Telco

Digital Information Risk correlation and intelligence reporting solution

With the advent of the “Digital Information Age” the task of protecting ICT infrastructures became a massive and multifaceted task, namely due to the humongous quantity of data that a large ICT infrastructure manages, generates, and is exposed to, especially for companies with a vast number of retail clients visits, contacts and transactions to be kept available and secure on their public sites under local and international privacy laws, and in industries subject regulatory and statutory frameworks.

SUCCESS STORIES
Banking
Telco
Oil & Energy

Context

In telco markets, sensitive customer data breaches or infrastructure down time can lead to negative outcomes in term of public perception on the overall company security and reliability, when it comes to security in the cyber space on customer data and privacy protection, and to sanctionable outcomes as well.

Client Description

The Client is one of the top three Italian mobile and landline telephone operators by capitalization, number of clients and overall reach, with a large presence of retail customer points of contact in Italy, and it is owned by one of the ten largest telephony groups worldwide.

Client Need

The client had a very complex ICT infrastructure, with a number of powerful and yet disparate security appliances, solutions and tools added along the years and preserving different layers of the overall infrastructure security, along with many business and regulatory requirements to be fulfilled, and expressed some key needs to the Esc2 team:

  • Given the diversity of formats and of layers within the infrastructure, the client had many difficulties in piecing together the detail level info of the huge number of detailed feeds and reports coming from the ICT security operations in place, and was thus lacking high level and information rich reporting on the underlying risks and their trends. The absence of an aggregated reporting model for ICT risk management was ultimately making it difficult to understand the changes in the taxonomy of attacks and incidents (i.e. nature, frequency, geography, impacted layer and processes, etc.), and thus of the potential and existing risks trends on the different ICT dimensions and layers;

  • The client needed as well to implement the PCI DSS standard requirements, in order to be allowed by local financial regulators to activate al the retail and business payment processing, by mean of the connection to the major international payments services networks. This implied putting in place an adequate security framework for all infrastructural layers and applications connected to sensible customers data, and giventhe nature of the information managed in this process, also all local and international laws mandates for Customer Data Privacy had to be respected and implemented, namely with regards to the tracking of all internal access to the customer data in the different processes of the scenario, including the DB system administrators access and privileges;

  • Given that the holding group was a NASDAQ listed company, subject to the Sarbanes-Oxley Act (SOX) on corporate responsibility, both local and international regulatory and statutory frameworks where to be implemented and managed, along guidelines standards such as ISO 27001;

Esc2 Value Added Solution

Esc2 analysts, based on the client requirements proposed a packaged solution with the following key functionalities:

  • Collection, normalization, reuse and aggregation of all already available information from logs and reports, i.e. produced by all the security appliances, solutions and tools, and from proprietary security service feeds, establishing a clear and complete risk intelligence base of data to be used on a new, screen based, real time security reporting analysis framework, sporting an integrated semantic alignment on the different security layers and dimensions at the data warehouse level, and a simple and powerful front end featuring user created dashboards and drill down navigation;
  • Aggregation of risk dimensions and values based on Risk Management best practices such as COBIT 5 (from a business process point of view) and ISOI/IEC 27005 (for technologies chain) , creating a clear standard based measurement;
  • Realization of a Risk Summary overview on different dimensions, such as geography, business service and department, functional areas and business process, and impacted ICT layer and assets;
  • Flexible library based abstraction layer to support multiple and concurrent levels of compliance such as PCI DSS, SOX and Customer Privacy;
 
Infosync RM Architecture

Client Experience

During a period of nine months and two major project phases the client progressively integrated the newly designed base of data on INFOSYNC RM platform, and successfully created thereafter several reporting dashboards and drill down navigation schemas, perfectly responding to the management expectations regarding the company policies and needs on timely and transparent security and audit reporting for the pertaining statutory requirements on ICT security regarding privacy, client data security, and of the Sarbanes-Oxley Act.

Key Benefits

  1. Reuse of all available data and information from disparate log analysis and reporting systems;


  2. Standardization of the reporting model supporting the risk evaluation processes;


  3. Adoption of standard measurement of values in operational risk (Cobit5, ISO 27001, Privacy Law);


  4. Completeness and Clarity of the information reported to Internal Audit counterparts on all of the relevant ICT security aspects, and of the current level of compliance with all the multiple directives and regulations and mandates for the treatment, storage, security and overall privacy respect of client data;