I read Matt Warman’s article in CityAM this morning regarding the impending regulation to enforce the Telecommunications Security Regulation (or Framework) through the Telecommunications Security Bill with interest, given that the following statement was attributed to him:
The telecoms industry is responsible by law for the security of these networks, but commercial business models are failing to incentivise best practice — particularly where there is an impact on cost or investment decisions. This is unacceptable and it now falls on this government to raise the security bar.
Is security part of the telecoms industry DNA?
It’s a very bold statement to make, given that the collaborative approach by industry to deliver two versions of the CESG Assured Service (Telecommunications), also known as CAS(T), produced a joint approach between the NCSC and the telecommunications industry to create a certification scheme for telecommunications.
Mind the gap
Indeed, the closure of the CAS(T) scheme to new entrants and the removal of oversight or audit has created a gap that will not be addressed by the new Telecommunications (Security) Bill:
CAS(T) was designed for a different requirement and for different customers (see the blog on CAS(T)’s history for more).
Is the telecoms industry capable of meeting the challenge?
Mr Warman MP has very strong views on the ability of industry to build on this ecosystem:
We must strengthen the way public telecoms providers design, build and manage the architecture beneath the millions of calls, messages, emails and files we share every day. There is simply too much at stake to entrust the market to come up with a solution to this global issue.
Given that the Health and Social Care Network (HSCN) provides a compliance operating model which has strengthened the CAS(T) security procedures, supports a thriving and diverse marketplace, and has resulted in migration away from single-supplier solutions, saying that industry is unable to make the changes required to deliver a secure service ecosystem is again very bold, especially when there is a recognised gap between the coverage of the old CAS(T) approach and the new TSR one.
Is the network important anyway?
It’s interesting that the security of the network is under such sharp scrutiny, given that the Government Digital Service (GDS) network principles make it clear that protection of the application matters more than protection of the network:
Implement encryption at the most optimal point for performance and cost. Application encryption is better optimised, needs less infrastructure and is easier for the user to verify than network encryption.
If not security then what is important?
The key to the use of any network service is to ensure that it meets the needs of the user. This is again covered in the network principles, where bandwidth, availability, resilience, class of service (CoS), quality of service (QoS) and price are all listed as requirements for consideration.
Governance is the key
So the issue is really one of governance at the customer end, rather than purely of security on the network platform. COVID-19 has brought the governance of organisations into sharp focus; as my article at the start of the year highlights, if an organisation didn’t use its compliance approaches and management systems to guide its actions, then the organisation’s governance is not working.
I hope that any regulation in this space starts with a link into what is already published, to allow organisations to realise that any burden is not due to new things being created but is the culmination of inaction in implementing what is already there now.
So what should be done now?
So what should organisations do now to prepare for this regulation?
I would recommend:
- If you weren’t able to use your ISMS or BCMS to guide you during your COVID-19 response, identify why that was the case and capture the actions to address the gaps.
- Identify all company data being uploaded to, and processed by, Cloud services.
- Consider what physical security and internet connectivity is available from the remote working environment and whether any further action is required to manage risks (i.e. how much do you rely on central systems in the office locations that aren’t there at the remote working location).
- Consider if changes are required to security policies.
- Consider what control you have over the data on personal devices and how much control you wish to have over the device (and what impact that might have on staff if you wipe the entire device).
- Ensure that you can extract the company data held within the Cloud services and you can obtain evidence that it has been deleted.
- Ensure that the company data held within the Cloud service isn’t used for anything other than your own purposes.
- Assess the endpoints and remote working solutions (e.g. Cloud, VPN etc.) against the GDPR 12 steps guidance for data protection.
- Assess the endpoints and remote working solutions (e.g. Cloud, VPN etc.) against the NCSC 10 steps guidance for cyber security.
- The above assessments will give you 30 areas to assess against, from which you should be able to identify your gaps as they stand in your use of remote working today and create a plan of action to address them.
- Ensure that all endpoints you use for processing company data are still supported with the latest security updates (i.e. for iOS devices, nothing older than an iPhone 6s or iPad Air 2, with iOS 13 installed; no Android device earlier than Android 8.0 (Oreo); and no Windows device not running Windows 8 or above).
- Ensure that any endpoint not running iOS has anti-malware installed which updates daily.
- Ensure that all endpoints have the latest updates applied.
- Ensure that you follow NCSC password guidance.
- Ensure that you are using two factor authentication (sometimes called Multi-Factor Authentication) enforced on any Cloud service you are using.
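As an added example (not code from the original article), the following Python script applies the endpoint rules from the list above to a device inventory: the minimum OS versions stated (iOS 13, Android 8.0, Windows 8), latest updates applied, and daily-updating anti-malware on any endpoint that is not running iOS. The endpoint records, the reference date and the field names are constructed for the example; the hardware-model thresholds (iPhone 6s, iPad Air 2) are not encoded, only the OS version check.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Minimum supported OS versions taken from the recommendations above,
# expressed as version tuples (an assumption about how to encode them).
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "ios": (13,),
    "android": (8, 0),
    "windows": (8,),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.0', '13.4.1' or '10' into a comparable tuple of ints.

    Parsing stops at the first dotted component that does not start with a
    digit, so '10.0.19041-beta' becomes (10, 0, 19041).
    """
    parts: List[int] = []
    for token in text.split("."):
        digits = ""
        for ch in token:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(ver: Tuple[int, ...], minimum: Tuple[int, ...]) -> bool:
    """Compare versions after zero-padding so that (8,) is not below (8, 0)."""
    width = max(len(ver), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(ver) >= pad(minimum)


@dataclass
class Endpoint:
    name: str
    platform: str              # "ios", "android" or "windows"
    os_version: str
    patches_current: bool      # latest OS/security updates applied
    av_installed: bool = False
    av_last_update: Optional[date] = None


def assess(ep: Endpoint, today: date) -> List[str]:
    """Return the list of gaps for one endpoint (empty list means compliant)."""
    findings: List[str] = []
    platform = ep.platform.lower()
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        findings.append(f"unknown platform '{ep.platform}': support cannot be confirmed")
    elif not version_at_least(parse_version(ep.os_version), minimum):
        findings.append(f"{ep.platform} {ep.os_version} is below the minimum supported version")
    if not ep.patches_current:
        findings.append("latest updates not applied")
    if platform != "ios":
        # Non-iOS endpoints need anti-malware that has updated within the last day.
        if not ep.av_installed:
            findings.append("no anti-malware installed")
        elif ep.av_last_update is None or (today - ep.av_last_update).days > 1:
            findings.append("anti-malware not updated within the last day")
    return findings


def assess_inventory(inventory: List[Endpoint], today: date) -> Dict[str, List[str]]:
    """Map endpoint name -> findings, keeping only endpoints with at least one gap."""
    report = {ep.name: assess(ep, today) for ep in inventory}
    return {name: gaps for name, gaps in report.items() if gaps}


# Constructed sample inventory and reference date for the example.
REFERENCE_DATE = date(2020, 6, 1)
SAMPLE_INVENTORY = [
    Endpoint("laptop-01", "windows", "10.0.19041", True, True, date(2020, 6, 1)),
    Endpoint("laptop-02", "windows", "7.0", True, True, date(2020, 5, 20)),
    Endpoint("phone-03", "ios", "13.5", True),
    Endpoint("phone-04", "android", "7.1", False, True, date(2020, 6, 1)),
    Endpoint("tablet-05", "ios", "12.4", True),
    Endpoint("phone-06", "android", "8", True, False),
]

if __name__ == "__main__":
    for name, gaps in assess_inventory(SAMPLE_INVENTORY, REFERENCE_DATE).items():
        print(name)
        for gap in gaps:
            print(f"  - {gap}")
```

Running the script prints only the endpoints with gaps, so the output is directly usable as the action list the recommendation asks for; feeding it a real inventory export is a matter of replacing `SAMPLE_INVENTORY` with records built from that export.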
What should I consider for the medium term?
Depending on whether you intend your move to the Cloud to be permanent, the following guidance areas are very useful:
- GDS modern network guidance is very good for considering the risks arising from the use of Cloud services, even though some of it is specific to the public sector.
- The NCSC has great guidance on Cloud service security and end user device configuration.
- The NCSC and ICO have published GDPR security outcomes which define the security of processing under the applied GDPR, and this should be viewed as the next step after complying with the GDPR 12 step guidance.