our enterprise security Empowering business



Similar documents
IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Why Should You Use Sahana Eden?

HSMS. Group Health AND Safety Management System

Information Security Management System for Microsoft s Cloud Infrastructure

SECURITY. Risk & Compliance Services

Security Controls What Works. Southside Virginia Community College: Security Awareness

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Cybersecurity The role of Internal Audit

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Securing the Microsoft Cloud

INFORMATION SECURITY STRATEGIC PLAN

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Security. Security consulting and Integration: Definition and Deliverables. Introduction

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Business Continuity in Healthcare

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Securing the Cloud Infrastructure

Overview. Emergency Response. Crisis Management

Developing National Frameworks & Engaging the Private Sector

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

Prepared by Rod Davis, ABCP, MCSA November, 2011

Governance, Risk, and Compliance (GRC) White Paper

How we manage our business

Governance and Management of Information Security

National Cyber Security Policy -2013

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Securing the Microsoft Cloud

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

TELUS Business Continuity Program past and future

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Information Security Risk Management

Cisco SAFE: A Security Reference Architecture

defense through discovery

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Risk Considerations for Internal Audit

Cybersecurity. Are you prepared?

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Information Security Management System Policy

BUSINESS CONTINUITY POLICY

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

Guiding principles for security in a networked society

Globe Telecom, Inc. Preparations for the Big One

Attachment A. Identification of Risks/Cybersecurity Governance

Information Security Management System Information Security Policy

Business Continuity Planning

Integrated Risk Management. Balancing Risk and Budget

SAP Product and Cloud Security Strategy

Intel Business Continuity Practices

TRUE. BLUE. DONE. Health, Safety and Environmental Management System (HSE MS)

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Bridging the HIPAA/HITECH Compliance Gap

Continuity of Business

Cyber Security solutions

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Business Continuity Management Policy

BUSINESS CONTINUITY PLAN OVERVIEW

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

Information security controls. Briefing for clients on Experian information security controls

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Operational security for online services overview

Blending Corporate Governance with. Information Security

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Preparing for the Convergence of Risk Management & Business Continuity

Cybersecurity and internal audit. August 15, 2014

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

The PNC Financial Services Group, Inc. Business Continuity Program

TUSKEGEE CYBER SECURITY PATH FORWARD

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Earning Your Security Trustmark+

Business Continuity Management Framework

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

SHARING BEST PRACTICES IN INFORMATION SECURITY PREVENTION TIPS & RESPONSE TECHNIQUES

Building and Maintaining a Business Continuity Program

Microsoft s Compliance Framework for Online Services

Terms of Reference PUBLIC PERCEPTION SURVEY. Office of Disaster Preparedness and Emergency Management

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Company Management System. Business Continuity in SIA

fs viewpoint

The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition AH

Policy : Enterprise Risk Management Policy

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Transcription:

our enterprise security Empowering business

Introduction Communication is changing the way we live and work. Ericsson plays a key role in this evolution, using innovation to empower people, business and society. This document is intended to provide the reader an overview of how Ericsson addresses the different aspects of our Enterprise Security, i.e. Personal Security, Asset Protection and Product Security. Any additional questions after reading this document on our Enterprise Security should be sent to Ericsson via http://www.ericsson.com/contact Ericsson manufactures and supplies products on the basis of international standards such as 3GPP (wireless) and best architecture practices such as ITU-T recommendation X.805. Business operations including managed services are carried out in line with the ISO/IEC 27001 Information Security Management standard. Ericsson believes that security is crucial for maintaining and enhancing stakeholder confidence by: We are evolving from a mainly transactional relationship of managing security KPIs into truly becoming a part of the customer s business. Customers should rest assured that Ericsson treats their business as we do our own. This leads us to increased customer collaboration and greater complexity in our customer relationships. Today Ericsson has the telecom industry s most comprehensive managed services offering. Activities range across designing, building, operating and managing dayto-day operations of a customer s network. We manage networks that serve more than 750 million subscribers in more than 100 countries. Personal Security Doing all that can be done to ensure the wellbeing and safety of Ericsson s personnel and disaster response efforts Asset Protection Protecting the information and physical assets for which Ericsson are custodian (our own, our customers and partners ) Product Security Providing products which are resilient to serious threats presented by the evolving telecom landscape and assisting with security services to ensure our customers assets are well defended Ericsson s business is driven by speed and simplicity. Our growth and success lies in our ability to collaborate and build partnership, while knowing and acting on inherent security risks. Security should provide the right balance of risk taking versus risk mitigations. Due to the ongoing evolution of the worsening threat landscape, it is important to align security mechanisms through proper risk management processes, instead of relying on isolated security controls. Security risk management in daily operations is always under improvement and regular reviews take place to ensure the effectiveness of controls, including assessing any new threats and vulnerabilities. Ericsson is in a leadership position today, but we have to evolve to meet our customers expectations. Security should provide the right balance of risk taking versus risk mitigations. Respect, including respect for the privacy of individuals, is one of our core values to be complied with by all employees in their work for Ericsson. We are committed to protecting the privacy and confidentiality of personal information, including, but not limited to employees, contingent workforce, customers, and end-users. As the relationship with customers is becoming more complex we are proud of having a world-wide organization of security professionals supporting account managers in dealing with whatever security concerns our customers may have.

