Information Security

This message was posted by a user wishing to remain anonymous

In the past we've looked at Telecom providers as a utility and haven't performed security risk assessments on these types of vendors. I'm starting to question this approach and wanted to take the pulse of this group regarding your positions on telecom providers and the potential risks you've identified from an information security perspective. Thanks.

​

Telecom service providers present a variety of risk that should be evaluated against your policies, procedures, controls, and I'll share a couple with you.

If you have sensitive data that crosses the communications path:

• how is the data encrypted and who is responsible to ensure that the data is protected?
• who within the provider can access the data?  Often data ports can be mirrored which means it can be captured and played back or viewed later.
• The list goes on…….

If the service supports your critical operations, then the vendor might be a critical vendor

• Does the provider have a different recover time objective that doesn't support your internal service levels? If your internal service levels require a 2-hour service level but the provider can only recover in 4 hours, you might have a problem
• Contracts should reflect claw backs in a refund and not a credit when service levels are not met.

Telecom vendors often outsource to sub-contractors and you should when and what situations may occur where they have access to your systems and sensitive data

Original Message:
Sent: 10-22-2019 12:00 PM
From: Anonymous Member
Subject: Telecom Vendor Risks

This message was posted by a user wishing to remain anonymous

In the past we've looked at Telecom providers as a utility and haven't performed security risk assessments on these types of vendors. I'm starting to question this approach and wanted to take the pulse of this group regarding your positions on telecom providers and the potential risks you've identified from an information security perspective. Thanks.

From the perspective of Financial Services, I have always put my telecom providers thru the rigors of the vendor risk management program.  In addition to the very accurate points that Ron made a few minutes ago,  the contracts with telecom providers can be particularly "sticky", expensive and difficult to get out of if you miss a notification date.  Bottom line - treat telecom providers as a traditional (and most likely critical) vendor.  Its a worthwhile investment.
Original Message:
Sent: 10-23-2019 08:19 AM
From: Ron Malone
Subject: Telecom Vendor Risks

​

Telecom service providers present a variety of risk that should be evaluated against your policies, procedures, controls, and I'll share a couple with you.

If you have sensitive data that crosses the communications path:

• how is the data encrypted and who is responsible to ensure that the data is protected?
• who within the provider can access the data?  Often data ports can be mirrored which means it can be captured and played back or viewed later.
• The list goes on…….

If the service supports your critical operations, then the vendor might be a critical vendor

• Does the provider have a different recover time objective that doesn't support your internal service levels? If your internal service levels require a 2-hour service level but the provider can only recover in 4 hours, you might have a problem
• Contracts should reflect claw backs in a refund and not a credit when service levels are not met.

Telecom vendors often outsource to sub-contractors and you should when and what situations may occur where they have access to your systems and sensitive data

Original Message:
Sent: 10-22-2019 12:00 PM
From: Anonymous Member
Subject: Telecom Vendor Risks

This message was posted by a user wishing to remain anonymous

In the past we've looked at Telecom providers as a utility and haven't performed security risk assessments on these types of vendors. I'm starting to question this approach and wanted to take the pulse of this group regarding your positions on telecom providers and the potential risks you've identified from an information security perspective. Thanks.

We view ISP's as Critical but low risk. Any data traversing the network should be encrypted with a currently acceptable cipher suite, so the risks the ISP poses are to availability of service, not confidentiality, integrity, or privacy. Organizations should have sufficient mitigating controls in place to demonstrate to examiners/concerned parties that the risk is limited to availability/resiliency.

It's also usually difficult to get any decent due diligence information from telecos as well which adds to the problem of how to treat them.