you're reading...
Information Security, Information Security Governance, Information Technology, Mobile Technology, Teleccommunication

Information Security Governance – Telecommunication Industry

Last year, i’ve been thinking of writting this, but not much forum that discussed about regulations requirements for security governance for Telecommunication industry.

Telecommunication (Telecom) Industry in the Philippines and rest of the world has gone through dramatic transformation and significant expansion. In the advent of smartphones and tablets, industry has committed to remain on the fast growth path exploring new opportunities. The data services have become the main driver for the industry with limitless opportunities with increasing demand of internet connection and broadband (3G/4G) adaption. With demand of social networking, and other data services Telecom industry has evolved significantly over the past ten years and during this period there has been an increased requirement to have robust information security governance.


Figure 1- Wireless growth qorldwide




Telecommunication networks are today an inseparable part of social interaction and critical worldwide infrastructure. Protecting these networks from malicious attacks, that could lead to unavailability or loss of integrity and confidentiality of network services, applications, and critical business systems are thus an important aspect that cannot be ignored. An effective and robust security programme should be implemented to protect telecommunication networks from such attacks.

Traditionally, the old Public Switched Telephone Network (PSTN) has been the dominant type of public Telecommunications (telecom) network worldwide, and consists of telephone lines, fibre optic cables, microwave transmission links, communication satellites and undersea telephone cables.

The advent of cellular technologies led to the interconnection of the mobile phone (cellular) networks with PSTN. The PSTN was based on circuit-switched technology, which had been primarily developed for voice traffic. Technologies developed for data transmission like PSDN, ISDN, Dial-up, DSL and others also leverage the existing PSTN infrastructure. Due to the growing demand for data and video services and the limitations of the circuit-switched technology, telecom operators worldwide find it economically prohibitive to expand their circuit-switched networks to such meet demand. This has led to a gradual move towards the adoption of packet-based switching technology.

The birth of GSM (2G, 3G and 4G) mobile phone systems like GPRS, EDGE and HSPA that are designed for data transmissions are also based on packet-based switching technology. The term, Next Generation Network (NGN), is generally used to refer to these packet-based networks that transport all information and services – data, voice and media like videos. NGNs are most commonly based on the Internet Protocol (IP). NGN is expected to reshape the current structure of the telecom system and access to the Internet.

Network Components

Today’s telecom networks are a combination of several technologies – PSTN, 2G, 3G – that have evolved over a period of time. Generally speaking, the current telecom network comprises the following parts:

  • Access Network – This is the part of the network that connects the telecommunication equipment – fixed or mobile – to the core network for provision of services. This includes the local loop (telephone cables/fiber optic) of the fixed networks and the radio links in a mobile network, the radio towers, base stations and controllers.
  • Core Network – This consists of the network elements responsible for service delivery and setting up of the end-to-end connection and handovers, and may be classified into circuit-switched and packet-switched domains. The core network includes components such as switches, the Mobile Switching Centre (MSC), the Host Location Register (HLR), the Visitor Location Register, and the Authentication Centre.
  • Application and Management Network – This consists of end-user application servers, and systems and services that support the operation, administration and maintenance functions of the network.
  • Internal Network – This is the telecom operator’s internal network. This includes systems used by the operator’s employees.
  • External Network – This is the externally visible network, typically deployed in the De-Militarized Zone (DMZ). This includes the Web servers, application servers and mail servers that are hosted by the telecom operator.



Security Challenges

The structure and functioning of circuit-switched PSTN networks, traditionally controlled by the telecom operators, ensured fewer possibilities for misuse of the network, as compared to a packet-switched network based on an open protocol like the Internet Protocol (IP). However, the PSTN networks are increasingly being controlled and are dependent on software and on the operations networks. As a result, users now have greater access to functions that were previously restricted to telecom employees. This exposes the network to intruders and increases the potential for attacks caused by virus, worms and malicious software. GSM, which is a widely used mobile phone system, implements several security mechanisms designed to protect confidentiality over radio interfaces, subscriber authentication, subscriber anonymity to external parties, and prevent the use of stolen terminals . However, a speech call made between two GSM operator networks or between a GSM phone and a fixed phone traverses the fixed network, and is subject to the same security considerations in speech and signaling as for a fixed network. CDMA mobile networks are also exposed to the same threats and attack vectors as a GSM network.

