Compliance and Unified Communication

Transcription

1 Compliance and Unified Communication January 2015 [Type text]

2 There are two topics that should be uppermost in every CISO's mind, how to address the growing demand for Unified Communications (UC) and how to ensure that the organisation's compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any UC implementation impacts the deploying organisation's compliance status. This white paper examines the UC compliance issues and shows how with the correct security controls, an organisation may realise the benefits of UC without compromising their compliance status. Compliance When compliance is discussed in an IT context, financial sector regulations applying to data processing and storage usually spring to mind. However, compliance is a much broader topic. Compliance regulations apply to most businesses not just the financial sector. Compliance also applies to all forms of business communication including phone, video and Instant Messaging (IM) communication. This collection of real-time services is known as Unified Communications (UC), now in use by most businesses. The financial sector has its own set of compliance regulations, but even here the regulations vary from country to country. In the UK, in 2011, the FSA extended compliance regulations to cover the recording of phone calls. At a European level, the Markets in Financial Instruments Directive (MIFID) published in 2007 mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction 1. This can be interpreted to include the recording of phone calls, but this requirement is not explicitly stated. The MIFID II regulations, which were adopted by the European Parliament and Council in 2014 and which will apply from January 2017 specifically, include call recording. However there is more to compliance than call recording regulations for the financial sector. There are a number of European regulations which apply to any business handling personal data. These regulations are defined in a number of documents including EU Directive 95/46/EC 2 and summarised in the Handbook on European Data Protection Law 3. Directive 95/46/EC controls the collection and use of personal data and defines seven principles including: Personal data may be used only for stated purposes and no other purpose. Personal data must be kept safe and secure from potential abuse, theft or loss

3 Any organisation processing personal data is responsible for adhering to all seven principles. The Handbook on European Data Protection Law provides a summary of regulations and quotes article 8 of the European Convention on Human Rights which is summarised as: a right to protection against the collection and use of personal data. The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds that business responsible for breaches no matter how those breaches are triggered. This includes the loss of data through any IT security breach. This means that any IT system which includes UC services is not compliant if it is not protected against attack. The frequency with which security breaches continue to occur has lead to new proposals for EU data protection regulation. These include a requirement to report all security breaches within 72 hours. The proposals also establish a public register of all breaches notified. In addition any breach can result in a fine of up to 5% of global annual turnover. The magnitude of the fine will depend on the level of data protection measures implemented by the offending organisation. It is clearly in a company's interest to ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General commented: 3 If you think compliance is expensive, try non compliance. Unified Communication Unified Communication (UC) is the integration of real-time, enterprise communication services with existing IT applications and services. UC includes voice and video calls, Instant Messaging and presence information (showing the availability of colleagues). UC is designed to improve the effectiveness of business communication, both within an organisation and to a business's customers and partners. The full benefits of UC are gained only when the service is extended beyond the bounds of an organisation's network to connect remote users on mobile or fixed line devices and to extend the service to 3 rd parties. UC is implemented on IP networks and can share those networks with data services, social collaboration platforms and systems. This brings communication services such as voice and video into the IT realm. This plus the fact that UC services will inevitably carry sensitive and personal data means that UC is subject to the same compliance regulations as any data services. This means that all UC deployments must be protected with effective security measures.

4 The protocols used to deliver UC are complex. This complexity plus the real-time requirements of UC means that the security measures deployed must be tailored to meet UC specific security threats. Standard data security measures are not sufficient. The security and compliance problems are not confined to UC. Recent reports show that both cellular networks 4 and the global SS7 phone network 5 are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages. The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UC system that meets compliance requirements protects all real-time communications. Steps to Ensure UC Compliance As we have seen, compliance obligations extend beyond the financial sector and are about more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality of personal information. As the EU directive states: Personal data must be kept safe and secure from potential abuse, theft or loss. If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UC services the latter including all voice, video and IM communication. Compliance for UC is a process, the key steps in this process are: 1. Understand which of the many regulations apply. 2. Audit your UC and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used. 3. Review your existing security measures, recognising that most IT data security measures (Firewalls, VPNs etc) do not adequately protect UC applications. 4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information

5 5. Review the need for call recording, any financial sector organisation subject to MIFID will need to implement this if not already obliged to do so by other regulations. 6. Implement an effective UC security system which meets the compliance requirements. UM Labs can support this process by analysing an existing UC system and accessing the security measures in place to protect that system. UM Labs have also developed the UC Security Platform which is designed to protect UC systems and to provide a number of features to support UC compliance. 5

6 The platform is designed to work with most UC systems including Microsoft Lync and with all popular IP-PBX systems and will secure local, remote and roaming user connections. The platform has been audited by European Telecom providers needing a solution to a growing compliance problem. As a result and after two years of testing, UM-Labs was selected as a key component to provide compliance for national telecom providers. The Platform is designed to meet the following compliance goals. To protect from attack on three levels, network, application and content. To protect the UC systems from attacks, including Denial-of-Service (DoS) attacks. See the UM Labs white paper, Combating Denial of Service Attacks for VoIP and UC 6 for further details on DoS attacks. To provide auditing functions to record all attacks on the system and to record the corrective action taken. To provide alerts when the system is attacked. To provide encryption services to protect voice, video and IM communications. To enable the recording and secure storage of calls, including encrypted calls, to meet compliance and legal intercept requirements

7 About UM-Labs "UM-Labs work to protect your business from criminal Interference" Cyber Security is the fastest growing challenge in today's world of the Internet, everyday 24 hours a day there is a breach, a theft of data, listening on phone calls/video calls, messaging (IM) and even your location. Businesses have in the past tried to control attacks with outdated computing technics and this legacy is set against a back drop of keeping in with the status quo. The thirst for internet content and the fast growing use of Cloud technology increases the volume of criminal cyber-attacks on Video chat, Internet phone calls, IM and location. Over 234 million people use these communication services in business every day, a 21st century solution is required to protect and manage; if not your business is at risk. UM-Labs are a creative and advanced R&D company with experts in compute security software design, smart mobile technology and cloud computing. The cloud solution is a unique layer of real time security software. This protects and encrypts Internet communications across all of the cloud variants, it is easy to install and scales to thousands of users from one virtual server, compliant tested and certified customer reference sites in Europe and the US. Contact: - or [email protected] 7