Telecom service providers present a variety of risks that should be evaluated against your policies, procedures, and controls, and I'll share a couple with you.
If you have sensitive data that crosses the communications path:
- how is the data encrypted and who is responsible to ensure that the data is protected?
- who within the provider can access the data? Often data ports can be mirrored which means it can be captured and played back or viewed later.
- The list goes on...
If the service supports your critical operations, then the vendor might be a critical vendor.
- Does the provider have a different recovery time objective that doesn't support your internal service levels? If your internal service levels require a 2-hour service level but the provider can only recover in 4 hours, you might have a problem.
- Contracts should reflect clawbacks as a refund and not a credit when service levels are not met.
Telecom vendors often outsource to sub-contractors, and you should know when and in what situations they may have access to your systems and sensitive data.
Sent: 10-22-2019 12:00 PM
From: Anonymous Member
Subject: Telecom Vendor Risks
This message was posted by a user wishing to remain anonymous
In the past we've looked at Telecom providers as a utility and haven't performed security risk assessments on these types of vendors. I'm starting to question this approach and wanted to take the pulse of this group regarding your positions on telecom providers and the potential risks you've identified from an information security perspective. Thanks.