(NW & IT) Security: A Global Provider's Perspective

ECTA Regulatory Conference 2006
Workshop: Data Protection, Retention and Security Issues in the Electronic Communications
(NW & IT) Security: A Global Provider's Perspective
15 November 2006, Brussels
Marcel Grijsen, Director Regulatory Affairs, EMEA

Introduction - 1
> Orange Business Services: a Global Provider of (Integrated & Converged) Services & Solutions for Multi National Corporations and International Organizations (MNCs).
> Since 1 June 2006 the France Telecom Group re-branded to Orange Business Services for the large corporate customer segment.
> Therefore, at commercial level our services are now sold under the Orange Business Services brand name.
> But our local licensed operating entities remain Equant companies.
> I may use the two interchangeably, so please don't be confused! I mean one and the same business.

Introduction - 2
> Disclaimer: In my day-to-day Telecommunications Regulatory practice I generally do not work much in the specific area that is covered by today's workshop.
> Therefore I am not a specialist by any stretch of the imagination in this domain.
> It may be basic, but I hope that my contribution, sharing with you some of our experiences and insights from a specific provider's perspective, may be valuable regardless.

Security is Key: Provider Perspective
> Security is an important part of our business, see e.g. the Security section on our website:
> http://www.mnc.orange-business.com/content/xml/obs_home.xml
> We take Security very seriously and it is a key and central part of our business.
> Equant has been audited under Sarbanes-Oxley rules and holds SAS70 certification. Equant complies with ISO17799 and intends to work towards ISO certification. Equant uses COBIT, ITIL and ISO17799 (BS7799) as security standards in its operations.
> Towards Ourselves as a Global Network and Services Provider to MNCs, Security is key: apart from complying with regulatory requirements related to Security, it is only logical to protect and secure your business core assets, such as our Global Network. We would even do it if there were no obligations embedded in regulations to ensure security!!
> We regard ourselves as a reliable, trusted and secure Provider to MNCs across the Globe, and hope our Customers share this vision.

Equant Security Goals
> Ensure business continuity of our customers at all times.
> Ensure secured customer traffic over the Equant network backbone.
> Prevent and minimize the impact of security incidents on customers through the implementation of appropriate security practices/policies throughout the Equant organization.
> Ensure the protection of the Equant network backbone & systems and the network information.

Equant Security Organization
> Global Security Organization: headed by the Equant Chief Security Officer (CSO), responsible for Security governance at the corporate level.
> Security Council: created to establish a corporate vision about security throughout Equant. Its members are first level management representatives.
> Security Management Organization: responsible for day to day security management and security Engineering.
> Security Operations Center (SOC): monitors the Equant Network & Systems Security, and performs network security incident investigation & mitigation, on a 24x7 basis.
> Network Infrastructure Security Engineering: responsible for the network infrastructure security engineering projects.
> Business Information Security Managers (BISMs): the BISMs are security representatives in all Equant organizations; they are the points of contact with Equant Corporate Security and are responsible for integrating security in all business aspects within Equant.

Equant Security Policies
> Equant has a core security policy which is divided into a number of policies and sub-policies defined at all levels to ensure business continuity and to minimize business damage.
> Equant handles Security in a Global manner. Our security programs cover different areas, applying best business security practices to Equant's business and to the business of Equant's customers and partners.
> Therefore it makes sense for us to develop Global Security Policies to support our Global business. Our business model is not well served by differing, prescriptive, national, Member State level approaches and local regulations.

Equant Backbone Security
> Equant has implemented various methods and policies on the Inside of, Between, and Access to the Equant networks to secure the infrastructure and protect it from the main IP network vulnerabilities (DDoS, configuration weaknesses, etc.):
> - Inside of the backbone networks: for Backbone Networks Security Hardening and Control.
> - Between the Backbone Networks: for Isolation and Control.
> - Access to the Backbone Networks: for secure backbone elements Access Control.

Equant Security Audit & Assessment
> Equant recognizes the need to do regular security audits (External, by internationally recognized auditors, and Internal, by Equant security experts) on the backbone network and systems to ensure compliance with the security policies defined.
> External audits are done by internationally recognized audit firms.
> Audit findings and recommendations are used to drive security projects to enhance the security of the network.

Security is Key: Customer Perspective
> Towards our Customers: Security is key to our Customers and their businesses, e.g. banks.
> Our specific focus on serving MNCs across the Globe means that these big global companies are dependent on Orange Business Services for the security of their business communications, corporate networks (such as IP VPNs) and/or business (critical) applications.
> Therefore our focus is to not breach this Trust.
> In addition: our customers are highly demanding and, given their business interests and requirements, they will bring Security as a main topic to the negotiation table. This also has an impact on how we regard the EC proposals as part of the NRF Review, triggered by our customer experience.

Security is Key
> In Our Experience, the rules have changed:
> Old Rule: only invest in Security if the cost to secure is less than the cost of exposure.
> New Rule: If your customers or partners can't trust your business, you will be out of business!!

NRF Review 2006-1
> Currently Security is mainly covered in the New Regulatory Framework (NRF) by e.g. Article 23 of the Universal Service Directive and Article 4 of the e-privacy Directive.
> Article 4 (1): The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
> EC Review Proposals range from introducing detailed new provisions on security and integrity at EU level, via a mid-way proposal (general security and integrity requirements together with enabling measures), to No changes to the regulatory framework.

NRF Review 2006-2
> Get more prescriptive and detailed? Not the right direction in our opinion: move to a patch-work Europe, just as we start to gain experience in this area?
> One reason that the EC mentions to drive the proposals is a perceived decline in confidence. We do not experience such a decline in confidence. In our world Security is a key topic in the provider selection process, and rest assured that all Security requirements, processes, reporting etc. are well covered in agreements between MNCs and their Global Providers, such as ourselves.
> Also, the proposed liability for security problems and the notification requirement are not applauded by us and are far away from our situation, where these issues are handled in a satisfactory manner directly between MNC Customer and Provider.

The Way Forward - 1
> In our view there is no need for a major review re Security, at least not one that would culminate in new, detailed, prescriptive levels of regulation.
> Describe the principles, high-level EU standard Guidance, but leave the practical implementation to the operators; especially if you seek to serve Globally, it makes a lot of sense to aim for Global policies and solutions. In that way operators can comply in different ways, suiting their respective business models, while remaining compliant with applicable law!
> It would be very helpful if the EC undertook an EU-wide study on what the current MS regimes re Security come down to, mapped these, how they differ, and saw whether this has internal market impact, and acted upon that.
> If anything should be done, the focus should be on harmonizing as much as possible at EU level, while leaving NRAs the powers to implement at MS level.

The Way Forward - 2
> Possibly exempt the Providers with a (Large) Business focus from any new rules, if these would have to be adopted, since our reading of the EC proposals is that these are very much done with a Residential / Consumer interest perspective in the background.
> However, please note that already today (some) local NRAs already seem to have far-stretching powers, and MS deal with Security at National level in a way that is non-transparent for us. There is a serious risk, especially for pan-European and Global operators, of being caught in national micro regulatory practices re Security.
> Since Security is key and will remain so, and looking after Security does not stop at borders, from a pan-European and Global level we'd prefer to have high levels of harmonization at EU level: to know what operators have to comply with in a one-stop-shop approach! Cover 25 (soon 27) countries in one go! That is, if something really has to be done to change the current NRF.
> - THANKS FOR YOUR ATTENTION -