Packet-based switching technology used in Next Generation Networks is usually implemented through the use of the Internet Protocol (IP) suite. The IP was based on open standards and not originally designed for security implementations. The weaknesses in the IP have been exploited since long, and add to the risks of adopting an IP-based network.

Both the traditional circuit-switched networks and the packet-based next generation networks are exposed to different threats and attacks – both from external and internal sources – that target the various parts of the telecom network. These attacks may be targeted at any part of the telecom network, including the radio path of the access network. Attacks on one telecom operator’s network could also spread to multiple networks over the interconnection interfaces.

Challenges in meeting security requirements

Vast spread of telecom network – Telecom network comprising of equipments from various vendors and spread across the country  they operate. As customers demands for more services, telecom equipments ever expanding network. Most often than not lack of clear visibility on equipments deployed and thus there security implications.

Business Driver — In ever changing technology and business architecture, as newer business requirements and new services technology often change to meet the customers demand thus increased the network architecture complexity.

Third-Party Management – Different services providers across zones, network equipments deployed by vendors mostly proprietary in nature. Unaware of all vulnerabilities due to uniqueness of these equipments.

High Cost of Implementation – Cost associated with security audit of all network equipments and cost for assessments across networks due to non-standardization across equipments. Cost of maintaining records of all calls & data for 12 months.

Operation sustenance of Security landscape – need for specialized skills and experience for critical activities.

Some of the threats to the telecom networks are listed in Table 1.


Threat Can result in
Unauthorized physical access to switching infrastructure, underground and local loop cable infrastructure and other critical telecom network equipment, for example, AuC, HLR and VLR Tampering, destruction or theft of information and equipment, illegal tapping and interception of the network traffic 
Interception of voice traffic or signaling system in PSTN networks due to absence of encryption for speech channels and inadequate authentication, integrity and confidentiality for the messages transmitted over the signaling system (which is based on the ITU-T SS7 specification)  Unauthorized access to telecom network traffic 
Use of modified mobile stations to exploit weaknesses in the authentication of messages received over the radio interface Spoofing of user de-registration and location update requests, leading to unreliable service/disruption
Use of modified base stations to entice users to attach to it Denial of service, interception of traffic 
Misuse of the lawful interception mechanism Illegal tapping/interception of telecom network traffic
Compromise of the AuC or SIM used for storing the shared secret for the challenge-response mechanism Identity theft (intruders masquerading as legitimate users)
Deployment of malicious applications on devices with always-on capabilities like smart phones and tablets Use of these compromised devices target the operator’s network (for example, by setting up botnets to carry out DDoS attacks)
Intrusions into the operations networks Unauthorized changes to the users’ service profiles, billing and routing systems, resulting in toll fraud and unreliable service
Compromises of network databases containing customer information Unauthorized access to personal and confidential data
Masquerading as authorized users, by gaining access to their credentials by means of malware, hacking tools, social engineering tools or other means Gain unauthorized access or greater privileges to the network systems, which can then be used to launch other attacks
Traffic analysis – observing the calling and called numbers, and the frequency and length of the calls Inference of activities that can be used against the Telecom or customers
Social engineering attacks on operator employees Unauthorized access to confidential information

Consequences for operators who fail to adequately protect their networks include:

  • Financial loss
  • Loss of reputation for the operators in the industry
  • Loss of customer confidence
  • Legal action and fines from regulatory bodies for failure to provide secure services

Apart from these, the weaknesses in the telecom networks may also be exploited by criminal elements and terrorist organizations for their own benefit by intercepting communications, causing denial of service during terror strikes and also using it as a platform to launch attacks.


