This presentation will assist you in protecting your revenues.
Product Assurance Guidelines For Telecom

  1. Product Assurance
     Guidelines for Product Assurance, Risk and Fraud Assurance for all new product/service launches for Telecom.
     www.yu.co.ke Revenue Assurance & Fraud Syed Thameem

  2. Product & Service Risk Assessment – Questions
     ◦ Within Econet, is the “Product Manager” made responsible for the loss as well as the profit?
     ◦ Who has ownership and responsibility for ensuring products are launched with fraud protection built in?
     ◦ What financial figure is placed upon potential fraud losses?
     ◦ When is the Fraud Team involved within the process?
     ◦ Is the Fraud Team actually listened to, or does marketing rule?
     ◦ Is the Fraud Team playing catch-up when defining fraud controls?
     ◦ Is the Fraud Team viewed as the enemy, or as a valuable part of the end-to-end process?

  3. Product & Service Risk Assessment – Introduction
     Fraud & Security Risk Assessments – why?
     ◦ They enable the creation of fraud-resistant products and services.
     ◦ They prevent and mitigate losses caused by fraud.
     ◦ It is far more cost-effective to implement controls and measures at the beginning.
     ◦ They minimise the effects of fraud on genuine customers and protect the brand image.
     ◦ They are used to determine fraud strategy and the operational changes needed in working practices and detection tools.
     ◦ They develop and encourage a coherent Company/Group-wide approach to fraud knowledge and awareness.

  4. Product & Service Risk Assessment – Introduction
     ◦ Product assurance MUST become an integral part of the new and existing product development process.
     ◦ Revenue protection features (incl. fraud) should be assessed for all products/services launched.
     ◦ Required protection levels, controls and enhancements to existing services should also be identified and implemented.
     ◦ Activation, service delivery, billing etc. for all products should be tested to ensure accuracy and that the service can be charged for!
     ◦ It is not, and can never be, a single one-off activity; it requires input from different business areas to succeed.

  5. Product Risk Lifecycle
     [Lifecycle diagram; only its stage labels survive: Marketing & Development; Dealer / Sales Channel; Activations & Fulfillment; Customer Care; Billing & Collections; Fraud Department; Recovery of Money, Equipment & Service.]

  6. Product Evaluation Process
     [Diagram only; no text recoverable.]

  7. Fraud Risks with New Products & Services
     ◦ Each product and service in the market represents a potential new opportunity for fraudulent attack.
     ◦ Pressure to launch new services to gain competitive advantage often results in little attention to security or fraud initiatives.
     ◦ This risk is compounded when these services are offered by new operators or in highly competitive markets.
     ◦ A key aspect of the fraud management role is to be an integral part of the new product and service development process.
     ◦ The Fraud Team needs to ensure it can determine the required points of control, measurement and monitoring, so that appropriate prevention initiatives are in place.

  8. Fraud Risk Assessment – Stages
     Evaluation of risks in new products/services must take place at each main phase that the product/service passes through, meaning:
     ◦ CONCEPT
     ◦ DESIGN
     ◦ IMPLEMENTATION
     ◦ LAUNCH
     ◦ POST LAUNCH
     At each gate, the Fraud Team should assess and determine the potential risks and consider which new characteristics of the proposed product/service are likely to be abused. This will be based on the available documentation, namely the Business Requirements Specification. Product/service characteristics will usually vary significantly from one phase to another, so the evaluation has to be performed thoroughly each time.

  9. Before Starting Assessment
     ◦ Maintain a database of all the products/services the Fraud Team receives – via the concept.
     ◦ Assign a PRIORITY based on the information you have at the Design Phase – you will not want to have to look at EVERYTHING!
     ◦ Estimate the level of resources required, the level of experience needed in various fields, and the time at hand.
     ◦ Assign a project risk code for tracking purposes – for future monitoring and follow-up of actions/responsibilities.
     ◦ Communicate first decisions to Marketing – for some products you will have a “no-go” decision; Marketing should know your position and reasoning.
     ◦ When agreed, commence the FRA – remember, the same points need to be re-assessed at each Phase/Gate!!

  10. Defining the High Level Framework
     Product and service risk assessment will need to include analysis of the following areas:
     ◦ Technical infrastructure – service delivery mechanisms
     ◦ Acquisition – service offering and intended market
     ◦ Registration process – fulfilment of service requirements
     ◦ Pricing structure – assuring the revenue as opposed to the potential for abuse
     ◦ Billing – integrity
     ◦ Charging/billing – methodology and completeness
     ◦ Customer confidentiality – protection of information
     ◦ Legal and regulatory – requirements fully met
     ◦ Authority levels/approval/sign-off – compliance
     ◦ Escalation paths, contingency planning etc. – strategy
     ◦ Security policies and practices – specific to the product

  11. Defining the High Level Framework cont’d
     Process & Technology Risks are likely to come from the following areas:
     ◦ Requirements management
     ◦ Product/service process design
     ◦ Product customisation
     ◦ Program change / version control
     ◦ System/configuration data control
     ◦ Transaction data control
     ◦ Security architecture
     ◦ Functionality testing and compliance
     ◦ Data conversions
     ◦ End user acceptance
     ◦ System cutover / going live
     ◦ Operational support / backup

  12. Product & Service Fraud and Security Assessment
     [Diagram of the assessment areas; the labels recovered from the slide are:]
     ◦ Customer Acquisition
     ◦ Access to data, controls & auditing
     ◦ Business processes & Fraud & Security Policy
     ◦ Billing, collections & payment
     ◦ Known weaknesses/vulnerabilities
     ◦ Customer type (mass / micro / corp)
     ◦ Product Assurance & Service Integrity
     ◦ Security structure (physical, IT & network)
     ◦ Operational procedures and working practices
     ◦ Solution strategy
     ◦ Product or service features
     ◦ Systems & Platforms

  13. FRA Checklists
     Benefits:
     ◦ To determine the scope of the proposed audit – technology and personnel
     ◦ To provide a standard methodology and approach to performing the PDN audits
     ◦ To determine the points to prove/disprove
     ◦ To provide a point of reference for developing the interviews
     ◦ To facilitate supplementary actions
     ◦ To prevent future security breaches developing in the business
     ◦ To eradicate weaknesses in systems, processes and practices
     ◦ A means of ensuring all aspects of the audit will be, and have been, covered
     ◦ To be used to produce management reports – facts that will support decisions on security standards compliance

  14. FRA Checklists
     Details:
     ◦ Prepare and use standard PDN audit templates
     ◦ When developing the re-audit programme, look to enhance existing MBSS checklists
     ◦ Record all details – network platforms, data sources etc.
     ◦ Detail the information sources used – business and vendor documentation (internal/external)
     ◦ Logically detail the technical equipment and processes to be audited
     ◦ Identify the assets; evaluate the likelihood of the risk, its severity, the risk factor and the audit method, e.g. interview, technical scan, document review
     ◦ Grade the management of the perceived risk (high/medium/low)
     ◦ Create details for each system/data set: confidentiality, reliability, integrity, availability

  15. Stage 1 – Information Gathering
     Essential for the earliest possible visibility.
     ◦ Obtain information about the product/service owners and their involvement in the product/service delivery – WHO are your business partners?
     ◦ Obtain background information on the product/service functional elements and their interoperability, including their interaction with other systems, and general product/service characteristics.
     ◦ Ensure that you have a thorough understanding of the main attributes of the product/service, for example how the product will be offered, the proposed market segment (corporate/business/residential), the billing/charging requirements, the collection of revenue and any third party relationship.
     ◦ Information gathering MUST be performed at all stages of the risk assessment – good communication must be established and maintained with the other parties involved in the product launch.
     ◦ When conducting feasibility studies, issue the Fraud Questionnaire as soon as a new product or risk is discovered.

  16. Stage 2 – Analysis
     Information obtained MUST be analysed from a risk perspective, considering the known fraud instances to date, the system’s characteristics and known fraud trends. When changes occur in the process design, delivery or implementation method, etc., the analysis MUST be redone. When the product is complex, the Analysis stage can be split into smaller entities for separate analyses, or even by different people if they require different sets of skills, such as:
     ◦ Technical specification – engineering for network services and platforms, and IT for billing requirements
     ◦ Registration process – sales from a customer acquisition perspective, and customer care from a customer handling perspective
     ◦ Data integrity – engineering for network services and platforms, and IT for billing requirements
     ◦ Charging flow – engineering for network services and platforms, IT for billing requirements, and RA & FM for revenue protection
     ◦ Payment reconciliation – Credit & Collections, IT, and RA & FM for revenue protection

  17. Stage 3 – Risk Assessment
     The main objective of the FRA will be to determine, based on the information analysed in the previous stage, what, why and how fraud risks can occur. The following aspects MUST be taken into account:
     ◦ The nature of the service being provided
     ◦ The revenue requirements vs. acceptable losses
     ◦ How the product/service will be securely provisioned
     ◦ How it will be billed and payment received
     ◦ How different business systems will interact to ensure revenue integrity
     ◦ How customer care issues will be handled
     ◦ The development of the necessary audit trails
     ◦ Reporting on revenue vs. losses, including reconciliation practices

  18. Stage 3 – Risk Assessment – cont’d
     The FRA is a “Team” based activity involving the product owners, the personnel performing the work (likely to be technical/IT) and colleagues from the other departments that the product or service impacts upon (likely to be customer care / finance / credit & collections – Fraud & RA). Several techniques should be used during FRAs; these will vary according to each product’s specifics, but will have to include:
     ◦ Structured interviews with relevant interested parties (technical/procedural)
     ◦ Specific focus groups within the operations
     ◦ Individual assessment using questionnaires (where appropriate)
     ◦ External information sources – GSMFF, FMS User Groups, other operators etc.
     ◦ Fraud workshops with Development Teams – demonstrate the fraud loss potential
     ◦ Fraud Team to promote an open door in return for assistance

  19. Stage 4 – Risk Assessment Matrix
     The FRA Matrix should include:
     ◦ Threats
     ◦ Vulnerabilities
     ◦ Impact
     ◦ Controls
     ◦ Product/Service narrative
     FRAs should be regularly reviewed to ensure the matrix is updated. Research and intelligence gained MUST be fed into the matrix. A “feedback stage” – the pooling of ideas – must be encouraged, along with the study of emerging fraud techniques. Newly defined controls, points of measurement, reporting etc. must be incorporated. Essentially, the FRA matrix should be evolving and usable to the benefit of all Fraud Team personnel – experienced staff and new entrants alike.

  20. Stage 4 – Risk Qualification Matrix
     Develop a simple and visual way to assess risk, using a summary of the risks identified during the previous stages. Each risk area is scored on a scale of 0 to 3 for the likelihood of fraud or leakage, where 3 represents the greatest likelihood of fraud at the current time. Each risk area is again scored from 0 to 3 for the possible financial impact if revenue assurance/fraud is possible in that area. These two scores are then multiplied to give a score from 0 to 9.

     Score   Colour      Fraud & Revenue Assurance Risk
     0-1     No colour   Insignificant risk
     2       Green       Low risk
     3-4     Yellow      Moderate risk
     6, 9    Red         Severe risk

  21. Usage Completeness – Purpose & Value
     More precisely, what are we looking for during the Risk Assessment process?
     ◦ Firstly, we need to ensure a record will be generated – no XDR, no revenue – nothing to monitor!
     ◦ Determine the specific controls on the revenue path and that detection practices will exist, considering the product to be launched.
     ◦ Ensure that data reprocessing is available in case of error.
     ◦ Ensure the XDR generation process is tested and that backups are available.
     ◦ Ensure Partial Records are generated if needed and that aggregation is performed correctly.
     ◦ Consider settlement issues.

  22. Usage Completeness – cont’d
     ◦ Ensure that Mediation rules will be changed accordingly, if required – look for wrongly rejected CDRs in Mediation!
     ◦ Check how the duration is being recorded and ensure it is correct.
     ◦ Look at the CDR generation process at the Switch – can the CDRs be copied or transmitted to a 3rd party?
     ◦ Look at the controls on the CDR path – can someone delete the records without you knowing?
     ◦ All of these are RA-related pointers .... BUT they will turn into Fraud if the word gets out that the systems can be abused!!
     ◦ Work together with the Technical and RA Teams, replicating possible fraud scenarios, to ensure the controls are working and effective.

  23. Billing Accuracy – Purpose & Value
     ◦ Ensure that it will not interfere with existing products and services – can a fraudster use this service to prevent billing for other services?
     ◦ Ensure you can accurately identify the customer based on the records generated – especially in the IP area.
     ◦ Ensure that you can reprocess the data.
     ◦ Look for the Call Scenarios described in the documents – do they cover all possibilities?
     ◦ Ensure you have drill-down capabilities to support fraud investigations.
     ◦ Perform tests to ensure that rating is done according to the published tariffs.
     ◦ Assess how billing is performed and based on what data – is it purely CDR based, or are there discounts for volume?

  24. Usage Visibility and Reporting
     The Fraud Team relies heavily on information being VISIBLE. If records are not available to the Fraud/RA systems or reports, there is basically no control over what is happening in the network – from a fraud and RA perspective.
     ◦ MUST ensure, as early as the product design phase, that the traffic is included in the Fraud and Credit Reports.
     ◦ Ensure the traffic is included as a feed into the FMS – if a new CDR generation platform is being used, allow time to develop decoders and parsers if necessary.
     ◦ Ensure visibility is provided of all the operations the customer is making, not only the access – DTMF analysis should be used for IVRs and Voicemail Systems.

  25. Service Access Control
     Who is using the service, and how? – the Fraud Team NEEDS TO KNOW THIS!!
     ◦ Check the network diagrams and proposed architecture layout to assess whether proper segregation is in place – compartmentalisation.
     ◦ Check whether the customer can be attacked via IP while using the service.
     ◦ Check to ensure the new service will not allow a barred customer to make calls through it.
     ◦ Check that the product will not allow other products to be accessed – for instance, if it is a Data product, that Voice is barred.
     ◦ Ensure a Fair Usage Policy is deployed when offering an “unlimited” service – assess the opportunities for exploitation.
     ◦ Check that when the service is provided on the basis of a username/password, these are kept encrypted using good encryption – e.g. AES (Advanced Encryption Standard).

  26. Third Party Requirements
     ◦ Ensure clear requirements are included in the contract with any 3rd party – do’s and don’ts, and the extent of liability for fraud.
     ◦ Customer information and traffic MUST be protected from attack while using the third party service, so protection MUST be built around that.
     ◦ Validate the 3rd party’s working practices and procedures – perform site visits to assess the levels and standards of protection – leave nothing to trust.
     ◦ Check any CDR generation mechanism, authentication and monitoring capabilities.
     ◦ Especially in cases of Fraud, determine whether the contract allows for the money to be recovered from the third party, or at least withheld where fraud is evidenced.
     ◦ Ensure there are reasonable traffic limits and that the Fair Usage Policy is applied to the services offered by the 3rd party.

  27. Technical Requirements
     ◦ Check and assess the security of the product in terms of customer authentication, encryption and network segregation.
     ◦ For IP products, check whether the network can be attacked by using the newly deployed platform – e.g. a DoS attack.
     ◦ Ensure comprehensive Audit Trails are available and that there is a defined and workable process for reviewing them – it is fatal to find out later that nothing can be checked or validated.
     ◦ Ensure backups will be performed and that the data will be stored long enough to assist in fraud investigations.
     ◦ Perform technical testing by using the product as part of the technical group and test its limits – stress hour. Keep in mind that network elements might behave differently when traffic volumes are high.

  28. Testing Requirements
     ◦ The Fraud Team MUST be part of the Testing Team, to assess both the risks and the customer experience while using the product.
     ◦ Check usage against billing to determine that rating is performed correctly.
     ◦ Use a TCG, if available, to assess duration accuracy and the rounding rules applied in rating.
     ◦ Perform regression tests of existing revenue streams to ensure nothing is being lost because of the new product/service.
     ◦ Test all defined controls to ensure they all work before the product is launched! – remember, DO NOT ASSUME everything will work without CHECKING IT!
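The Usage Completeness, Billing Accuracy and Testing Requirements checks above (no XDR means no revenue, wrongly rejected CDRs in Mediation, records deleted on the CDR path, rating against the published tariff and its rounding rule) worked through as an added Python example; it is not code from the presentation or from any operator. The CSV layouts, the MSISDNs, the tariff and the round-up-to-whole-minute rule are constructed assumptions.

```python
"""Usage-completeness and billing-accuracy reconciliation over constructed data.
Added example; not from the presentation. The CSV layouts, tariff and the
round-up-to-whole-minute rule are assumptions, not any operator's real format."""
import csv
import io
import math
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed switch-side CDRs: seq is the switch's record sequence number.
SWITCH_CDRS = """seq,msisdn,start,end,dest
1001,254700000001,2012-03-01T08:00:00,2012-03-01T08:02:30,local
1002,254700000002,2012-03-01T08:01:00,2012-03-01T08:01:10,intl
1003,254700000003,2012-03-01T08:05:00,2012-03-01T08:05:00,local
1005,254700000001,2012-03-01T08:10:00,2012-03-01T08:20:59,intl
"""

# Constructed records as they come out of mediation and rating on the billing side.
RATED_RECORDS = """seq,duration_s,charged
1001,150,6.00
1003,0,0.00
1005,659,240.00
"""

# Assumed "published tariff": price per started minute, by destination class.
TARIFF = {"local": 2.00, "intl": 24.00}
ROUNDING_S = 60  # assumed rounding rule: every started minute is charged


def parse(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def expected_charge(duration_s: int, dest: str) -> float:
    """What rating should produce for this duration under the published tariff."""
    if duration_s <= 0:
        return 0.0  # zero-duration call: nothing to charge, but the record must exist
    return math.ceil(duration_s / ROUNDING_S) * TARIFF[dest]


def reconcile(switch_text: str, rated_text: str) -> List[Tuple[str, int]]:
    """Return (finding, seq) pairs. Checks, in order: gaps in the switch sequence
    (records removed before they reached us), switch records with no rated
    record (lost or wrongly rejected in mediation), rated records with no switch
    origin, and duration/rating accuracy for records present on both sides."""
    switch = {int(r["seq"]): r for r in parse(switch_text)}
    rated = {int(r["seq"]): r for r in parse(rated_text)}
    findings: List[Tuple[str, int]] = []

    seqs = sorted(switch)
    for prev, nxt in zip(seqs, seqs[1:]):
        for missing in range(prev + 1, nxt):
            findings.append(("switch_sequence_gap", missing))

    for seq in seqs:
        if seq not in rated:
            findings.append(("missing_in_billing", seq))

    for seq in sorted(rated):
        if seq not in switch:
            findings.append(("orphan_in_billing", seq))

    for seq in seqs:
        if seq not in rated:
            continue
        s, r = switch[seq], rated[seq]
        duration = int((datetime.fromisoformat(s["end"])
                        - datetime.fromisoformat(s["start"])).total_seconds())
        if duration != int(r["duration_s"]):
            findings.append(("duration_mismatch", seq))
        if abs(expected_charge(duration, s["dest"]) - float(r["charged"])) > 0.005:
            findings.append(("rating_mismatch", seq))
    return findings


if __name__ == "__main__":
    for finding, seq in reconcile(SWITCH_CDRS, RATED_RECORDS):
        print(f"{finding:24s} seq={seq}")
```

On the constructed data the run reports one sequence gap at the switch, one switch record that never reached billing, and one record rated as if minutes were rounded down rather than up.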
  29. Specifying Controls
     Develop a Risk/Control Matrix to determine the overall fraud protection for the product or service. Ensure internal processes and procedures include the new product/service – for instance, that there is a suspension method available in case of fraud or evidence of non-charging, service payment issues etc. Controls should fall into one of these categories:
     ◦ Procedural Controls – changes/improvements in the way things are being done
     ◦ System Controls – changes in the way the systems operate
     ◦ Physical and Logical Controls – generally built around the production systems, which may involve the use/creation of physical tokens, the creation of secured areas, etc.
     Identified Fraud Risks will be a combination of consequences and likelihood, together with the corresponding controls and advice and guidance on reducing or improving the position.

  30. Specifying Controls cont’d
     ◦ System Based Controls – e.g. application-configurable controls – more reliable than manual controls.
     ◦ Automated Controls – e.g. controlled by application functionality.
     ◦ Manual Process Controls – e.g. critical manual controls that operate outside of an application for the integrity/reliability of data.
     ◦ Interface/Integration Controls – e.g. controls that ensure the data integrity of the interface – these need to be identified and verified.
     ◦ Reporting Controls – to ensure that reports can be generated from an application and that they will be accurate.
     ◦ Application Security Controls – e.g. SoD (segregation of duties) – restrict inappropriate or excessive access privileges.

  31. Fraud Risk Assessment Output
     It will be essential to communicate with the business. Example methods are:
     ◦ Inherent Risk: None/Low/Med/High – stating the risks as they exist in raw form, PRIOR to controls
     ◦ Residual Risk: None/Low/Med/High – the identified risks to be mitigated by the proposed controls
     ◦ Assessment Rating: Med/High – the Fraud Team RECOMMENDS not to launch, or alternatively defines the NEED for “Specific Modifications/Controls”
     NB: The Product Owner must be in a position to request a further FRA if any agreed controls are not implemented or if the product is significantly changed.
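The Stage 4 Risk Assessment Matrix (threats, vulnerabilities, impact, controls), the 0-3 × 0-3 scoring and colour bands of the Risk Qualification Matrix, and the inherent vs. residual distinction of the Fraud Risk Assessment Output, worked through as an added Python model; this is not code from the presentation. The per-control reduction values, the sample rows and the go/no-go rule in launch_recommendation are assumptions made for illustration.

```python
"""FRA scoring model: likelihood x impact, colour bands, inherent vs residual risk.
Added example; not code from the presentation. Control reductions and the
launch rule below are assumptions used to illustrate the method."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Colour bands from the Risk Qualification Matrix slide: (upper score bound, colour, label).
# Scores are products of two 0-3 values, so only 0, 1, 2, 3, 4, 6 and 9 can occur.
BANDS = [
    (1, "No colour", "Insignificant risk"),
    (2, "Green", "Low risk"),
    (4, "Yellow", "Moderate risk"),
    (9, "Red", "Severe risk"),
]

@dataclass
class Control:
    """A proposed control (Procedural, System, or Physical/Logical). The reduction
    values are an assumption: how many points the control is judged to remove from
    the 0-3 likelihood and impact scores once it is actually in place."""
    name: str
    kind: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = False

@dataclass
class RiskArea:
    """One row of the FRA matrix: threat, vulnerability, scores and controls."""
    threat: str
    vulnerability: str
    likelihood: int  # 0-3, 3 = greatest likelihood of fraud/leakage at this time
    impact: int      # 0-3, 3 = greatest possible financial impact
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 0 <= value <= 3:
                raise ValueError(f"{name} must be 0-3, got {value}")

def band(score: int) -> Tuple[str, str]:
    """Map a 0-9 score to (colour, label) using the slide's table."""
    for upper, colour, label in BANDS:
        if score <= upper:
            return colour, label
    raise ValueError(f"score out of range: {score}")

def inherent_score(area: RiskArea) -> int:
    """Raw risk PRIOR to controls: likelihood x impact."""
    return area.likelihood * area.impact

def residual_score(area: RiskArea, implemented_only: bool = True) -> int:
    """Risk remaining after controls. By default only implemented controls count,
    which is the figure the Product Owner must re-check if controls slip."""
    counted = [c for c in area.controls if c.implemented or not implemented_only]
    likelihood = max(0, area.likelihood - sum(c.likelihood_reduction for c in counted))
    impact = max(0, area.impact - sum(c.impact_reduction for c in counted))
    return likelihood * impact

def launch_recommendation(areas: List[RiskArea]) -> str:
    """Assumed decision rule: any Red residual -> recommend not to launch;
    any Yellow -> launch only with specific modifications/controls; else launch."""
    colours = {band(residual_score(a))[0] for a in areas}
    if "Red" in colours:
        return "RECOMMEND NOT TO LAUNCH"
    if "Yellow" in colours:
        return "LAUNCH ONLY WITH SPECIFIC MODIFICATIONS/CONTROLS"
    return "LAUNCH"

def build_sample_matrix() -> List[RiskArea]:
    """Constructed sample rows for an 'unlimited' data product (illustrative values)."""
    fup = Control("Fair Usage Policy thresholds enforced in the platform", "System",
                  likelihood_reduction=2, implemented=True)
    voice_bar = Control("Voice barred on the data-only product", "System",
                        likelihood_reduction=3, implemented=False)
    return [
        RiskArea("Resale of unlimited data", "No fair usage limits", 3, 3, [fup]),
        RiskArea("Voice calls via a data product", "Voice not barred", 2, 2, [voice_bar]),
    ]
```

Because the voice-barring control is not yet implemented, the second row keeps its inherent score until it is, which is exactly the case the NB on the slide tells the Product Owner to re-assess.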
  32. Fraud Risk Assessment Handling
     There are several ways to handle a Fraud Risk once it is identified – the main methods are:
     ◦ Avoid the Risk: by deciding not to proceed with the activity likely to generate the risk
     ◦ Reduce the likelihood: take actions to reduce or control the likelihood (such as additional levels of protection, segregation of duties, etc.)
     ◦ Reduce the Consequences: take actions to reduce the consequences of a risk (define liability for losses, price and charging policy, etc.)
     ◦ Transfer the Risk: this could involve another party bearing or sharing some element of the perceived risk – for instance, in the case of web payments, transferring the risk to an external merchant – PayPal, Paily, Moneybookers, etc.

  33. Monitoring & Measurement – Post Launch
     The Fraud Team MUST monitor progress – the usability of the product after launch. This is essential where a product or service was launched regardless of FRAUD RISK. The Fraud Team MUST look to demonstrate the “first fraud occurrence” and the corrective actions now required:
     ◦ Fraud technique – modus operandi (external/internal/collusion etc.)
     ◦ Value of the losses being experienced – if any are evidenced
     ◦ Effectiveness of the controls defined and implemented
     ◦ Define the time frames for “review and check” activities
     ◦ Determine the changes needed in fraud detection – new thresholds or alarms in the FMS etc.
     ◦ Report over time on the associated fraud losses by product or service

  34. Balanced Approach – Session Summary
     ◦ Cost of Prevention / Detection / Investigation
     ◦ Software will not prevent fraud
     ◦ People will not prevent fraud
     ◦ Need to work together
     ◦ Software to help people

  35. End
     We can stop revenue leakage proactively; kindly involve RA in all our new product/service launches. Thank you for your attention and support.
