Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation

  • Conference paper
Systems, Software and Services Process Improvement (EuroSPI 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 364)

Abstract

Current European regulation on public communications networks requires that Telecommunications Service Providers (TSPs) take appropriate technical and organizational measures to manage the risks posed to the security of their networks and services. A key difficulty in this process is the risk identification activity, which consists of determining which risks are relevant given the business operated and the architecture in place. The same difficulty arises when selecting relevant security controls. The research question discussed in this paper is: how can a generic Information Security Risk Management (ISRM) process and its practices be adapted to the telecommunications sector? To answer it, a four-step research method has been established and is presented in this paper. The outcome is an improved ISRM process in the context of the telecommunications regulation.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mayer, N., Aubert, J., Cholez, H., Grandry, E. (2013). Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation. In: McCaffery, F., O’Connor, R.V., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2013. Communications in Computer and Information Science, vol 364. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39179-8_2

  • DOI: https://doi.org/10.1007/978-3-642-39179-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39178-1

  • Online ISBN: 978-3-642-39179-8