Needs of Information Security Governance

The imports of telecom equipment from other countries that are antagonistic to a state’s strategic interests may lead to supply chain contamination by means of embedded logic bombs and malware. The dependence on telecommunication networks and the critical role that they play in the economic growth of a country has led to government regulations (if any) in the telecom industry, which include requirements for ensuring the security of the telecom equipment, networks and customer information.

The interconnection of the PSTN networks of fixed and mobile phone systems and the next generation network has increased the attack surface of the telecom networks. The wide range of end-user devices that can now connect to the telecom networks has added to the complexity of the networks, thereby increasing the risks and vulnerabilities as well.

As noted, the consequences of not implementing adequate security measures to deal with these could be heavy and desastrous to business.

Several international standard development organizations like ITU, ISO/IEC, 3GPP, 3GPP2 and ETSI have prescribed standards that are applicable to telecom networks. Also, many countries have legislations and regulations that the telecom operators must comply with, which may require the adoption of specific security standards.

Telecom operators should adopt a robust, managed security programme to ensure that their networks are protected against malicious attacks, both external and internal, while also ensuring compliance to the local regulatory environment. This requires a holistic approach to implementing security measures, based on globally accepted security standards and best practices.

A multi-pronged approach to security should be adopted by telecom operators to address the current and future security challenges. Industry-recognized standards, best practices and technologies must be adopted to build a robust security programme. In addition, all applicable legal and regulatory requirements should also be considered.



Adopting Information Security Framework

Organizations develop and implement security policies and procedures to address the security requirements for their environment. However, to be effective, these policies and procedures should be tightly coupled, and supported by industry-accepted guidelines, standards and best practices. There also should be a risk-based approach while developing these policies to ensure that the security measures are adequate to the address the perceived business risks.

Several IT Frameworks available today, like COSO, COBIT, ITIL, ISO27001 and others, can be adopted to formulate a security programme. The ISO 27001:2005 standard is one of the most widely accepted security standards across industries. This provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). For the telecom industry, this is further supported by ISO 27011:2008, which provides guidelines on information security management for telecommunication networks (jointly developed along with ITU-T).

The ISO 27001 standard is based on the Plan-Do-Check-Act (PDCA) model, which is applied to all ISMS processes. This PDCA model ensures that there is a continued focus on the security programme, and that it is not a one-time activity.


What is information security governance?

“Information Security governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibility, and monitors the success or failure of the enterprise security programme.”

                                                                                                – IT Governance Institute


Why do we need information security governance?

According to Wikipedia, “Governance” relates to decisions that define expectations, grant power, or verify performance. It consists either of a separate process or of a specific part of management or leadership processes. Sometimes people set up a government to administer these processes and systems.

If you have real world experience implementing security governance practices in an organization, the thought might have come to you; “There has to be an easier way? Why is this so hard?” So in the interests of some chuckles for the experienced, and enlightenment for those new to governance, here are some common “bright ideas” and their real world implementation.


Security policy and compliance

Developing security policy, standards, guidelines  and procedures is easy, indeed, just identify the compliance requirements (if any) and align them to the business operations in the form of mission statements. Now try getting it endorsed! You will have to wrangle grammar via committees or focus groups— and beware of “watering down” the mission and vision statement so far they become useless—and then manage expectations of performing in-depth analysis on the cost/impact of implementing the standards.

Once that battle has been fought comes implementation. How do you assign the statements to stakeholders in order to implement them throughout the organization? Only once you have informed all the stakeholders sufficiently of their obligations (e.g. due care and due diligence), and they have implemented appropriate controls. If you start by doing a wide ranging gap analysis before implementation, you may just put everyone offside from the beginning. You need to post a speed limit before you get out the radar gun!


Identify all of the information assets, the associated risks, values, and effective security controls!

The risk-based rather than compliance-based approach! Maybe you can find a list of all the servers and network devices in your organization? But I challenge you to find an accurate database of which applications are hosted on that infrastructure. It always is claimed to be in a “CMDB” or similar, but when you go looking for it, it’s nowhere to be found. So what are the contents of each database? Is there data shared between databases/applications? And here’s the real challenge—try and find and identify all of the access databases, spreadsheets and word documents scattered across multiple file shares/servers and document management systems. It’s likely that some of the most sensitive information in your organization is sitting in your executives’ voicemail, or their inbox, or My Documents folder.