Personal Security We are committed to ensure a safe working environment and healthy workplaces around the world. We have a comprehensive organization and supporting tools to assist personnel in our business activities should an emergency occur. All personnel have access to a dedicated 24/7 emergency number and the latest travel advisories for all countries which we operate in. Personnel who are exposed to threats shall be given adequate personal protection. Following the 9/11 attack and the Thailand Tsunami 2004, the need to instantly know who is where became evident. On Group level we have access to travel details for most of the business travelers. We are proud to say that today we are able to reach almost all staff with immediate warning SMS or request travelers to confirm health status and location. We strongly believe that a crisis situation is best handled locally by the affected organization s CMTF. At Group level the Group Crisis Management Council (GCMC) is the supervisory body which monitors and supports CMTF actions. Many successful tasks have been carried out including evacuation of staff from places of unrest, rescue operations from earthquake-hit areas, etc. We are taking every opportunity to improve by reviewing lessons learned following all major crisis situations that have occurred. Disaster Response Efforts While we as individuals cannot do much about specific events, we can do something about the aftermath. When there is a human need to communicate Ericsson is there. However, even with the current high level of Ericsson knowledge relating to travelers whereabouts, we are constantly seeking to improve by increasing coverage, both in terms of the number of travelers and also geographical area. When an incident is perceived as crisis, Ericsson s crisis management organization takes action. Regions within Ericsson all have a Crisis Management Task Force (CMTF) to deal with severe incidents not managed by normal incident management procedures. Crisis Management We manage a crisis situation in accordance with applicable steering documents and actions are prioritized to remove or minimize threats to life and safety. Our priorities in a crisis are: 1. Removing threats to life or safety 2. Protecting the commercial interest of Ericsson 3. Protecting the brand 4. Ensuring that Ericsson is acting as a responsible corporate citizen The following diagram outlines our crisis management organization. The Ericsson Response program is based on Ericsson s previous involvement and experience in various disaster response efforts throughout the world and is run in collaboration with several United Nations organizations, the International Federation of the Red Cross and the Red Crescent (IFRC), Save the Children and other partners. Ericsson Response was founded in April 2000 at the request of company employees who wanted to use their experience and skills in disaster relief situations on a voluntary basis. Since then hundreds of Ericsson employees from all global regions have volunteered, been trained and deployed in various disaster relief operations. >> Group Crisis Management Council (GCMC) Manages crisis on Group level >> Crisis Management Task Force (CMTF) Manages crisis on Regional and Business Unit level >> Customer Units, Company/site crisis teams Manage crisis in the country or on the site

