Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation

  • Nicolas Mayer
  • Jocelyn Aubert
  • Hervé Cholez
  • Eric Grandry
Part of the Communications in Computer and Information Science book series (CCIS, volume 364)


The current European regulation on public communications networks requires that Telecommunications Service Providers (TSPs) take appropriate technical and organizational measures to manage the risks posed to the security of networks and services. However, a key issue in this process is the risk identification activity, which roughly consists of defining which risks are relevant to the business operated and the architecture in place. The same problem appears when selecting relevant security controls. The research question discussed in this paper is: how can the generic Information Security Risk Management (ISRM) process and practices be adapted to the telecommunications sector? To answer this research question, a four-step research method has been established and is presented in this paper. The outcome is an improved ISRM process in the context of the telecommunications regulation.


Keywords: Business Process, Telecommunication Service, Architectural Description, Telecommunication Sector, National Regulatory Authority





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Nicolas Mayer (1)
  • Jocelyn Aubert (1)
  • Hervé Cholez (1)
  • Eric Grandry (1)

  1. CRP Henri Tudor, Luxembourg, Luxembourg
