We caught up with Rudd Apsey, Telecom2’s dedicated Chief Compliance Officer, about the importance of security and reliability within the telecoms industry, and why Telecom2 puts so much emphasis on its security certifications. The company currently holds three key security certifications (PCI DSS, ISO27001 and Cyber Essentials Plus), and is continually looking for ways to improve its security, operational procedures and methodologies.
Hi Rudd. Can you tell us a little bit about what you do as Telecom2’s Chief Compliance Officer?
My job is twofold. Firstly, I work with our compliance team, reviewing and updating over 130 policies associated with our IT infrastructure and standards. Each policy is on a rolling review programme to ensure it meets the latest security requirements. The other part of the job is to keep the directorate aware of changes in legislation, emerging threats and trends that the business could face in the future. As part of that process, we regularly update our disaster recovery plans to meet these scenarios. Business continuity and security for our customers and employees are my primary drivers.
Which security and compliance regulations do you think are the most important within this industry?
I would say the PCI DSS standard. It is written to protect cardholder data passing across our network. It covers 6 core elements, namely to:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
This standard not only ensures all of the technical architecture is operating to a very high standard of security, it also ensures card data is protected and that staff managing infrastructure are suitably qualified. All of our suppliers have to meet similar security standards of their own to avoid Telecom2 falling victim to third-party vulnerabilities.
Our PCI DSS certification is audited by BSI on an annual basis and is subject to rigorous external penetration testing. Contact centre clients handling card payments must have a PCI DSS certified supplier. Telecom2 is one of the few VoIP providers holding this prestigious standard.
Since 2020, we’ve held the ISO27001 certification. Can you tell us about this?
ISO27001 is an international standard specifying requirements for establishing, implementing, maintaining and – most importantly – continually improving information security management systems. This standard ensures a company wide commitment to managing its policies and associated risks and is based around 7 core principles:
- The context of the organisation
- Performance evaluation
How does the PCI DSS standard protect credit card data?
As payment fraud began to rise, credit card industry leaders convened to develop a common set of security standards. The PCI’s founding members—American Express, Discover Financial Services, JCB International, Mastercard and Visa—introduced PCI DSS 1.0 in December 2004. The founding members share equally in ownership, governance, and execution of the organisation’s work, and each incorporates the PCI Data Security Standard (PCI DSS) as part of the technical requirements for their respective data security compliance programs. Founding members also recognise assessors qualified by the PCI SSC.
The policy framework for the standard is based on 12 core elements each of which has a number of policies and processes in place to ensure the company is running its systems in accordance with the standard. Telecom2 and its compliance team continually review the 75 policies and their associated control measures (including risk registers) to ensure card data passing across its systems is protected at all times. This allows Telecom2 to retain its Level 2 certification status and to integrate directly with the card processing banking systems across the world.
We’ve just received Cyber Essentials Plus certification. How is this beneficial to our customers?
Cyber Essentials is a simple but effective government-backed scheme that is designed to protect organisations like Telecom2 against a whole range of the most common cyber attacks. Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, and carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks. There are two levels of certification:
Cyber Essentials:
This takes the form of a self-assessment which is then peer reviewed. The assessment covers the protection the company has put in place to mitigate a wide variety of the most common cyber attacks. Certification gives our customers peace of mind that our defences will protect against the vast majority of common cyber attacks.
Cyber Essentials Plus:
Cyber Essentials Plus confirms that the business has been subjected to penetration testing.
Penetration testing, also called ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.
And how often are our certifications updated to ensure continued compliance?
All of the standards are subject to annual independent audits; however, there is also a rolling internal audit of all of the policies throughout the year to ensure nothing is missed and policies reflect the current methodology.
Why would you recommend working with a certified company over a non-certified one?
I think the obvious one is ‘peace of mind’. Anyone who contracts with Telecom2 knows that its technical infrastructure is operating to some of the highest technical standards available to UK-based companies. The standards also drive a culture of continuous improvement, development and robust design.
How does Telecom2 stay on top of new security threats?
There are a number of ways Telecom2 keeps on top of emerging threats. Some are just good practice: updating its operating software and firmware as specified by vendors and suppliers as and when required. The company subscribes to a number of security forums that alert it to new threats but, more importantly, report on weaknesses or issues arising from security breaches occurring around the world. Our radar is on and manned 24/7 for the next emerging threat.
Disaster recovery is a hot topic at the moment. How do we ensure our clients’ businesses continue with limited impact when disaster strikes?
We have a full disaster recovery plan and a business continuity plan that, if triggered, engage the entire management team, who will initiate a well-rehearsed call-out procedure, deploying whatever resource is required to recover the situation. Differing scenarios are played out by way of desk-based simulations with team members on a quarterly basis, replicating potential events. A post-exercise debriefing and lessons learned are reworked into the recovery plan to ensure its continuous improvement.
So, what’s next on your list in terms of security and compliance?
It’s not only security compliance that the team is responsible for; our remit also covers data protection regulations, including GDPR, which in a post-Brexit world continues to be a challenge. As for what’s next, the team has recently undergone formal training for auditing our ISO 27001 policy pack. This will ensure that the processes and methodology set out in our policies are a reality and that the company is operating to the standard, including those services offered by third-party suppliers.
Want to find out more about our certifications and/or security? Get in touch with Rudd via firstname.lastname@example.org