© ETIS 2012

Successful Practices in Telco Security
Benchmark observations 2010 - 2012

Date: October 7th 2012
Authors: H. Kerkdijk M.Sc. and R. Wolthuis M.Sc.
Version: FINAL

Successful practices in telco security - TNO v3c.ymcdn.com/.../resource/resmgr/docs/etis_information_… ·  · 2013-11-28



Successful Practices in Telco Security

Produced by TNO

PO Box 1416

9701 BK Groningen

The Netherlands

www.tno.nl

Authors H. Kerkdijk and R. Wolthuis

Project manager H. Kerkdijk

Project owner Terje Tøndel, ETIS

Status FINAL

Date October 7th 2012

© 2012 ETIS

Disclaimer

All rights reserved. No part of this document may be reproduced and/or published in any form by print, photoprint, microfilm or any other means without the previous written permission from ETIS. The commercial use of any information contained in this document is strictly prohibited.


Contents

Preface 4

Abbreviations 5

1 Introduction 6

1.1 Background 6

1.2 About this document 6

1.3 About TNO 7

2 Corporate Security Function 8

3 Security management 11

4 Commercial role of security 15

5 Fraud management 17

6 Security in the development process 19

7 Security monitoring and incident management 22


Preface

Already in its fourth year, the ETIS Information Security Benchmark is motivated by the prevailing absence of Telco specific security benchmarks focusing on the industry in Europe. Between 2009 and 2012, the Benchmark has incorporated a total of 16 European Telecom providers, many of which are now repeat participants. This continuity not only lends more value to the results as it allows for a good degree of comparability with previous years, but it also enables one to track the evolution of the security landscape and best practices.

As a complement to the Security Benchmark, we have also produced a Successful Practices Executive Report that is publicly available to highlight our work and also attract potential participants. Over the years, the survey has been exceptionally rich with interesting practices that Telcos might adopt from one another. The result is 33 best practices distributed over the various security themes. This rise has been partially due to the emergence of two major recent challenges: the struggle to manage employees bringing their personal devices (i.e. iPhones, tablets) into the corporate network and the rise of social media, which can be viewed both as a communications tool and as a security threat.

The best practices are also discussed each year at a dedicated workshop hosted by TNO. While it is interesting to see the figures and best practices in the benchmark report, there is also added value in physically discussing those differences and comparing best practices.

Work of this kind must be based on partnership. We thank TNO for producing the reports and the ETIS Member companies that took part for their commitment and openness. Our slogan has always been ‘Sharing knowledge is our strength’ and using it is yours. We would like to encourage you to use this report to learn where you stand and to motivate improvements in your own companies.

Yours sincerely,

Fred Werner
Communications & Programme Director, ETIS


Abbreviations

BIA Business Impact Assessment
CERT Computer Emergency Response Team
CFO Chief Financial Officer
CISO Chief Information Security Officer
CSF Corporate Security Function
CSO Chief Security Officer
DSS Data Security Standard
EFL Effective Fraud Loss
IEC International Electrotechnical Commission
ISMS Information Security Management System
ISO International Organization for Standardisation
KPI Key Performance Indicator
NG Next Generation
NOC Network Operations Center
PCI Payment Card Industry
PFL Prevented Fraud Loss
RTP Risk Treatment Plan
SIM Subscriber Identity Module
SOC Security Operations Center
SP Successful Practice
USP Unique Selling Point


1 Introduction

1.1 Background

ETIS, the Global IT Association for Telecommunications, is a membership-based organisation in which major European telecoms providers exchange views on delivering and using ICT effectively. Much of this information exchange takes place through working groups that gather several times per year for this purpose. Among these groups is the Information Security Working Group (henceforth referred to as the ETIS Security Group), in which telcos and vendors exchange knowledge and experiences concerning information security related matters.

In early 2009, the ETIS Security Group decided to set up a yearly security benchmark activity with the objective of comparing security strategies and approaches among ETIS member telcos, thus enabling these telcos to determine which specific aspects of security require attention within their respective organisations. Executing a security benchmark within the ETIS context has proven a successful formula, among other things because such a benchmark can be focused on telco-specific security issues. Between 2009 and 2012, a total of 16 European telcos took part in the benchmark endeavour. All benchmark activity is conducted and coordinated by TNO, an independent research and consulting organisation from The Netherlands and also an active participant in the ETIS Security Group.

A well-received element in the ETIS Security Benchmark is the concept of so-called successful practices. This refers to strategies, approaches or methods that have proven successful at specific benchmark participants and might be (partly) adopted by others. Whilst benchmark results are generally restricted to the participating companies, it was decided to share the successful practices identified between 2010 and 2012 with the entire ETIS community.

1.2 About this document

This document presents the 33 successful practices in telco security that were identified in the security benchmark effort between 2010 and 2012. In the following chapters, these practices are structured according to the security themes addressed in the benchmark:

1. Corporate Security Function

2. Security Management

3. Commercial role of security

4. Fraud Management

5. Security in the development process

6. Security monitoring and incident management

The numbering of practices in this document corresponds directly to the SPxx codes assigned in the benchmark reports of 2010-2012. Note that these codes follow the years in which the respective practices were identified and are thus non-linear across the various themes.


1.3 About TNO

The Netherlands Organisation for Applied Scientific Research (TNO) is one of Europe's leading independent research and consulting organisations. TNO was founded in 1932 by an act of the Dutch parliament to make scientific research and high-end knowledge accessible and applicable for businesses and government. TNO is a not-for-profit organisation which by law is required to operate independently and objectively. TNO has organised its expertise and competences in seven themes. Each theme is divided into a number of innovation and consulting areas, as illustrated in the following figure.

TNO provides research, development, engineering and consultancy services to government and industry, to assist in solving complex and challenging technical problems and establish technological innovation. TNO’s staff presently encompasses some 4400 employees and includes 50 university professors. TNO has a versatile customer base that includes local and national government bodies in The Netherlands (e.g. the Ministry of Defence and the Ministry of Economic Affairs), large corporates in industries such as finance, oil and gas and telecommunications and several European Union bodies.


2 Corporate Security Function

This chapter describes successful practices within the context of a Corporate Security Function (CSF), as observed at telcos participating in the ETIS Security Benchmark. Here, the term CSF is defined as follows:

Definition

The Corporate Security Function is defined as the total of people and duties residing under the direct responsibility of a CSO, CISO or equivalent.

Whilst the above definition turned out practicable in most cases, TNO encountered some telcos that had both a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO) and one telco where the position of C(I)SO was completely absent. In such instances, TNO and the telco concerned jointly assessed which security team in that telco’s organisation best qualified as a CSF.

SP01: Baseline Corporate Security Function setup

The various benchmarks have shown that there is no single optimum setup of a Corporate Security Function. Important factors to this end are size and (management) culture of the respective telco, which obviously vary greatly. Nonetheless, the following baseline characteristics will enhance the success of any CSF, irrespective of its specific context:

a. The highest security official (CSO/CISO) should reside directly beneath or at least have direct (functional) access to executive management to ensure sufficient span of control and visibility.

b. The CSF should not limit itself to development and maintenance of company wide security policies, but also provide active and visible support to business through tactical (e.g. risk assessment) and perhaps even operational (e.g. maintain security operations center) duties.

c. The CSF should preferably not be incorporated in an IT or other technical unit, but visibly have a broader focus to avoid the risk of being regarded as or even becoming a solely technical body.

d. The CSF should exploit the potential of bundling interrelated security areas by at least taking responsibility for information security, IT & network security and Business Continuity Management and closely aligning objectives, strategies and actions for these areas.

Note that item d should be addressed with due care, since senior management might see such bundling as an opportunity to reduce headcount. Some benchmark participants have had this experience.

In addition to the above, it is usually helpful to incorporate certain legal duties (e.g. lawful interception or data retention) within the CSF structure to enhance its visibility and strategic weight.

SP02: Strategic security board

Setting up a strategic security board as a business-driven platform for strategic security governance has been a very successful step at some of the participating operators. If implemented well, such a body ensures that strategic security choices are ultimately governed by senior business managers, thereby establishing intrinsic business involvement and commitment.

A strategic security board should preferably consist of senior management (e.g. business unit directors) and be chaired by a motivated board member. Its primary task should be to govern strategic security objectives, priorities and budgets based on input and proposals put forward by the highest security official (CSO/CISO).

A strategic security board will only function well if guided by a decent strategic security plan, for instance with a 2-3 year time span. Establishing such a plan and getting senior management’s attention for it (i.e. lobbying), should be a priority for any CSO with the ambition of getting such senior management actively involved.

SP14: Employ social media to enhance security involvement

Setting up social media on the internal intranet has been a successful step at one of the participants to enhance security involvement of employees throughout the organisation. Having officials such as the CSO actively interact with the organisation through a blog or perhaps an internal version of Twitter or Facebook offers the following opportunities:

• Employees throughout the organisation can be reached with a single action, thereby raising security awareness at a large scale with very limited effort

• Information posted by the CSO will often trigger interesting responses from employees in all layers of the organisation, including many that the CSF would usually not interact with directly. Such responses provide insight into current issues and sentiments with respect to security and will help the CSF to identify any actions required.

Note that some operators have a policy to block the use of social media on their corporate internet. However, this practice specifically pertains to a local implementation of such social media on the native intranet, which is available to the operator’s employees only. Moreover, to avoid undesired use of such media, it is advisable to ensure that the identity of employees posting information or participating in discussions is always revealed (i.e. no anonymous use).

SP15: Monitor relevant security discussions on external social media

Social media on the public internet are often host to interesting discussions on a company and/or its products and services. As shown by one of the benchmark participants, it can be worthwhile to monitor such discussions specifically from a security perspective to discover current issues, sentiments and even vulnerabilities the company needs to act upon.

Social media monitoring can be bought as a service from specialised companies, who will scan the Internet in search of predefined keywords that relate to security and periodically report their findings. Use of such services has already been popular among marketing and PR departments (to name a few) for some time.

SP22: Establish measurable targets in which security is a dominant factor

Whilst factors such as employee satisfaction and budget discipline are by all means relevant, CSF performance should ultimately be appraised on the basis of actual security targets. Moreover, various benchmark participants have observed that senior management is most receptive to quantitative information. Targets should hence be measurable in nature.

Based on the experiences of some benchmark participants, management involvement will increase substantially if they acknowledge the security objectives and are provided with frequent (weekly/ monthly) status updates. In turn, such management involvement is crucial for receiving adequate support and resourcing.


3 Security management

This chapter describes successful practices with respect to security management, as observed at the benchmark participants. Here, security management is defined as follows:

Definition

Security management is the process of operating, monitoring, reviewing, maintaining and improving security within a certain context and scope.

In the ETIS benchmark, several factors of security management systems in telco organisations have been considered:

• scope of the security management system

• extent to which security management processes are defined and documented

• extent to which security responsibilities have been clearly laid down

• approaches to governing compliance with security policies.

Successful practices observed mostly relate to the first and the last bullet.

SP03: Security management based on combined methods

It is apparent from several benchmark results that a combination of a risk-based and a best-practice-based approach to security management is usually most effective. The best-practice approach is cost efficient and easy to check for compliance, hence it is suitable for ‘normal’ daily operations. At the same time, it leaves little room for the business to accept possible risks in order to increase profitability. The risk-based approach usually requires more effort and should thus be applied in particular to special cases (new areas) or high-impact situations. The risk-based approach offers the business the flexibility to strike a better balance between risks and the costs of reducing them.

Special attention should be given to the choice of where to apply the best-practice approach and where to use the risk-based approach. To begin with, this could be done by expert opinion or based on experience. More formal methods could include a Business Impact Assessment (BIA) or a split into a ‘high-level’ risk assessment on business processes and a more detailed risk assessment at the technical level, the latter based on the risks found in the high-level risk assessment.

SP04: Use of security Key Performance Indicators

Use of Key Performance Indicators (KPIs) for security allows better reporting and offers more insight into the status of security and compliance, both internally and to the outside world (such as regulators and customers). The use of KPIs also improves the possibilities to control the state of compliance and to formulate and monitor improvement actions.


KPIs should be defined in such a way that they support the implementation of the security policy. KPIs must integrate logically into operations, without placing too high a load on the organisation. Another important aspect is that KPIs must be formulated in such a way that they are of interest to the business. KPIs that are formulated too technically will have no effect on the business and therefore will not help to raise the priority of compliance with the security policy.

SP05: Business drivers for security policy compliance

To make sure that business departments are also willing to comply, compliance should be made interesting to them. This can be done in two ways. The first is to make sure that they realise that customers ask for security; the second is to make sure that implementation and use of the security policy is as efficient and easy as possible.

Business departments are looking for ways to satisfy their customers and, as a result, increase their turnover and profit. A good business driver for compliance with the security policy is therefore demand from customers. It is apparent that if customer requirements show a demand for security, the interest of the business in complying with the security policy will grow. Two operators had a good experience in this area, performing a survey among their customers. The result of the survey indicated that a majority of their customers see security as an important factor in the decision of where to buy their services. These particular operators experienced a boost in business interest in security.

The other aspect is simplification of the process of reporting. An example is successful integration with other compliance processes, which will simplify compliance for the business and operational units (avoiding multiple reports with the same content) and therefore improve the willingness to comply. Another example is the introduction of tools that will help to collect evidence for compliance.

SP16: Web based security training for employees of suppliers

Awareness activity is usually limited to the internal scope of a company. One successful practice we have seen in the benchmarks is the introduction of a web-based training programme for employees of suppliers. This was developed specifically, on top of addressing security aspects in contracts with suppliers, to raise awareness among the employees of suppliers. This far-reaching method of trying to achieve awareness is a good example of looking beyond the boundaries of a company, which is worth considering, taking into account the many outsourcing deals going on at telecommunication companies.

The content of the training should be targeted at specific topics of the security policy of the operator; generic security knowledge should be considered the responsibility of the supplier itself, which can be recorded in the contracts. Also, some proof should be available (e.g. lists of employees that have completed the training) to show that the training is effective.

This successful practice, combined with the proper contractual agreements, can be an effective approach to ensure that only security (policy) aware personnel access an operator’s systems or buildings.

SP17: Position audits as an instrument of improvement, not punishment

Audits, both internal and external in nature, have a tendency to focus rather strongly on the weak points of the auditee and to magnify shortcomings. In addition, audit reports are all too often used to sanction an auditee. A successful practice we have seen in the benchmarks is conducting internal audits (also called reviews) that take a different approach: not only identifying and reporting shortcomings, but focusing on cooperation with the auditee and jointly establishing a balanced picture of the situation that also reflects strong points.

If a culture is created in which audits are seen as a means of improvement rather than sanctioning, this will result in more openness, more cooperative auditees and more effective improvement.

SP23: Embrace outsourcing security as an explicit security objective

For some time now, most operators tend to outsource more and more activities, including traditional telco core activities such as managing telecommunication networks. Many participating CSFs recognize this trend, which obviously introduces security risks with regulatory and customer impact. Based on the benchmark findings, it is apparent that a shift in approach is needed, from an internal security perspective towards security governance of external relationships.

Activities required to stay in control include specific policy making, security support in contract negotiations and structural attention to governance & compliance during the operational contract period. One particular approach seen in the benchmarks is the establishment of a risk management & security board in which the operator and a major outsourcing partner jointly reside. Security issues can be discussed on a regular basis and output of this meeting can be one of the inputs for the CSF report.

Another issue with outsourcing concerns the possible disappearance of available security competences. While the number of outsourced activities increases, keeping security competence at the operator at an acceptable level might be a problem. In outsourcing deals, usually (security) knowledge flows from the operator to the outsourcing partner. It is essential to retain sufficient security competences to understand and challenge the information behind the reports that are delivered by outsourcing partners.

SP24: Employ ISMS support tooling

Maintaining a security management system is a complex and time consuming task. The use of supporting tooling specifically targeted at security management and supporting the ISMS is seen to be a good approach to relieve security staff.

As experienced by some of the participating operators, use of tooling in maintaining the ISMS can be very helpful and efficient. Other operators recognize the potential in this area. Benefits include automation of processes, continuous compliance, a single means to comply with multiple regulations (e.g. ISO/IEC 27001, PCI DSS, Sarbanes-Oxley, Basel II) and built-in compliance checklists.

Tools that are employed by operators include risk management tooling combined with information asset management tooling and a specific compliance and risk management solution called SecureAware. Attention should be given to the burden that these tools place upon the telco’s staff. Use of tooling should help them achieve goals, not introduce administrative (often seen as unnecessary) overhead.

SP25: Complement security awareness with security empowerment

Telcos generally recognize the importance of user awareness. Security awareness activities, however, usually focus on achieving a learning effect among employees. But raising awareness can only be effective when employees feel that they are supported in their security activities. Being aware is one thing; being supported is one step further. One of the operators therefore employs what can be called ‘security empowerment’. This is a more active approach, complementing awareness actions. With security empowerment, employees are really supported in making the right security decisions and applying the right security measures. Examples of security empowerment are:

• Supplying employees with tools and tangible guidance that enable them to perform security duties effectively

• Offering the right means to make security practicable for non-specialists

Many operators share the experience that offering practical means to their staff has a strong motivational effect.


4 Commercial role of security

Security is often seen as a burden and a source of cost, but can also be embraced as a Unique Selling Point (USP) by which an operator distinguishes itself in the market. Moreover, selling specific security services might directly increase an operator’s revenues. Over the years, the ETIS Security Benchmark has explored how telcos address security from a commercial point of view. This chapter describes successful practices encountered in this area.

SP06: Business involvement and security portfolio

The benchmarks have shown that business involvement in the strategic security approach of the operator is crucial. Without business involvement, the driver for offering high quality security in the services portfolio is very weak. Essential to developing business involvement is making the business aware that security is no longer an internal quality parameter, but a stringent business requirement.

Marketing and sales people should know the highlights of the security strategy of the operator. It should be good practice that marketing and sales people, when visiting large customers, are regularly accompanied by security consultants that can explain the operator’s vision and strategy with respect to security. These consultants can be situated in the commercial departments, but there must be a tight connection to the CSF (see also SP26).

Besides positioning security consultancy as an added value to marketing and sales, security consulting can also be offered as a separate security service. Also in marketing campaigns, security should be addressed prominently. It does not matter whether the strategy of an operator is to offer security services or offer secure services. In both cases, the message should be that the operator knows his business, also in the security area.

There is general consensus that the commercial role of security will grow. Opinions differ on whether this will be in the area of “secure services” or in the area of dedicated security services. In any case, the number and type of specific security services in the portfolio should be considered carefully.

SP07: Certification and third party audits

The benchmarks have shown that the number of customers requesting audits will grow; this development is also triggered by more regulatory pressure on customers of the operator. Audits generally take considerable effort on the operator side. Some operators have successfully countered this development by certification and by third-party audits. If a service or department is certified, a customer has proof, provided by an independent party, that the operator complies with a certain standard, such as ISO/IEC 27001. An alternative, equally successful approach for an operator is to have an independent third-party auditor perform an audit. This report can then be given or sold to customers that require an independent check. The advantage is that the audit process can be managed by the operator itself and the operator will not be flooded with auditors sent by their customers.


SP18: Sell your customers “assurance” instead of “security”

Traditionally, commercial communication to customers involves mainly information on threats, measures and security. This usually does not appeal to what a customer really wants: the customer wants to be reassured. Therefore it can be better to communicate to customers with words like ‘assurance’. A customer does not want good security, but a customer wants assurance that everything is in good hands and taken care of. Of course, ‘assurance’ implies something more than good security alone. It also implies good communication, providing proof and reports and communicating in the language that the customer speaks. Realising this will require quite a change in communication and appointments with customers and suppliers.

SP26: Offer CSF support to commercial staff

Customers are paying increasing attention to security and security services. But selling security is complex, due to its often technical nature and the absence of immediate quantitative customer benefits. It is hard to properly address benefits and justify potential extra costs for customers. Therefore, sales staff should be supported in selling security.

Security expertise, security competence and specific knowledge concerning telecom security issues are usually available within the CSF. CSF staff are able to bridge the gap between the security world and the business world. CSF staff can support sales with internal consultancy, educate sales staff and accompany sales teams on customer visits. This support function can be expanded to a commercial security consultancy service, but such consultancy is best restricted to existing customers who also purchase other services of the operator and should be related to the operator’s own portfolio. This is the (niche) area where the operator (understanding its customer and having knowledge of telecom services) can commercially distinguish itself from general security consulting companies. Some of the operators have very good experience with this model of ‘consultative selling’.


5 Fraud management

Effectively tackling financial losses and other damage that may result from telecommunications fraud has been an important issue for telecoms providers since the market liberalised in the early 1990s. Here, telecommunications fraud is defined as follows:

Definition

Telecommunications fraud is the abuse of telecoms infrastructure and/or services with the intention of obtaining financial gain at the expense of telecoms providers and/or their customers.

This chapter describes successful practices within the context of telecoms fraud management, as observed at telcos participating in the ETIS Security Benchmark.

SP08: Fully specialised fraud management team

Setting up a specialised fraud management team has been successful at many of the participating operators. Such a specialised team will provide more accurate insight into fraud losses and generally constitutes a more future-proof situation.

A fraud management team will only function well if it maintains active working relationships with bad debt and revenue assurance teams. Additionally, it should be self-sufficient in terms of manpower, expertise and tooling.

SP09: Fraud risk assessment for new products and services

Assessing fraud risk in new products/services requires specialist fraud expertise. Leaving such assessments up to regular project teams might cause fraud risks to be overlooked or underestimated. Direct involvement of the fraud team ensures accurate assessment of risks and equally adequate follow-up.

For assessing fraud risks for new products/services a structured methodology should be adopted. Such a methodology should encompass at least checking the attractiveness to fraudsters, customer acceptance procedures, billing mechanisms, partner settlement procedures, technical issues and monitoring capabilities.

SP19: Fraud risk assessment questionnaire for development projects

As described in SP09 (see above), fraud risk assessments should preferably be conducted by specialists from the fraud team. However, whilst these experts have the skills and expertise to perform such an assessment, resources in the fraud team are often too limited to be involved in every single development project initiated within the operator’s organisation.

Experience at one operator shows the possibility of developing a fraud “pre-screening” questionnaire, consisting of questions that can be filled in by the project team. Such questionnaires can be evaluated by the fraud team to filter out the most severe cases and focus their effort on these specific projects.

Note that this practice might combine well with SP11, as described in the following chapter.
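As an added illustration (not from the ETIS report or any participating operator) of how such a pre-screening questionnaire could be scored along the SP09 dimensions and turned into an SP11-style project rating that decides how much fraud-team effort a project receives. The answer scale, weights, thresholds, escalation rule and sample projects are constructed assumptions.

```python
"""Fraud pre-screening triage (SP09/SP19/SP11). Weights, answer scale, thresholds
and the escalation rule are constructed assumptions, not taken from the ETIS report."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SP09 assessment dimensions; the weights are assumptions for this example.
WEIGHTS: Dict[str, int] = {
    "attractiveness": 3,  # how attractive the new service is to fraudsters
    "acceptance": 2,      # weakness of customer acceptance procedures
    "billing": 2,         # exposure in the billing mechanism
    "settlement": 2,      # exposure in partner settlement procedures
    "technical": 1,       # technical issues (new platform, open interfaces)
    "monitoring": 2,      # lack of monitoring capability for the new service
}
MAX_ANSWER = 3                                   # project team answers 0 (no concern) .. 3
MAX_SCORE = MAX_ANSWER * sum(WEIGHTS.values())   # 36
FULL_THRESHOLD = 22                              # ~60 % of MAX_SCORE: full fraud assessment
REVIEW_THRESHOLD = 11                            # ~30 % of MAX_SCORE: fraud-team review
RATING_ORDER = {"baseline": 0, "review": 1, "full assessment": 2}


@dataclass(frozen=True)
class Questionnaire:
    project: str
    answers: Dict[str, int]   # dimension -> 0..MAX_ANSWER, filled in by the project team


def validate(q: Questionnaire) -> None:
    """Reject incomplete or out-of-range questionnaires instead of scoring them low."""
    missing = set(WEIGHTS) - set(q.answers)
    if missing:
        raise ValueError(f"{q.project}: unanswered dimensions {sorted(missing)}")
    for dim, answer in q.answers.items():
        if dim not in WEIGHTS or not 0 <= answer <= MAX_ANSWER:
            raise ValueError(f"{q.project}: invalid answer {answer!r} for {dim!r}")


def score(q: Questionnaire) -> int:
    """Weighted sum of the answers, 0..MAX_SCORE."""
    validate(q)
    return sum(WEIGHTS[dim] * q.answers[dim] for dim in WEIGHTS)


def rate(q: Questionnaire) -> str:
    """SP11-style rating that determines the fraud-team involvement."""
    s, a = score(q), q.answers
    # Escalation rule (assumption): an attractive service that cannot be monitored
    # is escalated regardless of its total score, since fraud on it would only
    # become visible through the resulting losses.
    if a["attractiveness"] >= 2 and a["monitoring"] == MAX_ANSWER:
        return "full assessment"
    if s >= FULL_THRESHOLD:
        return "full assessment"
    return "review" if s >= REVIEW_THRESHOLD else "baseline"


def triage(qs: List[Questionnaire], capacity: int) -> List[Tuple[str, str, int]]:
    """Rank questionnaires most severe first and return those the fraud team can
    take on; the rest follow the standard baseline handled by the project team."""
    ranked = sorted(qs, key=lambda q: (RATING_ORDER[rate(q)], score(q)), reverse=True)
    return [(q.project, rate(q), score(q)) for q in ranked[:capacity]]


def make(project: str, *answers: int) -> Questionnaire:
    """Helper: answers given in WEIGHTS order (attractiveness .. monitoring)."""
    return Questionnaire(project, dict(zip(WEIGHTS, answers)))


# Constructed sample projects (not real projects or answers).
SAMPLE = [
    make("Premium SMS voting", 3, 2, 3, 3, 1, 1),   # score 28: full assessment
    make("Internal IT refresh", 0, 0, 0, 0, 1, 0),  # score 1: baseline
    make("Roaming data bundle", 2, 1, 1, 1, 1, 3),  # score 19, escalated (no monitoring)
    make("Web self-care portal", 1, 2, 1, 0, 2, 1), # score 13: review
]
```

With a capacity of two, `triage(SAMPLE, 2)` hands the premium SMS and roaming projects to the fraud team; the portal gets a lighter review and the IT refresh stays on the baseline.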

SP27: Seek fraud dialogue with broad set of stakeholders

It is quite common for fraud teams to maintain active working relationships with bad debt and revenue assurance units in their companies, since the subject matter addressed by these teams shows great overlap. However, effective fraud operations also require interworking with various other units. Examples include billing, invoice management and the company’s legal department. Active dialogue across all relevant stakeholders will enhance overall fraud awareness and enable fine-tuning of working procedures with relevant entities.

Fraud teams are recommended to look beyond the traditional partnerships with bad debt and revenue assurance teams and also put effort into relationships with other stakeholders in their companies. One possible approach is to organise a periodic get-together with a broad selection of stakeholders to jointly evaluate some of the major fraud cases that have taken place.

SP28: Base fraud reporting on structured KPIs and target broad audience

Whilst many telcos limit fraud reporting to their CFO and possibly the full board, such reports are also significant for various other entities within the telco organisation. Business owners form an evident target audience, but one might also consider billing and legal departments or even commercial outlets. A structured set of fraud KPIs seems the most suitable basis for an effective fraud operations report. Examples of viable KPIs include:

- Effective Fraud Loss (EFL)

- Prevented Fraud Loss (PFL)

- Revenue recovered

- number of cases handled in reporting period

Telcos generally indicate that their (senior) management is most receptive to quantitative information and fraud seems a particularly suitable area to address this information desire.


6 Security in the development process

As history has proven, new products, systems and services are often accompanied by unforeseen vulnerabilities and are therefore at the source of many security incidents. The ETIS Security Benchmark has explored how operators address the security risks associated with such new products and services in their development processes. This chapter describes successful practices observed in this area.

SP10: Integral embedding of security in development

Telcos that participated in the benchmark generally agree that security should be addressed integrally throughout the process of developing a product or service. This means that:

a. Each stage of the formal development process at a telco should include security activity

b. Each decision tollgate in the formal development process should include specific security deliverables suitable to the preceding stage

The net result should be a process where security requirements are defined in the earliest project stages and the remainder of the project incorporates a consistent level of attention towards ensuring that these requirements are met. This means that security should still be a topic of interest once the project reaches such phases as testing, piloting and handover to operational units.

Experiences indicate that a process for managing security in development will only work well if the governing authority (in most cases the CSF) actually has the possibility of stopping a project if security is somehow not addressed appropriately. This should include a strong vote at the launch gate. Here, please bear in mind that this possibility of stopping projects should of course only be exerted in extreme cases to avoid a situation where the CSF is seen as a hindrance to business.

SP11: Project rating determines security approach

An approach seen at several operators is to assign a security rating to a project in its early stages. This rating subsequently determines the (detail of the) security approach for the remainder of the project. One might for instance distinguish projects that require a thorough risk assessment from those that can follow a standard security baseline based on the risk profile of the product or service under development.

Differentiating security approaches among projects on the basis of a security/risk rating is found to be an effective provision for balancing the effect of risk management activity with the effort required to this end.


SP12: Next generation security architecture that transcends technology

When developing NG¹ (Next Generation) infrastructure and services, it is wise to address the specific nature of NG security through a specific NG security architecture. Here, the following practices are instrumental for achieving adequate results:

a. The NG security architecture should not be limited to technological issues, but also reflect the impact of NG on such issues as governance, policies and processes.

b. Explicitly distinguish security provisions at the level of networks and services, respectively, to account for the new setup in which a single network will provision a variety of services.

c. Rather than mandating specific security measures, the NG security architecture should predominantly consist of design principles and common security provisions. The latter refers to shared security provisions that accommodate many services, for instance a central identity and access management module.

For any NG security architecture to function well, it should be set up as a joint effort of various competences within the operator organisation. This includes IT, infrastructure and commercial departments.

SP20: Maintain Risk Treatment Plan (RTP) during development

Maintaining a so-called Risk Treatment Plan (RTP) in development projects is a promising concept that could be successful at many operators. Such a Risk Treatment Plan should at least document the following:

• An overview of primary (top 5 or top 10) risks with respect to the product or service under development

• The risk treatment strategy (accept, mitigate, avoid, …) selected for each of the acknowledged risks

• A summary of security measures embraced and the corresponding security investment (financial, man hours, time) required in the project

• An indication of risk severity both before and after risk treatment, both in qualitative (type of damage) as well as quantitative (financial) terms

Projects should ideally be required to produce a first version of the RTP early on in the project and establish updates at each subsequent project tollgate. Through this approach, the RTP is enhanced and refined as the innovation is elaborated in more detail.

Apart from guiding the general process of security risk management, the RTP could also facilitate decision making and business involvement. To achieve this, business owners of the product under development should be required to sign off each version of the RTP, thus declaring that they agree with the risk treatment decisions and security investments specified.

¹ Within this context, NG refers to the packet-based successor of traditional telecommunications where internet technology is predominant and typical service portfolios include multiplay (voice, TV, internet) and 3G data services.


SP29: Maintain tangible security design guidelines

Operators could greatly benefit from developing and mandating security design guidelines that define a standard (minimum) security configuration for systems and networks. Such guidelines could serve as a reference for development staff and for instance address system hardening, network segmentation, web application development, access control and authentication protocols.

Within operator organisations, specific IT departments will often develop design guidelines for their own local context that could also be of value for other IT units. CSF teams could facilitate this by compiling available guidelines, generalising them where necessary and subsequently incorporating them in their policy and guidance structures. This approach is often effective, since IT departments have more in-depth knowledge of the actual technologies whilst the CSF has a broader view on the areas of application.

SP30: Conduct hacking contests among developers

An interesting approach towards achieving security awareness is to organise hacking contests among development staff. Apart from raising awareness, contests such as these also reveal which developers are interested in and have a certain talent for security matters.

As an example, development staff might be offered a web portal that incorporates several vulnerabilities and be challenged to identify the gaps.

SP31: Maintain library of standardised security requirements

Establishing and maintaining a library of (standardised) security requirements that can be mapped onto specific projects has worked out well at several operators. The selection of such generic security requirements can be complemented with specific requirements to address the needs of individual projects. Expert opinion appraisal or a risk assessment could form the basis for this.


7 Security monitoring and incident management

This chapter presents successful practices observed at the benchmark participants in the areas of security monitoring and incident management. Factors addressed in the benchmark under this denominator include:

• Nature and setup of incident management provisions in the operator’s organisation, where “security incident” is defined as any accidental or intentional breach of (information) security in information systems, services and networks and “incident management” refers to the process of analysing, correcting and reporting such security incidents

• Duties, approaches and methodologies of the Computer Emergency Response Team (CERT) and Security Operations Center (SOC) to the extent that these are present in the organisations of participating telcos.

Where present, CERT teams and SOC units usually play an important role with respect to security monitoring and incident management. Thus the benchmark addressed such provisions through specific questions.

SP13: SOC for both internal and commercial purposes

The transition to full-IP infrastructures has made telcos susceptible to online attacks. What’s more, such attacks are continuously becoming more complex and larger in scale, thus increasingly requiring specialised expertise to manage them. Many benchmark participants have had good experiences with setting up a so-called Security Operations Center (SOC), defined as a dedicated, centralised function for continuously monitoring and managing attacks on telco infrastructure. Here, the following is of importance:

a. Benchmark participants generally agree that centralisation is a key success factor for security monitoring, if only because it enforces bundling of the (scarce) expertise an operator has available to this end.

b. Competences already available in CERT teams will usually offer a good starting point to establish the requirements for a SOC. Once in operation, SOC and CERT staff should maintain a close working relationship (possibly by integrating both into one unit).

c. It is usually attractive to widen the objectives of a SOC beyond internal hygiene and also exploit it as a commercial service. However, care should be taken when approaching customers with this possibility, since they might be unpleasantly surprised when made aware of possible security events on their network.

When considering commercial exploitation of a SOC, its primary purpose of protecting an operator’s service infrastructure should not fade into the background. A possible approach to this end is to establish separate SOC units for internal and external purposes, respectively. Whilst this may not directly seem the most efficient approach, we have observed several operators employing it to great satisfaction.


SP21: Reuse 24/7 capability of NOC for first line monitoring in SOC

Most operators already have a Network Operations Center (NOC) in place that monitors the (continuity of the) telco infrastructure on a 24/7 basis. This capability might to some extent be reused in the SOC, thereby establishing initial 24/7 operations at no or limited investment in additional personnel.

NOC personnel might be trained to provide at least first line monitoring and support during night hours. Getting this level of service up on a 24/7 basis will already greatly enhance the effectiveness and value of the SOC. To enhance the capabilities of the SOC even further, one might consider the concept of an on-call security specialist who is on standby in case severe incidents arise.

SP32: Provide crisis team members with 3rd party SIM in address card

It is already good practice for members of crisis teams to have a SIM card of a third party operator on them. With such a SIM card in their possession, they can keep communicating, even if a large disturbance hits their own mobile network. One benchmark participant integrated this SIM with an address card containing contact information for the other team members and a crisis management process description. This can be considered as a small and handy “crisis management team member toolkit”. The operator that developed this concept has had good experiences with this solution.

SP33: Establish active cooperation with other SOCs

Some telcos have had good cooperation experiences among their internally oriented and commercial SOCs. Such cooperation allows for exchange of knowledge, tooling, configurations and even people.

Some participants indicate they would also like to explore cooperation with SOCs in other industries (e.g. banking SOCs). Such cooperation across industries might give interesting (fresh) perspectives on threats, priorities and SOC operations in general.