It’s likely you’ll need to drop some serious coin on a discovery activity using Data Leakage Prevention technology to be able to even get a picture of what data your organization is working with. A good first step is putting in place a data classification scheme and a mandatory requirement for data classification of new documents—perhaps in your main document management system. Then uplift the security controls on your document management system, use your “knowledge management team” to educate personnel to store all of their documents in it.


Focus security programme , critical business processes and critical applications

How often is the main business process responsible for all of the company’s profit documented? Almost never, unless the organization is heavily regulated (i.e. privacy law, data protection act and etc.). (Note the distinction made between revenue and profit. You can lose revenue and survive through some “right-sizing”, but if you lose profit you’re dead in the water.)

If your organization has undertaken a very involved modern business continuity program (BCP) you will have one of the best building blocks for a strategic security program already in place. A modern BCP program will identify key business processes and their importance to the organization by documenting agreed recovery requirements. A BCP program is a good start for an information security program, but don’t neglect non-critical business processes that deal with a lot of personally identifiable information or that may have a reputational impact.


Good Project Management Practice

What defines a project? Does your organization have a Project Management Office (PMO)? If not, how are you sure that you have captured all of the “formal projects” across your business? The next challenge after this is the volume of projects, how can you sort the risky projects from the safe-to-ignore ones?

Looking at projects in detail, you may discover that the vast majority of required security controls are not implemented in a project, but inherited from the existing environment. The more advanced your security program is, the more security controls will be inherited.

A good start is to require project managers to complete a risk assessment on security governance’s behalf, pushing the responsibility to them to engage with security governance if they have a high risk project. Another good step is to produce a methodology for quickly providing architects with relevant security controls they need to directly address in their design documents (e.g. use of a central identity management system) and key existing security controls they need to consider and integrate with (e.g. firewall rules).

Adapt Capacity Maturity Model

CMM can be use to determine the maturity of Information Security Governance in Telecom organizations. The rationale for using these standards and verification through CMM is to establish the notion of maturity, how well organizations are doing in adopting national and international standards and where they stand in terms of compliance. To determine the maturity of the organizations capability to deploy its Information Security and Risk Management Strategy (ISRM) successfully we have used CMM (Capability Maturity Model) (Paulk et. Al 1995). CMM is a tool developed by the Software Engineering Institute (SEI) at Carnegie Mellon University.

Capability Maturity Model

Maturity Level
0 Non-existent, intent and not identified Controls not presentNot implemented 
1 Initial, undefined and ad-hoc Not officially assigned to an individualNot documentedNot monitored 
2 Repeatable, reactive and intuitive Ownership is assignedDocumented via policies and guidelinesInconsistent implementation
3 Proactive, defined and implemented Owners are trained to operateDocumented standardsEvenly implemented
4 Managed, controlled and measureable Controls are audited and testedStandards in place and followedOperate within recognized processes 
5 Optimal, optimizing and business alignedControls are included in regular audit and assessmentMonitored and measuredComplete control quality assurance 

Control Objectives for Information and Related Technologies (CobiT) is created by the IT Governance Institute (ITGI) which is part of the Information Systems Audit and Control Association (ISACA). ISACA is the professional body of IT auditing Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications. There are 34 IT processes organised in four inter related domains in CobiT framework. Table 1 describes the four CobiT domains and number of processes in each domain. CobiT focuses specifically on controlling the entire IT function.

Table 1: CobiT domains

CobiT domains Description
Planning and organisation (PO)(10 processes) This domain covers strategy and tactics concerning the identification of ways IT can best contribute towards achievement of the business objectives. 
Acquisition and implementation (AI)(7 processes)  This domain concerns the acquisition and implementation of IT strategies and IT solutions. 
Delivery and support (DS)(13 processes)  This domain is concern with actual delivery of required services 
Monitoring and Evaluation (ME)(4 processes)  This domain addresses performance management, monitoring and control, regulator compliance and governance. 