Asset protection We provide support for networks with over 2 billion subscribers and we manage networks serving more than 750 million subscribers. In addition, we handle many trade secrets in our daily operations. This responsibility, entrusted to us by our customers and partners, has led Ericsson to cultivate strong capabilities in the area of asset protection. Ericsson is convinced that meeting the challenging business demands to protect assets that we own, or have been entrusted with, involves the implementation of security frameworks which augment our day to day operations. These frameworks are supported by top level management and are clear on roles and responsibilities. Information Security, Physical Security and Business Continuity are all in scope for such frameworks, resulting in consistent, efficient and cost effective Enterprise Security. Information Security The Information Security Management (ISM) framework defines how we manage information security in alignment with the international information security management standard ISO/IEC 27001. However, when there is a clear business value and/or a customer request, Ericsson will proactively acquire ISO/IEC 27001 certification within defined and prioritized scope. Correct access to correct information at the right time is at the core of Ericsson s business. The human factor plays an important role in protecting information. All staff is regularly trained in basic security practices and Ericsson utilizes ongoing information campaigns to keep everyone informed and up to date. One important contributor to achieving an advanced level of information security is IT-security ensuring that IT systems perform as expected and have the sufficient capability to protect information. Security controls that we have implemented are based on industry best practices and general standards, such as CobiT (used for the SOX ITGC controls), ISO 27001, NIST 800-53, privacy laws, and other applicable regulations. Experience to date has proven their effectiveness, attested to by various activities including penetration testing and external audits. Purpose of this session >> Raise awareness on Information Leakage. >> Understand connection between risk of information leakage and your position. >> Become more risk conscious and know how to act. Two can keep a secret if one of them is dead Confucius 500BC Information security awareness training is an essential part of the ISM framework. All leadership teams, employees and external workforce are targeted for regular awareness activities. Physical Security The Physical Security Management framework defines how we manage physical security. As a global organization we have a long tradition of defining and implementing physical security controls to counter the wide and varied array of threats. Physical Security includes protection against unauthorized access, fire and other hazards. Now we are in a phase of aligning physical security management with information security management in order to satisfy requirements set out by ISO/IEC 27001. The physical security framework is executed locally to achieve cost effectiveness taking local threats and vulnerabilities into account. Business Continuity We feel that there is a high sense of urgency for Business Continuity Management (BCM) due to events such as pandemics, ash-clouds, severe storms and acts of violence. We have seen an increase in awareness and demands for BCM from customers and other stakeholders which we address by Ericsson s BCM framework. We are proud to announce that our external auditors, DNV, PWC and E&Y are supporting this BCM framework approach and that it has been deployed throughout the organization.

Product Security Product Security is the capability embedded in our products to support secure network operation by preventing damage from threats such as denial-of service attacks, theft or manipulation of network data. We manufacture and supply our products on the basis of international standards for the management of telecommunication products, such as 3GPP and best architecture practices such as ITU-T X.805 recommendation. Network operators and service providers must adapt to a continuously changing risk landscape and vendors must provide appropriate security in their products, solutions and services. We are actively adapting our products as networks evolve, based on best practices and our own experience of network operations. Thus best of breed products and operational experience are embedded into Ericsson s offerings. Product Security is the capability of the products to support secure network operation. The evolving networks and changing threat scenarios demand appropriate measures to be taken during the product development process. These measures enable us to ensure the required level of product security. Although the required level of product security shall always be determined in a business context we also have Generic Baseline Security Requirements Security Design Rules Security in Depth The Generic Baseline Security Requirements are based on existing best practices in the industry and what is normally expected as the inherent level of security in telecom products. to provide a basic security level that is in balance with the risks faced and our customers explicit and implicit expectations. Apart from security functionality implemented in the product itself, hardening and vulnerability analysis is part of the development process. In achieving the required level of product security, Ericsson is using well defined Generic Baseline Security Requirements and Security Design Rules that are regularly updated to match the changes in technology, regulations and business. The Security in Depth principle, which can be summed up by the term belt and braces, is fundamental for the Generic Baseline Security Requirements. It is considered a fundamental security principle for products supplied by Ericsson and is based on many complementary security mechanisms arranged to support each other. Telefonaktiebolaget LM Ericsson SE-126 25 Stockholm, Sweden Telephone +46 8 719 0000 Fax +46 8 18 40 85 www.ericsson.com 284 23-3159 Uen Telefonaktiebolaget LM Ericsson 2011

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information