I’ve been speaking to a range of stakeholders recently involved in the delivery of compliance regarding the Telecommunications Security Framework (also called the TSA). The overriding experience I’m hearing is one of consultancies using their existing approaches and processes without regard to the governance requirements of the framework implemented by the Telecommunications Security Code of Practice.
I started looking around this weekend at the approaches taken by consultancies, and have seen a range of consultancies who could indeed do with reading my article on myths in the security framework.
The real challenge here is that the code of practice and wider security framework which created it is a legal framework in which the language within it has specific legal weight. The code was laid before parliament for approval and came into force in December 2022, defining the guidance as to the measures to be taken under sections 105A to 105D by the provider of a public electronic communications network or a public electronic communications service.
What do consultancies need to do?
The following advice is given based on my experience on consulting on various compliance frameworks, including N3, CAS(T) (where I was part of the group which amended and co-authored the last version of CAS(T)), HSCN (where I was the author of the Compliance Addendum Annex A and the security aspects of the Compliance Operating Model with the wider industry community) and now the security framework itself. I’ve only reached this stage by being humble enough to understand what I don’t know and where my knowledge needed to evolve.
Understand the wider security framework and how it differs
This security framework isn’t like anything else we have seen before, and it’s clear in the amended clauses within the Communications Act 2003 that what is written in the framework will be used by any court or tribunal which sits to decide if compliance is being met. The definitions of the key assets in the code are triggers for the compliance requirements to be met, and compliance will depend on how well you have understood the requirements within your compliance strategy.
If you are unsure, then my articles are free to view here and on my LinkedIn page.
Be clear about the scope
Remember that whilst the scope of compliance is public electronic communications services and networks (PECN and PECS), it’s important to be clear about the assets in scope and whether something that is B2B for your customer may form part of a PECN/PECS for one of their customers. For more details on assets and scope, do feel free to check out my articles.
Understand that your standard approach to compliance needs to meet what is in the code and not the other way round
Cyber Essentials, NIST, Annex A from ISO/IEC 27001:2013/2017/2022 or indeed your favourite spreadsheet of controls is useful to align the wider organisation’s compliance to, but it will not be something that will allow your clients to achieve compliance by itself.
A certified Information Security Management System can be a good vehicle to support compliance with the code, but it will require the code to be included as an external context, and the content of the key concepts from section 2, the technical guidance measures from section 3 and the indicators of good practice from the Cyber Assessment Framework in Annex C to be referenced in your statement of applicability.
Policies from the NIST 800-53 catalogue can be used to support compliance with the code, but again you will need to ensure that the policies meet the requirements of the areas detailed above.
Ensure that you are creating the governance framework which the security framework depends upon
You might have the smartest compliance approach/technology, but unless your approach/technology is meeting an outcome within the code then your client will struggle in responding to the governance requirements from Ofcom. Ofcom is asking what the governance approach to meeting the technical guidance measure is, and not just what technical control is being used.
Ensure that you are not crying wolf about fines
I wholly understand that it’s tempting to sell your wares based on the fine regime, but failure to meet a part of the code doesn’t necessarily mean a fine if your client can show that they are managing the risk in another way. It’s your job to advise them on this, so please ensure that your approach is meeting defined objectives, with mitigations where those objectives can’t be fully met.
Summary – this is a change of approach, be the agent for change with your clients
This is the first legally enforced security framework within the UK. Take the opportunity to be humble enough to recognise what needs to change in your approach and where your knowledge needs to evolve to leverage the opportunity. Having clients who understand the outcomes they are trying to meet will ensure better decisions through good quality guidance.