ISO/IEC 27000 or ISO 27K is a series of standards for information security developed and being developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The first standard in the series was called ISO/IEC 17799. When it was decided to have all security standards begin with 27000, this standard was renamed to ISO/IEC 27002. In 2005, ISO/IEC 27001 was released to specify how to certify organizations as being compliant with ISO/IEC 27002. ISO/IEC 27002 divides security into 11 broad areas:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance


ISO27011 ISO 27011 ISO/IEC 27011 ISM Guidelines for Telecommunications

This ISMS implementation guide for the telecomms industry was developed by ITU-T and ISO/IEC JTC1/SC27 and published jointly as both ITU-T X.1051 and ISO/IEC 27011. 

ITU-T Recommendation X.1051 Information security management system – Requirements for telecommunications (ISMS-T) was originally published in English in July 2004, followed by Spanish, French and Russian translations in 2005.  It is based on the ISMS standards extant at that time i.e.:

  • ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
  • ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.
  • ISO 9001:2000, Quality management systems – Requirements.
  • ISO 14001:1996, Environmental management systems – Specification with guidance for use.
  • ISO/IEC 17799:2000, Information technology – Code of practice for information security management (now known as ISO/IEC 27002).
  • ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards.
  • BS 7799-2:2002, Information Security Management Systems – Specification with Guidance for use (now known as ISO/IEC 27001).

The summary states:

“For telecommunications organizations, information and the supporting processes, telecommunications facilities, networks and lines are important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly and successfully continue their business activities, information security management is extremely necessary. This Recommendation provides the requirements on information security management for telecommunications organizations.

This Recommendation specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) within the context of the telecommunication’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual telecommunications or parts thereof.”

 ITU-T proposed extending ISO/IEC 27011 with two new parts, namely:

  • Security management Guidelines for Small and Medium-sized telecommunications organizations [X.sgsm]: a guide to the implementation of information security management based on X.1051 (ISO/IEC 27011);
  • Asset Management Guidelines [X.amg]: a guide to good asset management practices for telecoms organizations.

The scope of this international standard is to define guidelines supporting the implementation of information security management (ISM) in telecommunications organizations.

  1. Security policy
  2. Organization of information security
  3. Asset management
  4. Human resources security
  5. Physical and environmental security
  6. Communications and operations management
  7. Access control
  8. Information systems acquisition, development and maintenance
  9. Information security incident management
  10. Business continuity management
  11. Compliance

The adoption of this international standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

ISO/IEC 27011:2008 establishes guidelines and general principles for initiating, implementing, maintaining, and improving ISM in telecommunications organizations based on ISO/IEC 27002.

ISO/IEC 27011 now includes a telecommunications extended control set which provides new controls and implementation guidance for a telecommunications organization. This has been included in two new annexes.

This standards provides an implementation baseline of ISM within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services.

Telecommunications organizations that implement ISO/IEC 27011 both within and between jurisdictions will:

  • Be able to assure the confidentiality, integrity and availability of the global telecommunications facilities and services,
  • Have adopted secure collaborative processes and controls ensuring the lowering of risks in the delivery of telecommunications services,
  • Be able to redeploy resources to more productive activities,
  • Have adopted a consistent holistic approach to information security,
  • Be able to improve personal awareness and increase public trust.

What are the objectives of ISO/IEC 27011?

  • Commonly-accepted goals of information security management specifically suited for telecommunications organizations,
  • Information security management practices to assist in the building of confidence for telecommunications activities.

Who should use ISO/IEC 27011?

ISO/IEC 27011 is for telecommunications organizations, anyone responsible for information security, together with security vendors, auditors, telecommunications terminal vendors and application content providers.


