Compliance and Unified Communication

January 2015

There are two topics that should be uppermost in every CISO's mind: how to address the growing demand for Unified Communications (UC) and how to ensure that the organisation's compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any UC implementation affects the deploying organisation's compliance status. This white paper examines the UC compliance issues and shows how, with the correct security controls, an organisation may realise the benefits of UC without compromising its compliance status.

Compliance

When compliance is discussed in an IT context, financial sector regulations applying to data processing and storage usually spring to mind. However, compliance is a much broader topic. Compliance regulations apply to most businesses, not just the financial sector. Compliance also applies to all forms of business communication, including phone, video and Instant Messaging (IM). This collection of real-time services is known as Unified Communications (UC), now in use by most businesses.

The financial sector has its own set of compliance regulations, but even here the regulations vary from country to country. In the UK, in 2011, the FSA extended compliance regulations to cover the recording of phone calls. At a European level, the Markets in Financial Instruments Directive (MiFID), published in 2007, mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction [1]. This can be interpreted to include the recording of phone calls, but the requirement is not explicitly stated. The MiFID II regulations, which were adopted by the European Parliament and Council in 2014 and which will apply from January 2017, specifically include call recording. However, there is more to compliance than call recording regulations for the financial sector.

There are a number of European regulations which apply to any business handling personal data. These regulations are defined in a number of documents, including EU Directive 95/46/EC [2], and summarised in the Handbook on European Data Protection Law [3]. Directive 95/46/EC controls the collection and use of personal data and defines seven principles, including:

- Personal data may be used only for stated purposes and no other purpose.
- Personal data must be kept safe and secure from potential abuse, theft or loss.

[1] http://tinyurl.com/manset8
[2] http://tinyurl.com/6gpkrav
[3] http://tinyurl.com/olbzgeu

Any organisation processing personal data is responsible for adhering to all seven principles. The Handbook on European Data Protection Law provides a summary of the regulations and quotes Article 8 of the European Convention on Human Rights, which is summarised as a right to protection against the collection and use of personal data. The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds the business responsible for breaches no matter how those breaches are triggered. This includes the loss of data through any IT security breach, so an IT system which includes UC services is not compliant if it is not protected against attack.

The frequency with which security breaches continue to occur has led to new proposals for EU data protection regulation. These include a requirement to report all security breaches within 72 hours. The proposals also establish a public register of all breaches notified. In addition, any breach can result in a fine of up to 5% of global annual turnover; the magnitude of the fine will depend on the level of data protection measures implemented by the offending organisation. It is clearly in a company's interest to ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General, commented: "If you think compliance is expensive, try non-compliance."

Unified Communication

Unified Communication (UC) is the integration of real-time enterprise communication services with existing IT applications and services. UC includes voice and video calls, Instant Messaging and presence information (showing the availability of colleagues). UC is designed to improve the effectiveness of business communication, both within an organisation and with a business's customers and partners.

The full benefits of UC are gained only when the service is extended beyond the bounds of an organisation's network to connect remote users on mobile or fixed-line devices and to extend the service to third parties. UC is implemented on IP networks and can share those networks with data services, social collaboration platforms and email systems. This brings communication services such as voice and video into the IT realm. This, plus the fact that UC services will inevitably carry sensitive and personal data, means that UC is subject to the same compliance regulations as any data service. All UC deployments must therefore be protected with effective security measures.

The protocols used to deliver UC are complex. This complexity, plus the real-time requirements of UC, means that the security measures deployed must be tailored to meet UC-specific security threats; standard data security measures are not sufficient. The security and compliance problems are not confined to UC. Recent reports show that both cellular networks [4] and the global SS7 phone network [5] are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages. The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UC system that meets compliance requirements protects all real-time communications.

Steps to Ensure UC Compliance

As we have seen, compliance obligations extend beyond the financial sector and involve more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality of personal information. As the EU directive states, personal data must be kept safe and secure from potential abuse, theft or loss. If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UC services, the latter including all voice, video and IM communication.

Compliance for UC is a process; the key steps in this process are:

1. Understand which of the many regulations apply.
2. Audit your UC and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security measures (firewalls, VPNs etc.) do not adequately protect UC applications.
4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information.
5. Review the need for call recording; any financial sector organisation subject to MiFID will need to implement this if not already obliged to do so by other regulations.
6. Implement an effective UC security system which meets the compliance requirements.

UM Labs can support this process by analysing an existing UC system and assessing the security measures in place to protect that system. UM Labs have also developed the UC Security Platform, which is designed to protect UC systems and to provide a number of features to support UC compliance.

[4] http://tinyurl.com/pwbv9o2
[5] http://tinyurl.com/pukfnz3

The platform is designed to work with most UC systems, including Microsoft Lync, and with all popular IP-PBX systems, and will secure local, remote and roaming user connections. The platform has been audited by European telecom providers needing a solution to a growing compliance problem. As a result, and after two years of testing, UM-Labs was selected as a key component to provide compliance for national telecom providers. The platform is designed to meet the following compliance goals:

- To protect from attack on three levels: network, application and content.
- To protect UC systems from attacks, including Denial-of-Service (DoS) attacks. See the UM Labs white paper, Combating Denial of Service Attacks for VoIP and UC [6], for further details on DoS attacks.
- To provide auditing functions to record all attacks on the system and to record the corrective action taken.
- To provide alerts when the system is attacked.
- To provide encryption services to protect voice, video and IM communications.
- To enable the recording and secure storage of calls, including encrypted calls, to meet compliance and legal intercept requirements.

[6] http://tinyurl.com/kkmlby7

About UM-Labs

"UM-Labs work to protect your business from criminal interference."

Cyber security is the fastest growing challenge in today's world of the Internet. Every day, 24 hours a day, there is a breach, a theft of data, eavesdropping on phone calls and video calls, on messaging (IM) and even on your location. Businesses have in the past tried to control attacks with outdated computing techniques, and this legacy is set against a backdrop of keeping in with the status quo. The thirst for Internet content and the fast growing use of cloud technology increase the volume of criminal cyber-attacks on video chat, Internet phone calls, IM and location. Over 234 million people use these communication services in business every day; a 21st century solution is required to protect and manage them, and if not, your business is at risk.

UM-Labs is a creative and advanced R&D company with experts in computer security software design, smart mobile technology and cloud computing. The cloud solution is a unique layer of real-time security software. It protects and encrypts Internet communications across all of the cloud variants, is easy to install and scales to thousands of users from one virtual server, with compliance-tested and certified customer reference sites in Europe and the US.

Contact: www.um-labs.com or marketing@um-labs.com