Digital Information Risk correlation and intelligence reporting solution
With the advent of the “Digital Information Age”, protecting ICT infrastructures became a massive and multifaceted task, mainly because of the huge quantity of data that a large ICT infrastructure manages, generates, and is exposed to. This is especially true for companies with a vast number of retail client visits, contacts and transactions that must be kept available and secure on their public sites under local and international privacy laws, and for industries subject to regulatory and statutory frameworks.
In telco markets, breaches of sensitive customer data or infrastructure downtime can lead to negative outcomes in terms of public perception of the company's overall security and reliability, particularly where cyber security and the protection of customer data and privacy are concerned, and to sanctionable outcomes as well.
The Client is one of the top three Italian mobile and landline telephone operators by capitalization, number of clients and overall reach, with a large presence of retail customer points of contact in Italy, and it is owned by one of the ten largest telephony groups worldwide.
- Given the diversity of formats and of layers within the infrastructure, the client had great difficulty piecing together the detailed information from the huge number of feeds and reports coming from the ICT security operations in place, and was thus lacking high-level, information-rich reporting on the underlying risks and their trends. The absence of an aggregated reporting model for ICT risk management ultimately made it difficult to understand changes in the taxonomy of attacks and incidents (i.e. nature, frequency, geography, impacted layer and processes, etc.), and therefore the trends of potential and existing risks across the different ICT dimensions and layers;
- The client also needed to implement the PCI DSS standard requirements, in order to be allowed by local financial regulators to activate all retail and business payment processing by means of connection to the major international payment services networks. This implied putting in place an adequate security framework for all infrastructure layers and applications connected to sensitive customer data and, given the nature of the information managed in this process, all local and international legal mandates for customer data privacy also had to be respected and implemented, namely with regard to tracking all internal access to customer data in the different processes of the scenario, including the access and privileges of DB system administrators;
- Given that the holding group was a NASDAQ-listed company, subject to the Sarbanes-Oxley Act (SOX) on corporate responsibility, both local and international regulatory and statutory frameworks were to be implemented and managed, along with guideline standards such as ISO 27001;
Over a period of nine months and two major project phases, the client progressively integrated the newly designed data base onto the INFOSYNC RM platform, and thereafter successfully created several reporting dashboards and drill-down navigation schemas. These fully met management expectations regarding the company's policies and needs for timely and transparent security and audit reporting on the pertaining statutory requirements for ICT security concerning privacy, client data security, and the Sarbanes-Oxley Act.
- Reuse of all available data and information from disparate log analysis and reporting systems;
- Standardization of the reporting model supporting the risk evaluation processes;
- Adoption of standard measurement of values in operational risk (COBIT 5, ISO 27001, Privacy Law);
- Completeness and clarity of the information reported to Internal Audit counterparts on all relevant ICT security aspects, and on the current level of compliance with the many directives, regulations and mandates governing the treatment, storage, security and overall privacy of client data;