Key Features and Benefits:

  • Provides telecommunications organizations with a common set of general security control objectives based on ISO/IEC 27002, telecommunications sector specific controls, and information security management guidelines allowing for the selection and implementation of such controls. Leading to a higher level of information security within the organization if used.
  • Use of this standard by telecommunications organizations will increase public trust, leading to an increase in business and profits.
  • Additionally, provides implementation guidance for telecommunications organizations implementing ISO/IEC 27002 information security controls. Helping them to implement a best practice information security framework.


Implementing a Security Infrastructure

The implementation of ISMS policies and processes should be supported by a security infrastructure that includes multiple security layers. This “Defense in Depth” approach ensures that the compromise of one security layer alone does not expose the network to attacks.

Some of the security measures that can be deployed across the various layers are:

  • Interference and tamper-proof cabling infrastructure
  • Security guards and CCTV monitoring for operator premise perimeters
  • Physical access control mechanisms like smartcard and biometric readers
  • Firewalls at the network perimeter and DMZ for publicly accessible systems
  • Host- and network-based Intrusion Detection/Protection Systems
  • Security Information and Event Management (SIEM) systems to handle security events and logs generated by multiple systems
  • Malware management by deployment of antivirus, antispyware technologies on internal systems and mail servers
  • Secure application development practices
  • Security testing of the telecom equipment, perimeters, critical network components and applications
  • Encryption and data masking techniques for both data at rest and transit
  • Security awareness


Perform or Conducting Security Testing

Maintaining a consistent security posture across an organization’s network in the face of the ever changing nature of information security is a complex and time consuming task. Periodic security testing plays a vital role in assessing and enhancing the security of networks.

Vulnerability Assessment

Telecommunication networks are likely to have a heterogeneous mix of equipment from various suppliers. A highly credible, trusted third party certification programme must be in place to conduct an assessment to identify and evaluate security weaknesses and vulnerabilities contained in equipment software, firmware and hardware implementations. Certification of the supplier products against the Common Criteria Specifications (ISO 15408) ensures this at the component level.

With a large number of vulnerabilities and an increasing number of attacks exploiting them being reported across technology platforms, it is becoming difficult to ensure that the critical elements of a telecommunications network are not vulnerable to these attacks.

Vulnerability assessment can be used to:

  1. Identify vulnerabilities
  2. Report and assess the vulnerability and its overall consequence
  3. Recommend mitigation strategies (safeguards or alternatives)
  4. Ensure that organizational security policies are met by auditing the system configurations
  5. Provide input into the incident handling process

Fuzz Testing

While vulnerability assessments can help identify and mitigate known vulnerabilities, it cannot be used to protect against exploitation of unknown vulnerabilities that are likely in complex networks like telecom networks. A methodology that is now being used to address these unknown vulnerabilities is Fuzz Testing, which is a form of attack simulation where abnormal inputs are used to trigger vulnerabilities. One approach is model-based fuzzing, which uses protocol specifications to target tests at protocol areas most susceptible to vulnerabilities.

Another approach, traffic capture fuzzing, uses traffic captures to create the fuzzers used for testing.


Radio Access Path Security Testing

An aspect of security testing that is unique to a telecommunications network is the testing of the radio access network. By and large, the approach to testing radio nodes is based on custom test scenarios that are in turn based on the characteristics of individual radio nodes. The primary tools in use are a modified Mobile Station (MS) and the custom radio traffic injection scripts. In order to protect the privacy of subscribers’ information during the security tests, it is recommended that a second test device (an unmodified MS) is used as the primary target for the attacks where possible. The tests should be designed to prevent legitimate subscribers from associating with the modified equipment being used, and also to ensure that there is no service disruption.

Penetration Testing

Penetration testing supplements the vulnerability assessment activities by taking “the last step” and actually exploiting these vulnerabilities to compromise and gain access to the target systems, and not just report potential vulnerabilities. Penetration testing provides the “hacker’s” perspective inside and outside the network perimeter. Security testing specialists attempt to infiltrate the client’s network, systems and applications using not only common technologies and techniques, but also specialized tools and some unexpected methods, such as combined techniques (“multi-vector” attacks). The result is a detailed report identifying key vulnerabilities and suggested protection tactics – an action plan to improve the organization’s security posture.


