ETIS Information Security Benchmark Successful Practices in telco security

© ETIS 2012
Successful Practices in Telco Security
Benchmark observations 2010 - 2012
Date: October 7th 2012
Authors: H. Kerkdijk M.Sc. and R. Wolthuis M.Sc.
Version: FINAL
Successful Practices in Telco Security
Produced by TNO
PO Box 1416
9701 BK Groningen
The Netherlands
www.tno.nl

Authors: H. Kerkdijk and R. Wolthuis
Project manager: H. Kerkdijk
Project owner: Terje Tøndel, ETIS
Status: FINAL
Date: October 7th 2012
© 2012 ETIS

Disclaimer
All rights reserved. No part of this document may be reproduced and/or published in any form by print, photoprint, microfilm or any other means without the previous written permission from ETIS. The commercial use of any information contained in this document is strictly prohibited.
Contents

Preface .......... 4
Abbreviations .......... 5
1 Introduction .......... 6
1.1 Background .......... 6
1.2 About this document .......... 6
1.3 About TNO .......... 7
2 Corporate Security Function .......... 8
3 Security management .......... 11
4 Commercial role of security .......... 15
5 Fraud management .......... 17
6 Security in the development process .......... 19
7 Security monitoring and incident management .......... 22
Preface

Already in its fourth year, the ETIS Information Security Benchmark is motivated by the prevailing absence of Telco specific security benchmarks focusing on the industry in Europe. Between 2009 and 2012, the Benchmark has incorporated a total of 16 European Telecom providers, many of which are now repeat participants. This continuity not only lends more value to the results as it allows for a good degree of comparability with previous years, but it also enables one to track the evolution of the security landscape and best practices.

As a complement to the Security Benchmark, we have also produced a Successful Practices Executive Report that is publicly available to highlight our work and also attract potential participants. Over the years, the survey has been exceptionally rich with interesting practices that Telcos might adopt from one another. The result is 33 best practices distributed over the various security themes. This rise has been partially due to the emergence of two major recent challenges: the struggle to manage employees bringing in their personal devices (i.e. iPhones, tablets) into the corporate network and the rise of social media, which can be viewed both as a communications tool but also as a security threat.

The best practices are also discussed each year at a dedicated workshop hosted by TNO. While it is interesting to see the figures and best practices in the benchmark report, there is also added value in physically discussing those differences and comparing best practices.

Work of this kind must be based on partnership. We thank TNO for producing the reports and the ETIS Member companies that took part for their commitment and openness. Our slogan has always been ‘Sharing knowledge is our strength’ and using it is yours. We would like to encourage you to use this report to learn where you stand and to motivate improvements in your own companies.

Yours sincerely,
Fred Werner
Communications & Programme Director
ETIS
Abbreviations

BIA   Business Impact Assessment
CERT  Computer Emergency Response Team
CFO   Chief Financial Officer
CISO  Chief Information Security Officer
CSF   Corporate Security Function
CSO   Chief Security Officer
DSS   Data Security Standard
EFL   Effective Fraud Loss
IEC   International Electrotechnical Commission
ISMS  Information Security Management System
ISO   International Organization for Standardisation
KPI   Key Performance Indicator
NG    Next Generation
NOC   Network Operations Center
PCI   Payment Card Industry
PFL   Prevented Fraud Loss
RTP   Risk Treatment Plan
SIM   Subscriber Identity Module
SOC   Security Operations Center
SP    Successful Practice
USP   Unique Selling Point
1 Introduction

1.1 Background

ETIS, the Global IT Association for Telecommunications, is a membership based organisation in which major European telecoms providers exchange views on delivering and using ICT effectively. Much of this information exchange takes place through working groups that gather several times per year for this purpose. Among these groups is the Information Security Working Group (henceforth referred to as the ETIS Security Group), in which telcos and vendors exchange knowledge and experiences concerning information security related matters.

In early 2009, the ETIS Security Group decided to set up a yearly security benchmark activity with the objective of comparing security strategies and approaches among ETIS member telcos, thus enabling these telcos to determine which specific aspects of security require attention within their respective organisations. Executing a security benchmark within the ETIS context has proven a successful formula, among other things because such a benchmark can be focused on telco specific security issues. Between 2009 and 2012, a total of 16 European telcos took part in the benchmark endeavour. All benchmark activity is conducted and coordinated by TNO, an independent research and consulting organisation from The Netherlands and also an active participant in the ETIS Security Group.

A well-received element in the ETIS Security Benchmark is the concept of so-called successful practices. This refers to strategies, approaches or methods that have proven successful at specific benchmark participants and might be (partly) adopted by others. Whilst benchmark results are generally restricted to the participating companies, it was decided to share successful practices identified between 2010 and 2012 with the entire ETIS community.

1.2 About this document

This document presents the 33 successful practices in telco security that were identified in the security benchmark effort between 2010 and 2012. In the following chapters, these practices are structured according to the security themes addressed in the benchmark:

1. Corporate Security Function
2. Security Management
3. Commercial role of security
4. Fraud Management
5. Security in the development process
6. Security monitoring and incident management

The numbering of practices in this document corresponds directly to the SPxx codes assigned in the benchmark reports of 2010-2012. Note that these codes follow the years in which the respective practices were identified and are thus non-linear across the various themes.
1.3 About TNO

The Netherlands Organisation for Applied Scientific Research (TNO) is one of Europe’s leading independent research and consulting organisations. TNO was founded in 1932 by an act of the Dutch parliament to make scientific research and high end knowledge accessible and applicable for businesses and government. TNO is a not for profit organisation which by law is required to operate independently and objectively. TNO has organised its expertise and competences in seven themes. Each theme is divided into a number of innovation and consulting areas, as illustrated in the following figure.

TNO provides research, development, engineering and consultancy services to government and industry, to assist in solving complex and challenging technical problems and establish technological innovation. TNO’s staff presently encompasses some 4400 employees and includes 50 university professors. TNO has a versatile customer base that includes local and national government bodies in The Netherlands (e.g. the Ministry of Defence and the Ministry of Economic Affairs), large corporates in industries such as finance, oil and gas and telecommunications, and several European Union bodies.
2 Corporate Security Function

This chapter describes successful practices within the context of a Corporate Security Function (CSF), as observed at telcos participating in the ETIS Security Benchmark. Here, the term CSF is defined as follows:

Definition
The Corporate Security Function is defined as the total of people and duties residing under the direct responsibility of a CSO, CISO or equivalent.

Whilst the above definition turned out practicable in most cases, TNO encountered some telcos that had both a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO) and one telco where the position of C(I)SO was completely absent. In such instances, TNO and the telco concerned jointly assessed which security team in that telco’s organisation best qualified as a CSF.

SP01: Baseline Corporate Security Function setup

The various benchmarks have shown that there is no single optimum setup of a Corporate Security Function. Important factors to this end are the size and (management) culture of the respective telco, which obviously vary greatly. Nonetheless, the following baseline characteristics will enhance the success of any CSF, irrespective of its specific context:

a. The highest security official (CSO/CISO) should reside directly beneath, or at least have direct (functional) access to, executive management to ensure sufficient span of control and visibility.
b. The CSF should not limit itself to the development and maintenance of company wide security policies, but also provide active and visible support to the business through tactical (e.g. risk assessment) and perhaps even operational (e.g. maintaining a security operations center) duties.
c. The CSF should preferably not be incorporated in an IT or other technical unit, but visibly have a broader focus to avoid the risk of being regarded as, or even becoming, a solely technical body.
d. The CSF should exploit the potential of bundling interrelated security areas by at least taking responsibility for information security, IT & network security and Business Continuity Management and closely aligning objectives, strategies and actions for these areas.

Note that item d should be addressed with due care, since senior management might see such bundling as an opportunity to reduce headcounts. Some benchmark participants have had this experience.

In addition to the above, it is usually helpful to incorporate certain legal duties (e.g. lawful interception or data retention) within the CSF structure to enhance its visibility and strategic weight.

SP02: Strategic security board

Setting up a strategic security board as a business driven platform for strategic security governance has been a very successful step at some of the participating operators. If implemented well, such a body ensures that strategic security choices are ultimately governed by senior business managers, thereby establishing intrinsic business involvement and commitment.

A strategic security board should preferably consist of senior management (e.g. business unit directors) and be chaired by a motivated board member. Its primary task should be to govern strategic security objectives, priorities and budgets based on input and proposals put forward by the highest security official (CSO/CISO).

A strategic security board will only function well if guided by a decent strategic security plan, for instance with a 2-3 year time span. Establishing such a plan and getting senior management’s attention for it (i.e. lobbying) should be a priority for any CSO with the ambition of getting senior management actively involved.

SP14: Employ social media to enhance security involvement

Setting up social media on the internal intranet has been a successful step at one of the participants to enhance the security involvement of employees throughout the organisation. Having officials such as the CSO actively interact with the organisation through a blog or perhaps an internal version of Twitter or Facebook offers the following opportunities:

• Employees throughout the organisation can be reached with a single action, thereby raising security awareness at a large scale with very limited effort.
• Information posted by the CSO will often trigger interesting responses from employees in all layers of the organisation, including many that the CSF would usually not interact with directly. Such responses provide insight into current issues and sentiments with respect to security and will help the CSF to identify any actions required.

Note that some operators have a policy to block the use of social media on their corporate internet. However, this practice specifically pertains to a local implementation of such social media on the native intranet, which is available to the operator’s employees only. Moreover, to avoid undesired use of such media it is advisable to ensure that the identity of employees posting information or participating in discussions is always revealed (i.e. not to allow anonymous use).

SP15: Monitor relevant security discussions on external social media

Social media on the public internet are often host to interesting discussions on a company and/or its products and services. As shown by one of the benchmark participants, it can be worthwhile to monitor such discussions specifically from a security perspective to discover current issues, sentiments and even vulnerabilities the company needs to act upon.

Social media monitoring can be bought as a service from specialised companies, who will scan the Internet in search of predefined keywords that relate to security and periodically report their findings. Use of such services has already been popular among marketing and PR departments (to name a few) for some time.

SP22: Establish measurable targets in which security is a dominant factor

Whilst factors such as employee satisfaction and budget discipline are by all means relevant, CSF performance should ultimately be appraised on the basis of actual security targets. Moreover, various benchmark participants have observed that senior management is most receptive to quantitative information. Targets should hence be measurable in nature.

Based on the experiences of some benchmark participants, management involvement will increase substantially if they acknowledge the security objectives and are provided with frequent (weekly/monthly) status updates. In turn, such management involvement is crucial for receiving adequate support and resourcing.
3 Security management

This chapter describes successful practices with respect to security management, as observed at the benchmark participants. Here, security management is defined as follows:

Definition
Security management is the process of operating, monitoring, reviewing, maintaining and improving security within a certain context and scope.

In the ETIS benchmark, several factors of security management systems in telco organisations have been considered:

• scope of the security management system
• extent to which security management processes are defined and documented
• extent to which security responsibilities have been clearly laid down
• approaches to governing compliance with security policies.

The successful practices observed mostly relate to the first and the last bullet.

SP03: Security management based on combined methods

It is apparent from several benchmark results that a combination of a risk based and a best practice based approach to security management is usually most effective. The best practice approach is cost efficient and easy to check for compliance, hence it is suitable for ‘normal’ daily operations. At the same time it leaves little room for the business to accept possible risks in order to increase profitability. The risk based approach usually requires more effort and should thus be applied in particular to special cases (new areas) or high impact situations. The risk based approach offers the business the flexibility to strike a better balance between risks and the costs of reducing those risks.

Special attention should be given to the choice of where to go for the best practice approach and where to use a risk based approach. To begin with, this could be done by expert opinion or based on experience. More formal methods could include a Business Impact Assessment (BIA) or a split into a ‘high level’ risk assessment on business processes and a more detailed risk assessment at the technical level, the latter based on the risks found in the high level risk assessment.

SP04: Use of security Key Performance Indicators

The use of Key Performance Indicators (KPIs) for security allows better reporting and offers more insight into the status of security and compliance, both internally and to the outside world (such as regulators and customers). The use of KPIs also improves the possibilities to control the state of compliance and to formulate and monitor improvement actions.
KPIs should be defined in such a way that they support the implementation of the security policy. KPIs must integrate logically in operations, not placing too high a load on the organisation. Another important aspect is that KPIs must be formulated in such a way that they are of interest to the business. KPIs that are formulated too technically will not have an effect on the business and therefore will not help to raise the priority of compliance with the security policy.

SP05: Business drivers for security policy compliance

To make sure that business departments too are willing to comply, compliance should be made interesting to them. This can be done in two ways. The first is to make sure that they realize that customers ask for security, and the second is to make sure that implementation and use of the security policy is as efficient and easy as possible.

Business departments are looking for ways to satisfy their customers and, as a result of that, increase their turnover and profit. A good business driver for compliance with the security policy therefore is demand from customers. It is apparent that if customer requirements show a demand for security, the interest of the business in complying with the security policy will grow. Two operators had a good experience in this area, performing a survey among their customers. The result of the survey indicated that a majority of their customers see security as an important factor in the decision where to buy their services. These particular operators experienced a boost in business interest in security.

The other aspect is simplification of the process of reporting. An example is successful integration with other compliance processes, which will simplify compliance for the business and operational units (avoiding multiple reports with the same content) and therefore improve the willingness to comply. Another example is the introduction of tools that will help to collect evidence for compliance.

SP16: Web based security training for employees of suppliers

Awareness activity is usually limited to the internal scope of a company. One successful practice we have seen in the benchmarks is the introduction of a web based training programme for employees of suppliers. This was especially developed, on top of addressing security aspects in contracts with suppliers, to accommodate awareness of the employees of suppliers. This far reaching method of trying to achieve awareness is a good example of looking beyond the boundaries of a company, which is worth considering given the many outsourcing deals going on at telecommunication companies.

The content of the training should be targeted at specific topics of the security policy of the operator; generic security knowledge should be considered the responsibility of the supplier itself, which can be recorded in the contracts. Also, some proof should be available (e.g. lists of employees that have done the training) to show that the training is effective.

This successful practice, combined with the proper contractual agreements, can be an effective approach to ensure that only security (policy) aware personnel accesses an operator’s systems or buildings.

SP17: Position audits as an instrument of improvement, not punishment

Audits, both internal and external in nature, have a tendency to focus rather strongly on the weak points of the auditee and magnify shortcomings. In addition, audit reports are all too often used to sanction an auditee. A successful practice we have seen in the benchmarks is conducting internal audits (also called reviews) that take a different approach: not only identify and report shortcomings, but focus on cooperation with the auditee and jointly establish a balanced picture of the situation that also reflects strong points.

If a culture is created in which audits are seen as a means of improvement rather than sanctioning, this will result in more openness, more cooperative auditees and more effective improvement.

SP23: Embrace outsourcing security as an explicit security objective

For some time now, most operators have tended to outsource more and more activities, including traditional telco core activities such as managing telecommunication networks. Many participating CSFs recognize this trend, which obviously introduces security risks with regulatory and customer impact. Based on the benchmark findings, it is apparent that a shift in approach is needed, from an internal security perspective towards security governance of external relationships.

Activities required to stay in control include specific policy making, security support in contract negotiations and structural attention to governance & compliance during the operational contract period. One particular approach seen in the benchmarks is the establishment of a risk management & security board in which the operator and a major outsourcing partner both take part. Security issues can be discussed on a regular basis and the output of this meeting can be one of the inputs for the CSF report.

Another issue with outsourcing concerns the possible disappearance of available security competences. While the number of outsourced activities increases, keeping security competence at the operator at an acceptable level might be a problem. In outsourcing deals, (security) knowledge usually flows from the operator to the outsourcing partner. It is essential to retain sufficient security competences to understand and challenge the information behind the reports that are delivered by outsourcing partners.

SP24: Employ ISMS support tooling

Maintaining a security management system is a complex and time consuming task. The use of supporting tooling specifically targeted at security management and supporting the ISMS is seen to be a good approach to relieve security staff. As experienced by some of the participating operators, the use of tooling in maintaining the ISMS can be very helpful and efficient. Other operators recognize the potential in this area. Benefits include automation of processes, continuous compliance, a single means to comply with multiple regulations (e.g. ISO/IEC 27001, PCI DSS, Sarbanes Oxley, Basel II) and built-in compliance checklists.

Tools that are employed by operators include risk management tooling combined with information asset management tooling and a specific compliance and risk management solution called SecureAware. Attention should be given to the burden that these tools place upon the telco’s staff. The use of tooling should help them achieve their goals, not introduce administrative (often seen as unnecessary) overhead.

SP25: Complement security awareness with security empowerment

Telcos generally recognize the importance of user awareness. Security awareness activities, however, usually focus on achieving a learning effect among employees. But raising awareness can only be effective when employees have a feeling that they are supported in their security activities. Being aware is one thing, being supported is one step further. One of the operators therefore employs what can be called ‘security empowerment’. This is a more active approach, complementing awareness actions. With security empowerment, employees are really supported in making the right security decisions and applying the right security measures. Examples of security empowerment are:

• Supplying employees with tools and tangible guidance that enable them to perform security duties effectively
• Offering the right means to make security practicable for non-specialists

Many operators share the experience that offering practical means to their staff has a strong motivational effect.
4 Commercial role of security

Security is often seen as a burden and a source of cost, but it can also be embraced as a Unique Selling Point (USP) by which an operator distinguishes itself in the market. Moreover, selling specific security services might directly increase an operator’s revenues. Over the years, the ETIS Security Benchmark has explored how telcos address security from a commercial point of view. This chapter describes successful practices encountered in this area.

SP06: Business involvement and security portfolio

The benchmarks have shown that business involvement in the strategic security approach of the operator is crucial. Without business involvement, the driver for offering high quality security in the services portfolio is very weak. Essential to developing business involvement is to make the business aware that security is no longer an internal quality parameter, but a stringent business requirement.

Marketing and sales people should know the highlights of the security strategy of the operator. It should be good practice that marketing and sales people, when visiting large customers, are regularly accompanied by security consultants that can explain the operator’s vision and strategy with respect to security. These consultants can be situated in the commercial departments, but there must be a tight connection to the CSF (see also SP26).

Besides positioning security consultancy as an added value to marketing and sales, security consulting can also be offered as a separate security service.

Also in marketing campaigns, security should be addressed prominently. It does not matter whether the strategy of an operator is to offer security services or to offer secure services. In both cases, the message should be that the operator knows its business, also in the security area.

The general consensus is that the commercial role of security will grow. Opinions differ on the question whether this will be in the area of “secure services” or in the area of dedicated security services. In any case, the number and type of specific security services in the portfolio should be considered carefully.

SP07: Certification and third party audits

The benchmarks have shown that the number of customers requesting audits will grow; this development is also triggered by more regulatory pressure on customers of the operator. Audits generally take considerable effort at the operator side. Some operators have successfully countered this development by certification and by third party audits. If a service or department is certified, a customer has proof, provided by an independent party, that the operator complies with a certain standard, such as ISO/IEC 27001. An alternative, equally successful approach for an operator is to have an independent, third party auditor perform an audit. This report can then be given or sold to customers that require an independent check. The advantage is that the audit process can be managed by the operator itself and the operator will not be flooded with auditors sent by their customers.
SP18: Sell your customers “assurance” instead of “security”

Traditionally, commercial communication to customers involves mainly information on threats, measures and security. This usually does not appeal to what a customer really wants: the customer wants to be reassured. Therefore it can be better to communicate to customers with words like ‘assurance’. A customer does not want good security; a customer wants assurance that everything is in good hands and taken care of. Of course, ‘assurance’ implies something more than good security alone. It also implies good communication, providing proof and reports, and communicating in the language that the customer speaks. Realising this will require quite a change in communication and appointments with customers and suppliers.

SP26: Offer CSF support to commercial staff

Customers pay increasing attention to security and security services. But selling security is complex, due to its often technical nature and the absence of immediate quantitative customer benefits. It is hard to properly address benefits and justify potential extra costs for customers. Therefore, sales staff should be supported in selling security.

Security expertise, security competence and specific knowledge concerning telecom security issues are usually available within the CSF. CSF staff are able to bridge the gap between the security world and the business world. CSF staff can support sales with internal consultancy, educate sales staff and accompany sales teams on customer visits. This support function can be expanded to a commercial security consultancy service, but such consultancy could best be restricted to existing customers who also purchase other services of the operator and should be related to the operator’s own portfolio. This is the (niche) area where the operator (understanding its customer and having knowledge of telecom services) can commercially distinguish itself from general security consulting companies. Some of the operators have very good experience with this model of ‘consultative selling’.
5 Fraud management

Effectively tackling financial losses and other damage that may result from telecommunications fraud has been an important issue for telecoms providers since the market liberalised in the early 1990s. Here, telecommunications fraud is defined as follows:

Definition
Telecommunications fraud is the abuse of telecoms infrastructure and/or services with the intention of obtaining financial gain at the expense of telecoms providers and/or their customers.

This chapter describes successful practices within the context of telecoms fraud management, as observed at telcos participating in the ETIS Security Benchmark.

SP08: Fully specialised fraud management team

Setting up a specialised fraud management team has been successful at many of the participating operators. Such a specialised team will provide more accurate insight into fraud losses and generally constitutes a more future proof situation.

A fraud management team will only function well if it maintains active working relationships with bad debt and revenue assurance teams. Additionally it should be self-sufficient in terms of manpower, expertise and tooling.

SP09: Fraud risk assessment for new products and services

Assessing fraud risk in new products/services requires specialist fraud expertise. Leaving such assessments up to regular project teams might cause fraud risks to be overlooked or underestimated. Direct involvement of the fraud team ensures accurate assessment of risks and equally adequate follow-up.

For assessing fraud risks for new products/services a structured methodology should be adopted. Such a methodology should encompass at least checking the attractiveness to fraudsters, customer acceptance procedures, billing mechanisms, partner settlement procedures, technical issues and monitoring capabilities.

SP19: Fraud risk assessment questionnaire for development projects

As described in SP09 (see above), fraud risk assessments should preferably be conducted by specialists from the fraud team. However, whilst these experts have the skills and expertise to perform such an assessment, resources in the fraud team are often too limited to be involved in every single development project initiated within the operator’s organisation.

Experience at one operator shows the possibility of developing a fraud “pre-screening” questionnaire, consisting of questions that can be filled in by the project team. Such questionnaires can be evaluated by the fraud team to filter out the most severe cases and focus their effort on these specific projects. Note that this practice might combine well with SP11, as described in the following chapter.

SP27: Seek fraud dialogue with broad set of stakeholders

It is quite common for fraud teams to maintain active working relationships with bad debt and revenue assurance units in their companies, since the subject matter addressed by these teams shows great overlap. However, effective fraud operations also require interworking with various other units. Examples include billing, invoice management and the company’s legal department. Active dialogue across all relevant stakeholders will enhance overall fraud awareness and enable fine-tuning of working procedures with relevant entities.

Fraud teams are recommended to look beyond the traditional partnerships with bad debt and revenue assurance teams and also put effort into relationships with other stakeholders in their companies. One possible approach is to organise a periodic get-together with a broad selection of stakeholders to jointly evaluate some of the major fraud cases that have taken place.

SP28: Base fraud reporting on structured KPIs and target broad audience

Whilst many telcos limit fraud reporting to their CFO and possibly the full board, such reports are also significant for various other entities within the telco organisation. Business owners form an evident target audience, but one might also consider billing and legal departments or even commercial outlets. A structured set of fraud KPIs seems the most suitable basis for an effective fraud operations report. Examples of viable KPIs include:
- Effective Fraud Loss (EFL)
- Prevented Fraud Loss (PFL)
- Revenue recovered
- Number of cases handled in reporting period

Telcos generally indicate that their (senior) management is most receptive to quantitative information and fraud seems a particularly suitable area to address this information desire.
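The KPI-based fraud report described in SP28, as an added illustration that is not part of the ETIS report: the case fields, the way EFL, PFL and revenue recovered are derived from them, and the sample cases are constructed assumptions. The same KPI set is produced as a board-level total and, optionally, as a per-scheme breakdown for business owners.

```python
from dataclasses import dataclass
from datetime import date

# Added example for SP28: a fraud operations report built from structured KPIs.
# Case fields and KPI derivations are assumptions for illustration, not ETIS definitions.
@dataclass(frozen=True)
class FraudCase:
    case_id: str
    closed: date        # date the case was handled (closed) by the fraud team
    scheme: str         # fraud scheme, used for the business-owner breakdown
    loss: float         # EUR actually lost before the case was detected (feeds EFL)
    prevented: float    # EUR blocked between detection and closure (feeds PFL)
    recovered: float    # EUR recovered afterwards, e.g. by settlement (revenue recovered)

def _aggregate(cases):
    return {
        "EFL": round(sum(c.loss for c in cases), 2),
        "PFL": round(sum(c.prevented for c in cases), 2),
        "recovered": round(sum(c.recovered for c in cases), 2),
        "cases": len(cases),
    }

def fraud_kpis(cases, period_start, period_end, by_scheme=False):
    """KPIs from SP28 over cases closed in [period_start, period_end].
    by_scheme=True adds a per-scheme breakdown aimed at business owners;
    the totals alone suit a CFO/board summary."""
    for c in cases:
        # A case cannot recover more than it lost, and amounts are never negative.
        if min(c.loss, c.prevented, c.recovered) < 0 or c.recovered > c.loss:
            raise ValueError(f"{c.case_id}: inconsistent amounts (recovered > loss or negative)")
    in_period = [c for c in cases if period_start <= c.closed <= period_end]
    report = {"period": (period_start.isoformat(), period_end.isoformat()),
              "total": _aggregate(in_period)}
    if by_scheme:
        report["by_scheme"] = {s: _aggregate([c for c in in_period if c.scheme == s])
                               for s in sorted({c.scheme for c in in_period})}
    return report

# Constructed sample cases (amounts in EUR); not real data
SAMPLE_CASES = [
    FraudCase("F-001", date(2012, 3, 5), "PBX dial-through", 12_000.0, 8_000.0, 3_000.0),
    FraudCase("F-002", date(2012, 3, 20), "subscription fraud", 4_500.0, 0.0, 500.0),
    FraudCase("F-003", date(2012, 4, 2), "PBX dial-through", 700.0, 15_000.0, 0.0),
    FraudCase("F-004", date(2012, 2, 11), "premium rate", 2_000.0, 6_000.0, 2_000.0),
]

def q1_2012_report(by_scheme=False):
    """Report for the constructed Q1 2012 reporting period (F-003 falls outside it)."""
    return fraud_kpis(SAMPLE_CASES, date(2012, 1, 1), date(2012, 3, 31), by_scheme)

if __name__ == "__main__":
    import json
    print(json.dumps(q1_2012_report(by_scheme=True), indent=2))
```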
6 Security in the development process

As history has proven, new products, systems and services are often accompanied by unforeseen vulnerabilities and are therefore at the source of many security incidents. The ETIS Security Benchmark has explored how operators address the security risks associated with such new products and services in their development processes. This chapter describes successful practices observed in this area.

SP10: Integral embedding of security in development

Telcos that participated in the benchmark generally agree that security should be addressed integrally throughout the process of developing a product or service. This means that:
a. Each stage of the formal development process at a telco should include security activity
b. Each decision tollgate in the formal development process should include specific security deliverables suitable to the preceding stage

The net result should be a process where security requirements are defined in the earliest project stages and the remainder of the project incorporates a consistent level of attention towards ensuring that these requirements are met. This means that security should still be a topic of interest once the project reaches such phases as testing, piloting and handover to operational units.

Experiences indicate that a process for managing security in development will only work well if the governing authority (in most cases the CSF) actually has the possibility of stopping a project if security is somehow not addressed appropriately. This should include a strong vote at the launch gate. Here, please bear in mind that this possibility of stopping projects should of course only be exerted in extreme cases, to avoid a situation where the CSF is seen as a hindrance to business.

SP11: Project rating determines security approach

An approach seen at several operators is to assign a security rating to a project in its early stages. This rating subsequently determines the (detail of the) security approach for the remainder of the project. One might for instance distinguish projects that require a thorough risk assessment from those that can follow a standard security baseline, based on the risk profile of the product or service under development.

Differentiating security approaches among projects on the basis of a security/risk rating is found to be an effective provision for balancing the effect of risk management activity with the effort required to this end.
SP12: Next generation security architecture that transcends technology

When developing NG¹ (Next Generation) infrastructure and services, it is wise to address the specific nature of NG security through a specific NG security architecture. Here, the following practices are instrumental for achieving adequate results:
a. The NG security architecture should not be limited to technological issues, but also reflect the impact of NG on such issues as governance, policies and processes.
b. Explicitly distinguish security provisions at the level of networks and services, respectively, to account for the new setup in which a single network will provision a variety of services.
c. Rather than mandating specific security measures, the NG security architecture should predominantly consist of design principles and common security provisions. The latter refers to shared security provisions that accommodate many services, for instance a central identity and access management module.

For any NG security architecture to function well, it should be set up as a joint effort of various competences within the operator organisation. This includes IT, infrastructure and commercial departments.

SP20: Maintain Risk Treatment Plan (RTP) during development

Maintaining a so-called Risk Treatment Plan (RTP) in development projects is a promising concept that could be successful at many operators. Such a Risk Treatment Plan should at least document the following:
• An overview of primary (top 5 or top 10) risks with respect to the product or service under development
• The risk treatment strategy (accept, mitigate, avoid, …) selected for each of the acknowledged risks
• A summary of security measures embraced and the corresponding security investment (financial, man hours, time) required in the project
• An indication of risk severity both before and after risk treatment, in qualitative (type of damage) as well as quantitative (financial) terms

Projects should ideally be required to produce a first version of the RTP early on in the project and establish updates at each subsequent project tollgate. Through this approach, the RTP is enhanced and refined as the innovation is elaborated in more detail.

Apart from guiding the general process of security risk management, the RTP could also facilitate decision making and business involvement. To achieve this, business owners of the product under development should be required to sign off each version of the RTP, thus declaring that they agree with the risk treatment decisions and security investments specified.

¹ Within this context, NG refers to the packet-based successor of traditional telecommunications where internet technology is predominant and typical service portfolios include multiplay (voice, TV, internet) and 3G data services.
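A minimal model of the RTP described in SP20, added here as an illustration that is not part of the ETIS report or of any operator's tooling: the record layout, the consistency rules (a treatment strategy must match the claimed before/after exposure) and the rule that a tollgate only passes once every RTP version up to it is signed off by the business owner are assumptions, as are the tollgate names and the sample project.

```python
from dataclasses import dataclass, field

# Added illustration of the RTP in SP20; structure and rules are assumptions, not ETIS's
STRATEGIES = {"accept", "mitigate", "avoid"}   # page lists these, with "..." for others
MAX_RISKS = 10                                 # assumption: "top 5 or top 10" primary risks

@dataclass
class Risk:
    title: str
    damage_type: str            # qualitative severity: type of damage
    financial_before: float     # quantitative severity before treatment (EUR)
    financial_after: float      # quantitative severity after treatment (EUR)
    strategy: str
    measures: list = field(default_factory=list)   # (name, cost_eur, man_hours) tuples

@dataclass
class RtpVersion:
    tollgate: str               # e.g. "concept", "design", "launch" (constructed names)
    risks: list
    signed_off_by: str = ""     # business owner who signed this version; "" = not yet

def check_version(v):
    # Consistency findings for one RTP version; an empty list means it is acceptable
    f = []
    if not 1 <= len(v.risks) <= MAX_RISKS:
        f.append(f"{v.tollgate}: expected 1-{MAX_RISKS} primary risks, got {len(v.risks)}")
    for r in v.risks:
        if r.strategy not in STRATEGIES:
            f.append(f"{r.title}: unknown strategy {r.strategy!r}")
        if r.financial_after > r.financial_before:
            f.append(f"{r.title}: residual exposure exceeds inherent exposure")
        if r.strategy == "mitigate" and not r.measures:
            f.append(f"{r.title}: 'mitigate' chosen but no measure documented")
        if r.strategy == "accept" and r.financial_after != r.financial_before:
            f.append(f"{r.title}: 'accept' must not claim reduced exposure")
        if r.strategy == "avoid" and r.financial_after != 0:
            f.append(f"{r.title}: 'avoid' should leave no residual exposure")
    return f

def investment(v):
    # Security investment summary for a version: (EUR, man hours) over all measures
    ms = [m for r in v.risks for m in r.measures]
    return sum(m[1] for m in ms), sum(m[2] for m in ms)

def may_pass_tollgate(versions, tollgate):
    # Findings blocking a tollgate: every version up to it must be consistent and signed off
    f, seen = [], False
    for v in versions:
        f += check_version(v)
        if not v.signed_off_by:
            f.append(f"{v.tollgate}: RTP version not signed off by business owner")
        if v.tollgate == tollgate:
            seen = True
            break
    return f if seen else f + [f"no RTP version exists for tollgate {tollgate!r}"]

# Constructed sample: a customer self-service portal, RTP refined from concept to design gate
CONCEPT = RtpVersion("concept", [
    Risk("Credential stuffing on login", "account takeover", 250_000, 250_000, "mitigate", [("MFA (estimate)", 30_000, 400)]),
    Risk("Premium-rate fraud after SIM swap", "financial loss", 120_000, 120_000, "accept"),
], signed_off_by="product owner")
DESIGN = RtpVersion("design", [
    Risk("Credential stuffing on login", "account takeover", 250_000, 40_000, "mitigate", [("MFA and rate limiting", 35_000, 450)]),
    Risk("Premium-rate fraud after SIM swap", "financial loss", 120_000, 0, "avoid", [("SIM-swap cooling-off period", 10_000, 120)]),
])
```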
SP29: Maintain tangible security design guidelines

Operators could greatly benefit from developing and mandating security design guidelines that define a standard (minimum) security configuration for systems and networks. Such guidelines could serve as a reference for development staff and for instance address system hardening, network segmentation, web application development, access control and authentication protocols.

Within operator organisations, specific IT departments will often develop design guidelines for their own local context that could also be of value for other IT units. CSF teams could facilitate this by compiling available guidelines, generalising them where necessary and subsequently incorporating them in their policy and guidance structures. This approach is often effective, since IT departments have more in depth knowledge of the actual technologies whilst the CSF will have a broader view on the areas of application.

SP30: Conduct hacking contests among developers

An interesting approach towards achieving security awareness is to organise hacking contests among development staff. Apart from raising awareness, contests such as these also reveal which developers are interested in and have a certain talent for security matters.

As an example, development staff might be offered a web portal that incorporates several vulnerabilities and be challenged to identify the gaps.

SP31: Maintain library of standardised security requirements

Establishing and maintaining a library of (standardised) security requirements that can be matched onto specific projects has worked out well at several operators. Selection of such generic security requirements can be complemented with specific requisites to address needs of individual projects. Expert opinion appraisal or risk assessment could form the basis for this.
7 Security monitoring and incident management

This chapter presents successful practices observed at the benchmark participants in the areas of security monitoring and incident management. Factors addressed in the benchmark under this denominator include:
• Nature and setup of incident management provisions in the operator’s organisation, where “security incident” is defined as any accidental or intentional breach of (information) security in information systems, services and networks and “incident management” refers to the process of analysing, correcting and reporting such security incidents
• Duties, approaches and methodologies of the Computer Emergency Response Team (CERT) and Security Operations Center (SOC) to the extent that these are present in the organisations of participating telcos.

Where present, CERT teams and SOC units usually play an important role with respect to security monitoring and incident management. Thus the benchmark addressed such provisions through specific questions.

SP13: SOC for both internal and commercial purposes

The transition to full-IP infrastructures has made telcos susceptible to on-line attacks. What’s more, such attacks are continuously becoming more complex and large scale, thus increasingly requiring specialised expertise to manage them. Many benchmark participants have had good experiences with setting up a so-called Security Operations Center (SOC), defined as a dedicated, centralised function for continuously monitoring and managing attacks on telco infrastructure. Here, the following is of importance:
a. Benchmark participants generally agree that centralisation is a key success factor for security monitoring, if only because it enforces bundling of the (scarce) expertise an operator has available to this end.
b. Competences already available in CERT teams will usually offer a good starting point to establish the requirements for a SOC. Once in operation, SOC and CERT staff should maintain a close working relationship (possibly by integrating both into one unit).
c. It is usually attractive to widen the objectives of a SOC beyond internal hygiene and also exploit it as a commercial service. However, care should be taken when approaching customers with this possibility, since they might be unpleasantly surprised when made aware of possible security events on their network.

When considering commercial exploitation of a SOC, its primary purpose of protecting an operator’s service infrastructure should not disappear into the background. A possible approach to this end is to establish separate SOC units for internal and external purposes, respectively. Whilst this may not directly seem the most efficient approach, we have observed several operators employing this to great satisfaction.
SP21: Reuse 24/7 capability of NOC for first line monitoring in SOC

Most operators already have a Network Operations Center (NOC) in place that monitors the (continuity of the) telco infrastructure on a 24/7 basis. This capability might to some extent be reused in the SOC, thereby establishing initial 24/7 operations at no or limited investment in additional personnel.

NOC personnel might be trained to provide at least first line monitoring and support during nightly hours. Getting this level of service up on a 24/7 basis will already greatly enhance the effectiveness and value of the SOC. To enhance the capabilities of the SOC even further, one might consider the concept of an on-call security specialist who is on standby in case severe incidents arise.

SP32: Provide crisis team members with 3rd party SIM in address card

It is already good practice for members of crisis teams to have a SIM card of a third party operator on them. With such a SIM card in their possession, they can keep communicating, even if a large disturbance hits their own mobile network.

One benchmark participant integrated this SIM with an address card containing contact information for the other team members and a crisis management process description. This can be considered as a small and handy “crisis management team member toolkit”. The operator that developed this concept has had good experiences with this solution.

SP33: Establish active cooperation with other SOCs

Some telcos have had good cooperation experiences among their internally oriented and commercial SOCs. Such cooperation allows for exchange of knowledge, tooling, configurations and even people.

Some participants indicate they would also like to explore cooperation with SOCs in other industries (e.g. banking SOCs). Such cooperation across industries might give interesting (fresh) perspectives on threats, priorities and SOC operations in general.