Telecom organizations provide services by deploying different transmission media (radio, copper, fiber). In some cases infrastructure is shared between providers, and it is certain that external partners have access to telecom equipment. On top of that, the information transmitted through telecom infrastructure is classified as top secret. The standard ISO 27011:2016 is addressed exclusively to telecom organizations; it specializes the security controls in order to manage these particularities and safeguard the three principles of information security (confidentiality, integrity, availability).
The specialized security controls cover the following areas:
Roles and responsibilities: one member of upper management is responsible exclusively for risk assessment of the telecom infrastructure. All staff with access must be properly trained.
Contact with authorities: lifting of communications secrecy and any evidence collection must be carried out only under strict conditions and well-defined procedures based on national regulation.
Screening: additional checks are required when hiring new staff (recommendation letters, criminal record).
Access control: access must be granted according to the role of the employee or external partner. All access must be logged, and any work performed by external partners must be supervised.
Physical security perimeter: data centers must be equipped with alarm and video surveillance systems. In shared data centers, telecom equipment must be isolated from customer equipment (separate room, cage). At headquarters there must be a security post with bulletproof glass, and every object must be scanned to prevent terrorist or criminal action.
Physical access: all visitors must be issued access cards limited to spaces that contain no telecom infrastructure, and must be escorted by an employee.
Change management: any change must be completed within the maintenance window, defined as the period of lowest traffic. Changes should be avoided when standby personnel are understaffed (summer vacation, Christmas).
Compliance with legal and contractual requirements: this addresses topics such as service levels, the provider's obligations, customer rights, evidence archiving (recorded phone calls, e-mails, CDRs), customer notification of scheduled work or outages, and emergency plans (fire, earthquake).
Network protection: network monitoring and deployment of measures to prevent congestion and malicious attacks (DDoS).
ISO 27011 is not itself certifiable. However, it includes all the security controls that are inspected and must be fulfilled if a telecom organization wishes to be certified against ISO 27001.
Would you like to discuss your needs so we can provide you with the right solutions?
Mrs. Lily Mylona,
Sales Director, PRIORITY
T. 210 2509900