Conducting Network Security Audits

Network security audits can be conducted to discover, assess, test and report the existing security infrastructure implementations. Network security audits should be based on internationally accepted standards and frameworks like ISO 27001 and COBIT.

A methodology for network security audits, consisting of four distinct phases:

  1. Scope and Plan – This involves defining the audit objective, determining the audit scope, understanding the business risks and defining the project plan.
  2. Information Gathering – This is gathering the information about the security policies, processes and security controls that have been implemented, and also the industry best practices, standards and guidelines that are applicable.
  3. Assessment – This is performed to discover the vulnerabilities existing in the system. The impact of any discovered vulnerability on the telecom operator business is used to determine a risk rating.
  4. Documentation – This includes the analysis and reporting of data and test results. The report documents the results and findings of the security assessment and includes a discussion of the risk analysis arising from the assessment, implications to the telecom operator’s systems and networks and recommendations for improving the security position of the operator’s applications, systems and networks.


These areas are subdivided into many more specific elements. ISO/IEC is working on a number of other standards for the 27000 series.

ISO/SEC27K series Description
ISO/IEC 27001:2005 is the information security management system (ISMS) requirements standardISO/IEC 27002:2005 is the code of practice for information security management describing a comprehensive set of information security control objectives 
ISO/IEC 27003 provides implementation guidance for ISO/IEC 27001
ISO/IEC 27004 is an information security management measurement standards suggesting metrics to help improve the effectiveness of ISMS 
ISO/IEC 27005:2008 is an information security risk management standard 
ISO/IEC 27006:2007 is a guide to the certification or registration process for accredited ISMS certification or registration bodies 
ISO/IEC 27007 will be a guideline for auditing information security management systems 
ISO/IEC 27008 will provide guidance on auditing information security controls
ISO/IEC 27010 will provide guidance on information security management for sector-to-sector communications 
ISO/IEC 27011:2008 is the information security management guideline for telecommunications organizations
ISO/IEC 27013 will provide guidance on the integrated implementation of ISO/IEC 20000-1 
ISO/IEC 27014 will cover information security governance 
ISO/IEC 27015 will provide information security management systems guidance for financial service organizations 
ISO/IEC 27031 will be an ICT-focused standard on business continuity 
ISO/IEC 27032 will provide guidelines for cyber security 
ISO/IEC 27033 will replace the multi-part ISO/IEC 18028 standard on IT network security 
ISO/IEC 27034 will provide guidelines for application security 
ISO/IEC 27035 will replace ISO TR 18044 on security incident management 
ISO/IEC 27036 guideline for security of outsourcing 
ISO/IEC 27037 guideline for digital evidence 
ISO 27799:2008 provides health sector specific ISMS implementation guidance based on ISO/IEC 27002



IT Risk and Security Governance Survey

This survey is part of a study being conducted at Charles Sturt University to determine maturity level of IT Security Governance in Australian organizations. All responses and data collected are highly confidential. At no stage this data will be used other than the above mentioned purpose. (Please tick the boxes and/or write your response wherever applicable)


1. Does your organization have ISMS (Information Security Management System)?

_Yes _ No

2. What is the highest level of IT security position in your organization?


_ Security Manager

_ Security Admin

_ Security Technician

_ Other ____________________________

3. Who has the responsibility and accountability for IT Risks:






_ Other _____________________________

4. Does the organisation maintain an IT risk register?

_Yes _ No

5. How often is the risk register updated?

_Quarterly _ Yearly _ Other _______________

6. How are IT risks communicated to all stakeholders in organisations?

_ Induction/Training

_ Professional Development

7. How are the risks classified in your organisation?

_ avoidance

_ mitigation

_ transfer

_ acceptance

8. How does the organisation manage IT Risks?

_ Risk assessment for processes and business decisions does not occur

_ Risk management is not identified as relevant to acquiring IT solutions and delivering IT services

_ IT Risks are considered in an ad hoc manner

_ Informal assessments of project risk take place as determined by each project

_ Risk assessment approach exists and is implemented at the discretion of the project managers

_ The risk management is usually at a high level and is typically applied to only major projects

_ An organisation wide risk management policy is available.

