Summary: This document reviews the implementation of an ISO 17799:2000-based information security management system (ISMS) in the National Telecommunication Administration of Uruguay (ANTEL) and its subsidiaries.
INTRODUCTION
ANTEL is a state-owned company and the leader in every telecommunication market segment in Uruguay, with an annual turnover of over US$500 million. Most opinion polls characterize it as the best national company, public or private.
In addition to providing fixed and cellular telephony and data services, it carries out important information technology (IT) activities, promoting the Uruguayan state portal and telecommunications and IT education projects at over 1000 educational sites nationwide.
The project reviewed here is known as “ANTEL’s Information Security Program.” Its initial stages were executed with advice from the firm PricewaterhouseCoopers, which has described it as a worldwide success. This review also covers the subsequent actions taken by ANTEL’s information security management and the main objectives achieved.
DESCRIPTION OF THE TECHNOLOGICAL INFRASTRUCTURE OF ANTEL AND ITS SUBSIDIARIES
The National Telecommunication Administration has a complex and changing IT infrastructure, with numerous platforms and multiple interconnections, owing to the types of services ANTEL provides. Exchanges of information among the systems that these platforms support are sometimes key to the continued existence of a business; they must therefore be possible on an ongoing basis, with their security and confidentiality ensured.
ANTEL grows on the basis of specialized knowledge and has eight different subsidiaries and/or divisions that make intensive use of IT services and systems. For example, it operates two mainframes, AS/400 equipment, over 200 servers running different operating systems, 60 specialized digital fixed and cellular telephony switches, the equipment supporting Uruguay’s largest ISP infrastructure, etc.
The impact of the firm and its services on the national community can be appreciated by visiting ANTEL’s website: www.antel.com.uy
BACKGROUND
In ANTEL, the decision to implement the information security program was taken for two reasons:
1. Management needed to exercise greater governance over the different technological operating divisions; and
2. When relevant security incidents occurred, the operating divisions recognized the need for such a program in order to achieve greater capacity and effectiveness in responding to those incidents.
DEVELOPMENT OF THE SGSI (ISMS) IMPLEMENTATION PROGRAM
Initial efforts began by “getting to know the firm,” identifying the information system components that would serve as the basis for developing and implementing the security program within it. This task followed a “top-down” approach: it began by interviewing the most senior staff member with responsibility in this area, who referred the more specific questions to subordinates. Over 50 technical and managerial meetings with different players within the firm were needed in this process.
In stages, and by gathering the different types of information handled by ANTEL’s various divisions, the following were identified:
- Critical information system
- The business’ processes and initiatives
- Matrix of technologies and strategies, indicating the specific security aspects derived from each technology
- List of the main threats, risks, and weaknesses identified (at the business level)
- List of the main threats, risks, and weaknesses identified (inherent in the technological strategy)
- Risk matrix
With the aim of keeping the survey less complex, one matter left unresolved at this stage was the one-to-one (biunivocal) assignment of a responsible party to each asset. These assignments therefore had to be made later, which led to a certain reactive behavior on the part of the management of the operating divisions.
At each of these stages, a series of documents was produced for approval by the Board of Directors:
- ANTEL’s mission with regard to security
- Critical information system
- Information classification
- Security model
- Risk areas
Thus, with a first version of the “Information Security Policies” document prepared and approved by the Board of Directors, the next phase of the Information Security Program was launched.
The strategy for implementing this phase and spearheading the process of change was based on four main lines:
1. Definition of information security policies in accordance with the ISO 17799:2000 standard, and their corresponding adoption by the Board of Directors.
2. Establishment of a more comprehensive multidisciplinary team to serve as the “nerve center,” whose initial task was to authorize all interconnections needed among the different platforms of the networks and services and to provide advice on technological solutions enabling the best available practices to be incorporated. This team, known as CONYSEC, remains in place to this day, in accordance with the provisions of the standard BS-7799:2.
3. Generation of a far-reaching dissemination, training, and instructional plan.
4. Development of a balanced scorecard for the information security management system.
The above-described strategy was organized entirely on the basis of the Project Management Institute (PMI) project methodology and its associated bibliography.
INFORMATION SECURITY POLICY
Having a set of Board-approved policies was recognized as a principal step in providing guidance to, and alignment of, the different players, and in lending legitimacy to the security team when directing standardization efforts on information security-related topics.
After the different possibilities had been examined, it was decided, on the basis of a detailed cost-benefit study, to propose those information security policies with which compliance would be most difficult. It was recognized that such a proposal would create a major gap between the initial situation and the target situation described by the policies proposed for adoption.
Following their evaluation by numerous divisions and endorsement by the Legal Division, ANTEL’s information security policies were approved by its Board of Directors on November 4, 2004.
The document is lengthy, approximately 90 pages, and dwells at length on best practices in security organization for different IT environments, discussing all the usual aspects of the aforementioned standard.
Since January 2006, information security management has designed and implemented a control system for the information security management system, used to control, disseminate, and evaluate the progress of activities in four areas:
1. Compliance with the timetable of information security projects.
2. Compliance with the timetable for the development of corporate security procedures.
3. Compliance with ANTEL’s information system auditing plan.
4. Fulfillment of the indicators for response time and number of information security inquiries.
To address these needs, multidivisional teams have been developed:
- CONYSEC: This multidisciplinary technical team was established to give information security management a single point at which to learn of connectivity requirements between networks and systems, and to serve as a consulting group that analyzes such connectivity and makes recommendations based on the best available practices.
- CSIRT: ANTEL’s Information Technology and Telecommunications Incident Response Team.
These teams provide proactive (CONYSEC) and reactive (CSIRT) interaction which, together with the audits, the inquiry response system, the training plan, and the Procedural Security Unit’s security recommendations, constitute a set of communication channels considered highly effective.
CONCLUSION
Although implementation of the information security program is a long-term process that is still being developed and modeled, its progress is considered highly satisfactory in terms of effectiveness, as it has achieved far more than the objectives set during initial planning. It has had a positive impact on recovery time in cases of IT problems, and many changes are being made to achieve better security organization in the projects promoted by the different administrative divisions.
Eduardo Carozo Blumsztein
Mgt. CIs
Information Security Manager
ANTEL