units. CSF teams could facilitate this by compiling available guidelines, generalising them where necessary and subsequently incorporating them in their policy and guidance structures. This approach is often effective, since IT departments have more in depth knowledge of the actual technologies whilst the CSF will have a broader view on the areas of application.

SP30: Conduct hacking contests among developers

An interesting approach towards achieving security awareness is to organise hacking contests among development staff. Apart from raising awareness, contests such as these also reveal which developers are interested in and have a certain talent for security matters. As an example, development staff might be offered a web portal that incorporates several vulnerabilities and be challenged to identify the gaps.

SP31: Maintain library of standardised security requirements

Establishing and maintaining a library of (standardised) security requirements that can be matched onto specific projects has worked out well at several operators. Selection of such generic security requirements can be complemented with specific requisites to address the needs of individual projects. Expert opinion appraisal or risk assessment could form the basis for this.
7 Security monitoring and incident management

This chapter presents successful practices observed at the benchmark participants in the areas of security monitoring and incident management. Factors addressed in the benchmark under this denominator include:
• Nature and setup of incident management provisions in the operator’s organisation, where “security incident” is defined as any accidental or intentional breach of (information) security in information systems, services and networks and “incident management” refers to the process of analysing, correcting and reporting such security incidents
• Duties, approaches and methodologies of the Computer Emergency Response Team (CERT) and Security Operations Center (SOC) to the extent that these are present in the organisations of participating telcos.
Where present, CERT teams and SOC units usually play an important role with respect to security monitoring and incident management. Thus the benchmark addressed such provisions through specific questions.

SP13: SOC for both internal and commercial purposes

The transition to full-IP infrastructures has made telcos susceptible to on-line attacks. What’s more, such attacks are continuously becoming more complex and large scale, thus increasingly requiring specialised expertise to manage them. Many benchmark participants have had good experiences with setting up a so called Security Operations Center (SOC), defined as a dedicated, centralised function for continuously monitoring and managing attacks on telco infrastructure. Here, the following is of importance:
a. Benchmark participants generally agree that centralisation is a key success factor for security monitoring, if only because it enforces bundling of the (scarce) expertise an operator has available to this end.
b. Competences already available in CERT teams will usually offer a good starting point to establish the requirements for a SOC. Once in operation, SOC and CERT staff should maintain a close working relationship (possibly by integrating both into one unit).
c. It is usually attractive to widen the objectives of a SOC beyond internal hygiene and also exploit it as a commercial service. However, care should be taken when approaching customers with this possibility, since they might be unpleasantly surprised when made aware of possible security events on their network.
When considering commercial exploitation of a SOC, its primary purpose of protecting an operator’s service infrastructure should not disappear into the background. A possible approach to this end is to establish separate SOC units for internal and external purposes, respectively. Whilst this may not directly seem the most efficient approach, we have observed several operators employing this to great satisfaction.

SP21: Reuse 24/7 capability of NOC for first line monitoring in SOC

Most operators already have a Network Operations Center (NOC) in place that monitors the (continuity of the) telco infrastructure on a 24/7 basis. This capability might to some extent be reused in the SOC, thereby establishing initial 24/7 operations at no or limited investment in additional personnel. NOC personnel might be trained to provide at least first line monitoring and support during night hours. Getting this level of service up on a 24/7 basis will already greatly enhance the effectiveness and value of the SOC. To enhance the capabilities of the SOC even further, one might consider the concept of an on call security specialist who is on standby in case severe incidents arise.

SP32: Provide crisis team members with 3rd party SIM in address card

It is already good practice for members of crisis teams to have a SIM card of a third party operator on them. With such a SIM card in their possession, they can keep communicating, even if a large disturbance hits their own mobile network. One benchmark participant integrated this SIM with an address card containing contact information for the other team members and a crisis management process description. This can be considered as a small and handy “crisis management team member toolkit”. The operator that developed this concept has had good experiences with this solution.

SP33: Establish active cooperation with other SOCs

Some telcos have had good cooperation experiences among their internally oriented and commercial SOCs. Such cooperation allows for exchange of knowledge, tooling, configurations and even people. Some participants indicate they would also like to explore cooperation with SOCs in other industries (e.g. banking SOCs). Such cooperation across industries might give interesting (fresh) perspectives on threats, priorities and SOC operations in general.