_ Risk management is defined process that is documented

_ The assessment and management of risk are standard procedures

_ Risk is assessed and mitigated at the individual project level

_ Risk management is structured, organisation wide process and is enforced

_ Risk management is truly integrated in all IT operations

9. Percent of organisation budget spent in IT?

_ more than 10% _ 8-10%

_ 6-7% _ 3-5 %

_ 1-2 % _ less than 1%

10. Percent of organisation budget spent in IT Security/Risk Management?

_ more than 10% _ 8-10%

_ 6-7% _ 3-5 %

_ 1-2 % _ less than 1%

11. Frequency of review of the IT risk management process.

_Quarterly _ Yearly _ Other _______________

12. Percent of identified IT events used in risk assessment? _____________ %

13. Percent of identified critical IT events that have been assessed? _____________ %

14. Percent of risk management action plans approved for implementation. _____________ %

15. Percent/Number of significant incidents caused by risks that were not identified by the risk assessment process?

_____________ %

16. What is the governance structure for information security in the organisation? Please draw if different than






Security Admin

Security Technician Other (please draw the structure)

17. What standard(s) and/or framework(s) does your organisation complies with?

_ ITIL (for service delivery)

_ CMM (for solution delivery)

_ PMBOK or PRINCE2 (for Project Management

_ ISO/IEC 17799:2005 (for information security)

_ AS/NZS ISO/IEC 27001:2006 (for information security)

_ COBIT (for IT Governance )

_ Val IT (for IT Governance )

_ Risk IT (for IT Risk Management )

_ Other ___________

18. What are the organisation’s business objectives?

_ Revenue and Market Share

_ Reputation and Brand

_ Asset and Capital Management

_ Earnings and Operating margins

_ Others ___________

19. What are possible risks the organisation faces?

_ Economic conditions

_ Price volatility

_ Interest rate volatility

_ New product development

_ Environmental regulation

_ Government regulation

_ IT infrastructure capacity

_ Key supplier dependence

_ Recruitment and retention

_ Customer migration

_ Regulator compliance

_ Others_______________

20. What are the organisational business processes?

_ Product development

_ Sales and marketing

_ Customer support

_ Production

_ Procurement

_ Others _____________

21. What are organisational IT Assets?

_ IT Infrastructure

_ Network

_ Applications

_ Databases

_ Others ______________

22. What are threats to your organisational IT Assets?

_ Denial of service _ laptop theft _ Telecom fraud _ Unauthorised access

_ Viruses _ Insider abuse _ Financial fraud _ System penetration

_Sabotage _ Bots _ Password sniffing _ Website defacement

_ Theft/loss of proprietary information _Theft/loss of customer data

_ Abuse of wireless network _ Misuse of web application

_ Abuse/misuse of IT resources _ Others


CobiT (2008) “Control Objectives for Information and related Technology.” Retrieved December 30, 2008 from


Conner, B., Noonan, T. and Holleyman, R. W. (nd). “Information Security Governance: Toward a Framework for

Action.” Retrieved July 12, 2010 from http://www.bsa.org

ISO27001 Security (2010) Retrieved July 10, 2010 http://www.iso27001security.com/index.html

ITGI (2003) “Board briefing on IT Governance.” Retrieved July 10, 2010 from


Philippines Privacy Act — http://www.philstar.com/Article.aspx?articleId=789210&publicationSubCategoryId=66



2 thoughts on “Information Security Governance – Telecommunication Industry

  1. Did the IT Risk and Governance Survey result in a telecommunications sewctor maturity benchmarking that you can share? Scott Corzine – scott.corzine@fticonsulting.com


    Posted by Scott Corzine | 11/17/2015, 11:47 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s



Blog Stats

  • 37,940 hits
April 2012
« Mar   May »
Follow Daniel Vizcayno's Insights on WordPress.com

Member of The Internet Defense League

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,148 other followers

%d bloggers like this: