Product Assurance Guidelines For Telecom

This presentation will assist you in protecting your revenues.


Page 1: Product Assurance Guidelines For Telecom

Product Assurance

• Guidelines for Product Assurance, Risk and Fraud Assurance for all new product/service launches for Telecom.

Syed Thameem www.yu.co.ke Revenue Assurance & Fraud

Page 2: Product Assurance Guidelines For Telecom

Product & Service Risk Assessment – Questions

• Within Econet, is the “Product Manager” made responsible for the loss as well as the profit?

• Who has ownership and responsibility for ensuring products are launched with fraud protection built in?

• What financial figure is placed upon potential fraud losses?

• When is the Fraud Team involved within the process?

• Is the Fraud Team actually listened to, or does Marketing rule?

• Is the Fraud Team playing catch-up when defining fraud controls?

• Is the Fraud Team viewed as the enemy or as a valuable part of the end-to-end process?

Page 3: Product Assurance Guidelines For Telecom

Product & Service Risk Assessment – Introduction

• Fraud & Security Risk Assessments – why?

◦ Enables the creation of fraud-resistant products and services.

◦ Prevents and mitigates losses caused by fraud.

◦ Far more cost effective to implement controls and measures at the beginning.

◦ Minimises the effects of fraud on genuine customers and protects the brand image.

◦ Utilised to determine fraud strategy and the operational changes needed to working practices and detection tools.

◦ Develops and encourages a coherent Company/Group-wide approach to fraud knowledge and awareness.

Page 4: Product Assurance Guidelines For Telecom

Product & Service Risk Assessment – Introduction

• Product assurance MUST become an integral part of the new and existing product development process.

• Revenue protection features (incl. fraud) should be assessed for all products/services launched.

• Required protection levels, controls and enhancements to existing services should also be identified and implemented.

• Activation, service delivery, billing etc. for all products should be tested to ensure accuracy and that the service can be charged for!

• It is not, and cannot ever be, a single or one-off activity; it requires input from different business areas to succeed.

Page 5: Product Assurance Guidelines For Telecom

Product Risk Lifecycle

(Diagram.) Stages and functions shown: Marketing & Development; Dealer / Sales Channel; Activations & Fulfillment; Customer Care; Billing & Collections; Recovery of Money, Equipment & Service; Fraud Department.

Page 6: Product Assurance Guidelines For Telecom

Product Evaluation Process

Page 7: Product Assurance Guidelines For Telecom

Fraud Risks with New Products & Services

• Each product and service in the market represents a potential new opportunity for fraudulent attack.

• Pressure to launch new services to gain competitive advantage often results in little attention being paid to security or fraud initiatives.

• This risk is compounded when these services are offered by new operators or in highly competitive markets.

• A key aspect of the fraud management role is to be an integral part of the new product and service development process.

• The Fraud Team needs to ensure it can determine the required points of control, measurement and monitoring, so that appropriate prevention initiatives are in place.

Page 8: Product Assurance Guidelines For Telecom

Fraud Risk Assessment – Stages

• Evaluation of risks in new products/services must take place at each main phase that the product/service passes through, meaning:

◦ CONCEPT

◦ DESIGN

◦ IMPLEMENTATION

◦ LAUNCH

◦ POST LAUNCH

• At each gate, the Fraud Team should assess and determine the potential risks and consider which new characteristics of the proposed product/service are likely to be abused – this will be based on the available documentation, namely the Business Requirements Specification.

• Product/service characteristics will usually vary significantly from one phase to another, so the evaluation has to be performed thoroughly each time.

Page 9: Product Assurance Guidelines For Telecom

Before Starting Assessment

• Maintain a database of all the products/services the Fraud Team receives – via the concept.

• Assign a PRIORITY based on the information you have at the Design Phase – you will not want to have to look at EVERYTHING!

• Estimate the level of resources required, the level of experience needed in various fields, and the time at hand.

• Assign a project risk code for tracking purposes – for future monitoring and follow-up of actions/responsibilities.

• Communicate first decisions to Marketing – for some products you will have a “no-go” decision; Marketing should know your position and reasoning.

• When agreed, commence the FRA – remember, the same points need to be re-assessed at each Phase/Gate!!

Page 10: Product Assurance Guidelines For Telecom

Defining the High Level Framework

• Product and service risk assessment will need to include analysis of the following areas:

◦ Technical infrastructure – service delivery mechanisms

◦ Acquisition – service offering and intended market

◦ Registration process – fulfilment of service requirements

◦ Pricing structure – assuring the revenue as opposed to potential for abuse

◦ Billing – integrity

◦ Charging/billing – methodology and completeness

◦ Customer confidentiality – protection of information

◦ Legal and regulatory – requirements fully met

◦ Authority levels/approval/sign-off – compliance

◦ Escalation paths, contingency planning etc. – strategy

◦ Security policies and practices – specific to the product

Page 11: Product Assurance Guidelines For Telecom

Defining the High Level Framework cont’d

• Process and Technology Risks are likely to come from the following areas:

◦ Requirements management

◦ Product/services process design

◦ Product customisation

◦ Program change/version control

◦ System/configuration data control

◦ Transaction data control

◦ Security architecture

◦ Functionality testing and compliance

◦ Data conversions

◦ End user acceptance

◦ System cutover/going live

◦ Operational support/backup

Page 12: Product Assurance Guidelines For Telecom

Product & Service Fraud and Security Assessment

(Diagram.) Assessment areas shown, together with Product Assurance & Service Integrity:

◦ Customer acquisition

◦ Access to data, controls & auditing

◦ Billing, collections & payment

◦ Business processes & Fraud & Security Policy

◦ Known weaknesses/vulnerabilities

◦ Operational procedures and working practices

◦ Customer type (mass/micro/corp)

◦ Product or service features

◦ Systems & Platforms

◦ Security structure (physical, IT & network)

◦ Solution strategy

Page 13: Product Assurance Guidelines For Telecom

FRA Checklists

Benefits:

• To determine the scope of the proposed audit – technology and personnel

• To provide a standard methodology and approach to performing the PDN audits

• To determine the points to prove/disprove

• To provide a point of reference for developing the interviews

• To facilitate supplementary actions

• To prevent future security breaches developing in the business

• To eradicate weaknesses in systems, processes and practices

• A means of ensuring all aspects of the audit will be, and have been, covered

• To be used to produce management reports – facts that will support decisions on security standards compliance

Page 14: Product Assurance Guidelines For Telecom

FRA Checklists

Details:

• Prepare and use standard PDN audit templates

• When developing the re-audit program, look to enhance existing MBSS checklists

• Record all details – network platforms, data sources etc.

• Detail the information sources used – business and vendor documentation (internal/external)

• Logically detail the technical equipment and processes to be audited

• Identify the assets; evaluate likelihood of the risk, severity, risk factor and audit method, e.g. interview, technical scan, document

• Grade the management of the perceived risk (high/medium/low)

• Create details for each system/data set: confidentiality, reliability, integrity, availability

Page 15: Product Assurance Guidelines For Telecom

Stage 1 – Information Gathering

• Essential for the earliest possible visibility.

• Obtain information about the product/service owners and their involvement in the product/service delivery – WHO are your business partners?

• Obtain background information on the product/service functional elements and their interoperability, including their interaction with other systems, and general product/service characteristics.

• Ensure that you have a thorough understanding of the main attributes of the product/service, for example: how the product will be offered, the proposed market segment (corporate/business/residential), the billing/charging requirements, collection of revenue, and any third party relationship.

• Information gathering MUST be performed at all stages of risk assessment – good communication must be established and maintained with the other parties involved in the product launch.

• When conducting feasibility studies, issue the Fraud Questionnaire as soon as a new product or risk is discovered.

Page 16: Product Assurance Guidelines For Telecom

Stage 2 – Analysis

• Information obtained MUST be analysed from a risk perspective, considering the known fraud instances to date, the system’s characteristics and known fraud trends.

• When changes occur in the process design, delivery or implementation method, etc., the analysis MUST be redone.

• When the product is complex, the Analysis stage can be split into smaller entities for separate analyses, or even by different people if they require different sets of skills, such as:

◦ Technical specification – Engineering for network services and platforms, and IT for billing requirements

◦ Registration process – Sales from a customer acquisition perspective, and Customer Care from a customer handling perspective

◦ Data integrity – Engineering for network services and platforms, and IT for billing requirements

◦ Charging flow – Engineering for network services and platforms, IT for billing requirements, and RA & FM for revenue protection

◦ Payment reconciliation – Credit & Collections, IT, and RA & FM for revenue protection

Page 17: Product Assurance Guidelines For Telecom

Stage 3 – Risk Assessment

• The main objective of the FRA will be to determine, based on the information analysed in the previous stage, what, why and how fraud risks can occur.

• The following aspects MUST be taken into account:

◦ The nature of the service being provided

◦ The revenue requirements vs. acceptable losses

◦ How the product/service will be securely provisioned

◦ How it will be billed and payment received

◦ How different business systems will interact to ensure revenue integrity

◦ How customer care issues will be handled

◦ The development of necessary audit trails

◦ Reporting on revenue vs. losses, including reconciliation practices

Page 18: Product Assurance Guidelines For Telecom

Stage 3 – Risk Assessment – cont’d

• The FRA is a “Team”-based activity involving the product owners, the personnel performing the work (likely to be technical/IT) and colleagues from other departments that the product or service impacts upon (likely to be Customer Care/Finance/Credit & Collections – Fraud & RA).

• Several techniques should be used during FRAs; these will vary according to each product’s specifics, but will have to include:

◦ Structured interviews with relevant interested parties (technical/procedural)

◦ Specific focus groups within the operations

◦ Individual assessment using questionnaires (where appropriate)

◦ External information sources – GSMFF, FMS User Groups, other operators etc.

◦ Fraud workshops with Development Teams – demonstrate fraud loss potential

◦ Fraud Team to promote an open door in return for assistance

Page 19: Product Assurance Guidelines For Telecom

Stage 4 – Risk Assessment Matrix

• The FRA Matrix should include:

◦ Threats

◦ Vulnerabilities

◦ Impact

◦ Controls

◦ Product/Service narrative

• FRAs should be regularly reviewed to ensure the matrix is kept updated.

• Research and Intelligence gained MUST be fed into the matrix.

• Must encourage a “feedback stage” – pooling of ideas.

• Study of emerging fraud techniques.

• Newly defined controls, points of measurement, reporting etc. must be incorporated.

• Essentially the FRA matrix should be evolving and usable to benefit all Fraud Team personnel – experienced and new entrants alike.

Page 20: Product Assurance Guidelines For Telecom

Stage 4 – Risk Qualification Matrix

• Develop a simple and visual way to assess risk, using a summary of the risks identified during the previous stages.

• Each risk area is scored on a scale of 0 to 3 for likelihood of fraud or leakage, where 3 represents the greatest likelihood of fraud at the current time.

• Each risk area is again scored from 0 to 3 for the possible financial impact if revenue leakage or fraud is possible in that area. These two scores are then multiplied to give a score from 0 to 9.

Score   Colour      Fraud & Revenue Assurance Risk
0-1     No colour   Insignificant risk
2       Green       Low risk
3-4     Yellow      Moderate risk
6, 9    Red         Severe risk

Page 21: Product Assurance Guidelines For Telecom

Usage Completeness – Purpose & Value

• More precisely, what are we looking for during the Risk Assessment process?

• Firstly, we need to ensure a record will be generated – no XDR, no revenue, nothing to monitor!

• Need to determine the specific controls on the revenue path, and that detection practices will exist, considering the product to be launched.

• Ensure that data reprocessing is available in case of error.

• Ensure the XDR generation process is tested and that backups are available.

• Ensure Partial Records are generated if needed and that aggregation is correctly performed.

• Consider settlement issues.

Page 22: Product Assurance Guidelines For Telecom

Usage Completeness – cont’d

• Ensure that Mediation rules will be changed accordingly, if required – look for wrongly rejected CDRs in Mediation!

• Check how the duration is being recorded and ensure it is correct.

• Look at the CDR generation process at the Switch – can the CDRs be copied or transmitted to a 3rd party?

• Look at the controls on the CDR path – can someone delete the records without you knowing?

• All these are RA-related pointers .... BUT will turn to Fraud if word gets out that systems can be abused!!

• Work together with the Technical and RA Teams, replicating possible fraud scenarios, to ensure controls are working and effective.

Page 23: Product Assurance Guidelines For Telecom

Billing Accuracy – Purpose & Value

• Ensure that it will not interfere with existing products and services – can a fraudster use this service to prevent billing for other services?

• Ensure you can accurately identify the customer based on the records generated – especially in the IP area.

• Ensure that you can reprocess the data.

• Look for the Call Scenarios described in the documents – do they cover all possibilities?

• Ensure you have drill-down capabilities to support fraud investigations.

• Perform tests to ensure that rating is done according to the published tariffs.

• Assess how billing is performed and based on what data – is it purely CDR-based, or are there discounts for volume?

Page 24: Product Assurance Guidelines For Telecom

Usage Visibility and Reporting

• The Fraud Team relies heavily on information being VISIBLE.

• If records are not available to Fraud/RA systems or reports, there is basically no control over what is happening in the network – from a fraud and RA perspective.

• MUST ensure, as early as the product design phase, that traffic is included in Fraud and Credit Reports.

• Need to ensure traffic is included as a feed into the FMS – if a new CDR generation platform is being used, allow time to develop decoders and parsers, if necessary.

• Ensure visibility is provided of all the operations the customer is making, not only the access – DTMF analysis should be used for IVRs and Voicemail Systems.

Page 25: Product Assurance Guidelines For Telecom

Service Access Control

• Who is using the service and how? – the Fraud Team NEEDS TO KNOW THIS!!

• Check the network diagrams and proposed architecture layout to assess if proper segregation is in place – compartmentalisation.

• Check if the customer can be attacked via IP while using the service.

• Check to ensure the new service will not allow a barred customer to make calls through it.

• Check the product will not allow other products to be accessed – for instance, if it’s a Data product, that Voice is barred.

• Ensure a Fair Usage Policy is deployed when offering an “unlimited” service – assess opportunities for exploitation.

• Check that when service is provided based on a password/username, these are kept encrypted using good encryption – i.e. AES (Advanced Encryption Standard).

Page 26: Product Assurance Guidelines For Telecom

Third Party Requirements

• Ensure clear requirements are included in the contract with any 3rd party – do’s and don’ts and the extent of liability for fraud.

• Customer information and traffic MUST be protected from attack while using a third party service, so protection MUST be built around that.

• Validate 3rd party working practices and procedures – perform site visits to assess the levels and standards of protection – leave nothing to trust.

• Check any CDR generation mechanism, authentication and monitoring capabilities.

• Especially in cases of Fraud, determine whether the contract allows for the money to be recovered from the third party, or at least withheld where fraud is evidenced.

• Ensure there are reasonable traffic limits and that the Fair Usage Policy is applied to the services offered by the 3rd party.

Page 27: Product Assurance Guidelines For Telecom

Technical Requirements

• Check and assess the security of the product in terms of customer authentication, encryption and network segregation. For IP products, check if the network can be attacked by using the newly deployed platform – e.g. a DoS attack.

• Ensure comprehensive Audit Trails are available and that there is a defined and workable process for reviewing them – fatal to find out later that nothing can be checked or validated.

• Ensure backups will be performed and that the data will be stored long enough to assist in fraud investigations.

• Perform technical testing by using the product as part of the technical group and test its limits – stress hour. Keep in mind that network elements might behave differently when traffic volumes are high.

Page 28: Product Assurance Guidelines For Telecom

Testing Requirements

• The Fraud Team MUST be part of the Testing Team to assess both risks and customer experience while using the product.

• Check usage against billing to determine that rating is performed correctly.

• Use a TCG if available to assess duration accuracy and the rounding rules applied in rating.

• Perform regression tests of existing revenue streams to ensure nothing is being lost because of the new product/service.

• Test all defined controls to ensure they all work before the product is launched! – remember, DO NOT ASSUME everything will work without CHECKING IT!
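The checks that the Usage Completeness, Billing Accuracy and Testing Requirements slides ask for (a record for every call, partial records aggregated, duration recorded correctly, nothing lost on the CDR path, rating per the published tariff and its rounding rules) as one reconciliation pass over test call generator (TCG) results, written here as an added example and not code from the original presentation. The record layouts, the tariff with its longest-prefix rule and every call in it are constructed for illustration.

```python
"""Reconcile TCG test calls against switch CDRs and billed amounts.

Added example, not part of the original presentation; record layouts, tariff and all call
data are constructed. Checks: is a record generated at all, are partials aggregated, is
duration recorded correctly, can records vanish from the CDR path unnoticed, and is rating
done per the published tariff and its rounding rules.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from math import ceil

@dataclass(frozen=True)
class Tariff:
    rate_per_min: Decimal  # published price per minute
    unit_s: int            # billing increment in seconds; partial units are rounded UP

@dataclass(frozen=True)
class TcgCall:             # what the test call generator knows for certain
    ref: str
    b_number: str
    duration_s: int

@dataclass(frozen=True)
class Cdr:                 # one record as produced by the switch (possibly a partial)
    seq: int               # switch-side sequence number, contiguous within a stream
    ref: str
    b_number: str
    duration_s: int

# Constructed tariff (longest matching destination prefix wins) and constructed test data.
TARIFF = {"254": Tariff(Decimal("3.00"), unit_s=60), "44": Tariff(Decimal("12.00"), unit_s=1)}
TCG_CALLS = [
    TcgCall("T1", "254700000001", 61),
    TcgCall("T2", "442000000000", 125),
    TcgCall("T3", "254700000002", 600),  # long call: the switch cuts two partial records
    TcgCall("T4", "254700000003", 30),   # no CDR produced at all
]
CDRS = [
    Cdr(1001, "T1", "254700000001", 58),   # duration understated by 3 s
    Cdr(1002, "T2", "442000000000", 125),
    Cdr(1003, "T3", "254700000002", 300),  # partial 1 of 2
    Cdr(1005, "T3", "254700000002", 300),  # partial 2 of 2; seq 1004 never arrived
]
RATED = {"T1": Decimal("3.00"), "T2": Decimal("24.00"), "T3": Decimal("30.00")}  # amounts billed

def lookup_tariff(b_number: str) -> Tariff:
    return TARIFF[max((p for p in TARIFF if b_number.startswith(p)), key=len)]

def expected_charge(duration_s: int, tariff: Tariff) -> Decimal:
    """Apply the published rounding rule: round the duration UP to whole billing units."""
    units = ceil(duration_s / tariff.unit_s)
    amount = Decimal(units * tariff.unit_s) * tariff.rate_per_min / Decimal(60)
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def sequence_gaps(cdrs: list[Cdr]) -> list[int]:
    """Sequence numbers absent from the stream: records lost or removed on the CDR path."""
    seqs = sorted(c.seq for c in cdrs)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present] if seqs else []

def aggregate_partials(cdrs: list[Cdr]) -> dict[str, int]:
    """Total recorded duration per call, summing partial records of the same call."""
    totals: dict[str, int] = {}
    for c in cdrs:
        totals[c.ref] = totals.get(c.ref, 0) + c.duration_s
    return totals

def reconcile(tcg: list[TcgCall], cdrs: list[Cdr], rated: dict, tolerance_s: int = 1) -> list[tuple]:
    """Return (check, call ref, detail) findings; an empty list means every control passed."""
    findings = [("SEQUENCE_GAP", "-", f"missing seq {s}") for s in sequence_gaps(cdrs)]
    recorded = aggregate_partials(cdrs)
    for call in tcg:
        if call.ref not in recorded:
            findings.append(("MISSING_CDR", call.ref, "call made but no record generated"))
            continue
        if abs(recorded[call.ref] - call.duration_s) > tolerance_s:
            findings.append(("DURATION_MISMATCH", call.ref, f"TCG {call.duration_s}s vs CDR {recorded[call.ref]}s"))
        # Rating is judged on what the switch recorded, so a duration error is not counted twice.
        expected = expected_charge(recorded[call.ref], lookup_tariff(call.b_number))
        billed = rated.get(call.ref)
        if billed is None:
            findings.append(("NOT_RATED", call.ref, "CDR exists but nothing was billed"))
        elif billed != expected:
            findings.append(("RATING_ERROR", call.ref, f"billed {billed} expected {expected}"))
    return findings
```

On the constructed data, `reconcile(TCG_CALLS, CDRS, RATED)` reports a sequence gap at 1004, a duration mismatch for T1, a rating error for T2 (billed 24.00 where the per-second tariff gives 25.00) and a missing CDR for T4; T3's two partials aggregate to the full 600 s and rate correctly.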

Page 29: Product Assurance Guidelines For Telecom

Specifying Controls

• Develop a Risk/Control Matrix to determine the overall fraud protection for the product or service.

• Ensure internal processes and procedures include the new product/service – for instance, that there is a suspension method available in case of fraud or evidence of non-charging, service payment issues etc.

• Controls should fall into one of these categories:

◦ Procedural Controls – changes/improvements in the way things are being done

◦ System Controls – changes in the way the systems operate

◦ Physical and Logical Controls – generally built around the production systems, which may involve the use/creation of physical tokens, creation of secured areas, etc.

• Identified Fraud Risks will be a combination of consequences and likelihood, together with the corresponding controls, providing advice and guidance on reducing the risk or improving the position.

Page 30: Product Assurance Guidelines For Telecom

Specifying Controls cont’d

• System Based Controls – e.g. application-configurable controls – more reliable than manual controls.

• Automated Controls – e.g. controlled by application functionality.

• Manual Process Controls – e.g. critical manual controls that will operate outside of an application for integrity/reliability of data.

• Interface/Integration Controls – e.g. controls that will ensure data integrity across the interface – need to be identified and verified.

• Reporting Controls – to ensure that reports can be generated from an application and that they will be accurate.

• Application Security Controls – e.g. SOD (segregation of duties) – restrict inappropriate or excessive access privileges.

Page 31: Product Assurance Guidelines For Telecom

Fraud Risk Assessment Output

• It will be essential to communicate with the business. Example methods are:

◦ Inherent Risk: None/Low/Med/High – stating the risks as they exist in raw form – PRIOR to controls

◦ Residual Risk: None/Low/Med/High – identified risks to be mitigated by the proposed controls

◦ Assessment Rating: Med/High – Fraud Team RECOMMEND not to launch, or alternatively define the NEED for “Specific Modifications/Controls”

NB: The Product Owner must be in a position to request a further FRA if any agreed controls are not implemented or if the product is significantly changed.
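The Stage 4 FRA matrix and risk qualification scoring (Pages 19 and 20) carried through to the Inherent / Residual / Assessment Rating output described above, as an added example in Python and not material from the original presentation. The 0-3 scales, the multiplied 0-9 score and its colour bands come from the slides; the mapping of colour bands onto None/Low/Med/High, the model in which each implemented control takes points off the likelihood score, and the sample rows are assumptions made for this example.

```python
"""FRA matrix with the Stage 4 risk qualification scoring and the FRA output labels.

Added example, not part of the original presentation. From the slides: 0-3 likelihood and
impact scales, the multiplied 0-9 score with its colour bands, and the Inherent / Residual /
Assessment Rating output. Assumed here: the colour-band to None/Low/Med/High mapping, a model
where each implemented control takes points off the likelihood score, and the sample rows.
"""
from dataclasses import dataclass, field

LEVELS = ["None", "Low", "Med", "High"]

@dataclass
class Control:
    name: str
    kind: str                  # Procedural / System / Physical & Logical (Page 29 categories)
    likelihood_reduction: int  # assumed model: points taken off the 0-3 likelihood once implemented
    implemented: bool = False

@dataclass
class RiskArea:
    """One row of the FRA matrix: threat, vulnerability, impact, controls and narrative."""
    area: str
    threat: str
    vulnerability: str
    likelihood: int            # 0-3, 3 = greatest likelihood of fraud or leakage right now
    impact: int                # 0-3, 3 = greatest possible financial impact
    controls: list[Control] = field(default_factory=list)
    narrative: str = ""

def qualify(score: int) -> tuple[str, str]:
    """Colour band and label for a 0-9 score (5, 7 and 8 cannot occur as products of 0-3 values)."""
    if score <= 1:
        return "No colour", "Insignificant risk"
    if score == 2:
        return "Green", "Low risk"
    if score <= 4:
        return "Yellow", "Moderate risk"
    return "Red", "Severe risk"

def level(score: int) -> str:
    """Assumed mapping of the colour bands onto the output slide's None/Low/Med/High labels."""
    return {"Insignificant risk": "None", "Low risk": "Low",
            "Moderate risk": "Med", "Severe risk": "High"}[qualify(score)[1]]

def inherent_score(r: RiskArea) -> int:
    """Raw risk PRIOR to controls: likelihood multiplied by impact."""
    return r.likelihood * r.impact

def residual_score(r: RiskArea) -> int:
    """Risk after the controls actually implemented; proposed-but-missing controls count for nothing."""
    reduction = sum(c.likelihood_reduction for c in r.controls if c.implemented)
    return max(0, r.likelihood - reduction) * r.impact

def assess(matrix: list[RiskArea]) -> dict:
    """FRA output: per-area inherent/residual levels, missing controls and the overall rating."""
    rows = []
    for r in matrix:
        res = residual_score(r)
        rows.append({"area": r.area, "score": res, "colour": qualify(res)[0],
                     "inherent": level(inherent_score(r)), "residual": level(res),
                     "missing_controls": [c.name for c in r.controls if not c.implemented]})
    rating = max((row["residual"] for row in rows), key=LEVELS.index, default="None")
    # Page 31: a Med/High rating means recommend not to launch, or define the specific controls needed.
    recommendation = ("Do not launch until the missing controls are implemented and re-assessed"
                      if LEVELS.index(rating) >= LEVELS.index("Med") else "Launch may proceed")
    return {"rows": rows, "rating": rating, "recommendation": recommendation}

# Constructed sample rows for a hypothetical new data bundle delivered over a new charging platform.
SAMPLE_MATRIX = [
    RiskArea("Service access control", "Barred customer obtains service",
             "Provisioning does not check barring status", likelihood=3, impact=2,
             controls=[Control("Barring check at activation", "System", 2, implemented=True)]),
    RiskArea("Usage completeness", "Traffic invisible to Fraud/RA",
             "New platform's XDRs are not fed to the FMS", likelihood=2, impact=3,
             controls=[Control("FMS feed and CDR decoder for new platform", "System", 2)]),
    RiskArea("Third party settlement", "Disputed revenue share", "Reconciliation not defined",
             likelihood=1, impact=1,
             controls=[Control("Monthly reconciliation", "Procedural", 1, implemented=True)]),
]
```

With the sample rows, `assess(SAMPLE_MATRIX)` rates access control High inherent but Low residual (its control is in place), leaves usage completeness High because its only control is still unimplemented, and therefore returns an overall rating of High with a do-not-launch recommendation.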

Page 32: Product Assurance Guidelines For Telecom

Fraud Risk Assessment Handling

• There are several ways to handle the Fraud Risk once identified – the main methods are:

◦ Avoid the Risk: by deciding not to proceed with the activity likely to generate the risk

◦ Reduce the Likelihood: take actions to reduce or control the likelihood (such as additional levels of protection, segregation of duties, etc.)

◦ Reduce the Consequences: take actions to reduce the consequences of a risk (define liability for losses, price and charging policy, etc.)

◦ Transfer the Risk: this could involve another party bearing or sharing some element of the perceived risk – for instance, in the case of web payments, transferring the risk to an external merchant – PayPal, Paily, Moneybookers, etc.

Page 33: Product Assurance Guidelines For Telecom

Monitoring & Measurement – Post Launch

• The Fraud Team MUST monitor progress – usability of the product after launch.

• This is essential where a product or service was launched regardless of FRAUD RISK.

• The Fraud Team MUST look to demonstrate the “first fraud occurrence” and the corrective actions now required.

• Fraud technique – modus operandi (external/internal/collusion etc.).

• Value of losses being experienced – if any are evidenced.

• Effectiveness of controls defined and implemented.

• Define the time frames for “review and check” activities.

• Determine changes needed in fraud detection – new thresholds or alarms in the FMS etc.

• Report over time on associated fraud losses by product or service.

Page 34: Product Assurance Guidelines For Telecom

Balanced Approach – Session Summary

• Cost of Prevention / Detection / Investigation

• Software will not prevent fraud

• People will not prevent fraud

• Need to work together

• Software to help people

Page 35: Product Assurance Guidelines For Telecom

End

We can stop revenue leakage by being proactive – kindly involve RA in all our new product/service launches.

Thank you for your attention and support.