New guidance on telecoms network and service security issued

Out-Law News | 27 Oct 2014 | 3:30 pm | 2 min. read

Telecoms operators have been advised to control more tightly the way they procure services from third parties to address security risks that could affect their network or services.

The European Union Agency for Network and Information Security (ENISA) said telecoms providers should set a security policy for all procurements and ensure they follow it.

Suppliers should not be engaged to provide products or services without those arrangements being subject to contractual controls, ENISA said. The contracts should detail the security requirements the suppliers must meet, it said.

The recommendations were contained in new guidelines on telecoms network and service security. The guidelines set out in more detail what the companies need to do to comply with their obligations on network and service security and integrity under EU law.

According to the guidelines, telecoms providers should put in place controls that mean people cannot access networks and information systems without passing through an authentication procedure. Only authorised individuals with unique identification details should be able to access the networks or systems, ENISA said. The precise authentication measures required should depend on the level of access telecoms providers are prepared to grant to individuals, it said.

Telecoms providers should maintain "access logs" in which details of users' access to systems are recorded, and should test and report on "access control mechanisms", ENISA said.

"Critical systems" should be subject to regular "security scans and security testing … particularly when new systems are introduced and following changes", ENISA advised.

Telecoms companies should also have "an incident detection capability" that enables them to identify when security incidents have occurred. The capability should conform to industry standards and "appropriate incident reporting and communication procedures" should be set out to ensure regulators and customers are informed about the incidents when required, it said.

ENISA also called on telecoms companies to create a "disciplinary process" that allows them to hold individual employees "accountable for security breaches caused by violations of policies". Staff could be made subject to specific rules on security issues, or be handed certain responsibilities, it said, and this information could be set out in the employees' employment contracts.

Telecoms operators were also advised to adopt "contingency plans and a strategy for ensuring continuity of networks and communication services provided" if their network or services are hit by a security incident. The companies should also have a recovery plan that they can follow to restore services should they experience an outage caused by natural or other major disasters.

ENISA recommended that telecoms providers "exercise and test backup and contingency plans to make sure systems and processes work and personnel is prepared for large failures and contingencies".

In the UK, the Communications Act places telecoms companies under an overarching obligation to protect the security of the network or services they provide. They "must take technical and organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services". This includes taking steps to ensure that the impact of any security incidents on customers is prevented or minimised.

Telecoms network providers are required to inform regulator Ofcom if they suffer a breach of security that "has a significant impact on the operation" of their network or if there is a "reduction in the availability" of their network that has "a significant impact on the network". Telecoms service providers are also required to notify Ofcom if they suffer a security breach which has a significant impact on the operation of their service.

The security rules under the Communications Act stem from the EU's Framework Directive. ENISA's guidelines are intended for national regulators to consider as they set out their own guidance on network and service security in the telecoms market. The guidelines are not binding on the regulators or on telecoms network or service providers. Ofcom set out its own guidance for UK telecoms providers in August.