Information Security

 View Only
  • 1.  Telecom Vendor Risks

    This message was posted by a user wishing to remain anonymous
    Posted 10-22-2019 03:29 PM
    This message was posted by a user wishing to remain anonymous

    In the past we've looked at Telecom providers as a utility and haven't performed security risk assessments on these types of vendors. I'm starting to question this approach and wanted to take the pulse of this group regarding your positions on telecom providers and the potential risks you've identified from an information security perspective. Thanks.

  • 2.  RE: Telecom Vendor Risks

    Posted 10-23-2019 08:19 AM

    Telecom service providers present a variety of risk that should be evaluated against your policies, procedures, controls, and I'll share a couple with you.

    If you have sensitive data that crosses the communications path:

    • how is the data encrypted and who is responsible to ensure that the data is protected?
    • who within the provider can access the data?  Often data ports can be mirrored which means it can be captured and played back or viewed later.
    • The list goes on…….

    If the service supports your critical operations, then the vendor might be a critical vendor

    • Does the provider have a different recover time objective that doesn't support your internal service levels? If your internal service levels require a 2-hour service level but the provider can only recover in 4 hours, you might have a problem
    • Contracts should reflect claw backs in a refund and not a credit when service levels are not met.

    Telecom vendors often outsource to sub-contractors and you should when and what situations may occur where they have access to your systems and sensitive data

  • 3.  RE: Telecom Vendor Risks

    Posted 10-23-2019 08:48 AM
    From the perspective of Financial Services, I have always put my telecom providers thru the rigors of the vendor risk management program.  In addition to the very accurate points that Ron made a few minutes ago,  the contracts with telecom providers can be particularly "sticky", expensive and difficult to get out of if you miss a notification date.  Bottom line - treat telecom providers as a traditional (and most likely critical) vendor.  Its a worthwhile investment.

  • 4.  RE: Telecom Vendor Risks

    Posted 10-23-2019 09:52 AM
    We view ISP's as Critical but low risk. Any data traversing the network should be encrypted with a currently acceptable cipher suite, so the risks the ISP poses are to availability of service, not confidentiality, integrity, or privacy. Organizations should have sufficient mitigating controls in place to demonstrate to examiners/concerned parties that the risk is limited to availability/resiliency.

    It's also usually difficult to get any decent due diligence information from telecos as well which adds to the problem of how to treat them.