Electronic Bulletin / Number 42 - December, 2007


Review of ANTEL’s Information Security Management System (SGSI)

Summary: This document will review the implementation of an ISO 17799:2000-based information security management system in the National Telecommunication Administration of Uruguay (ANTEL) and its subsidiaries.

INTRODUCTION

ANTEL is a state-owned company and leader in all telecommunication market lines in Uruguay, with an annual turnover of over US$500 million. Most opinion polls characterize it as the best national company – public or private.

In addition to providing fixed and cellular telephony and data services, it carries out important information technology (IT) activities, promoting the Uruguayan state portal and telecommunications and IT education projects at over 1000 educational sites nationwide.

The project to be reviewed is known as “ANTEL’s Information Security Program.” It was executed in its initial stages with advice from the firm PricewaterhouseCoopers, which has described it as a worldwide success. This review also covers the subsequent actions taken by ANTEL’s information security management and the main objectives achieved.

DESCRIPTION OF THE TECHNOLOGICAL INFRASTRUCTURE OF ANTEL AND ITS SUBSIDIARIES

The National Telecommunication Administration has a complex and changing IT infrastructure, with numerous platforms and multiple interconnections, owing to the types of services ANTEL provides. Exchanges of information among the different systems that such platforms support are sometimes the key to a business’ continued existence; they must be possible on an ongoing basis, with their security and confidentiality ensured.

ANTEL is growing based on specialized knowledge, and has eight different subsidiaries and/or divisions that make intensive use of IT services and systems. For example, it has two mainframes, AS/400 equipment, over 200 servers with different operating systems, 60 specialized digital fixed and cellular telephony switchboards, equipment to support Uruguay’s largest ISP infrastructure, etc.

The impact of the firm and its services on the national community may be visualized by visiting ANTEL’s website: www.antel.com.uy

BACKGROUND

In ANTEL, the decision was taken to implement the information security program for two reasons:

1. Management needed to exercise greater governance over the different technological operating divisions; and

2. When relevant security incidents occurred, the operating divisions recognized a need to establish such a program, so as to achieve greater capacity and effectiveness in responding to such incidents.

DEVELOPMENT OF THE SGSI IMPLEMENTATION PROGRAM

Earlier efforts began by “getting to know the firm,” identifying information system components that would serve as the basis for developing and implementing the security program within it. This task was carried out based on a “top-down” approach, which began by interviewing the top staff member with responsibility in this area, who referred the most specific questions to subordinates. In this process, it was necessary to hold over 50 technical and managerial meetings with different players within the firm.

In stages, and by gathering different types of information handled by ANTEL’s different divisions, the following were identified:

  • Critical information system

  • The business’ processes and initiatives

  • Matrix of technologies and strategies, indicating specific security aspects derived from each technology

  • List of the main threats, risks, and weaknesses identified (at the business level)

  • List of the main threats, risks, and weaknesses identified (inherent in the technological strategy)

  • Risk matrix

With the aim of making the survey less complex, one matter was left unresolved at this stage: the one-to-one assignment of a responsible party to each asset. Such assignments therefore had to be made later, which led to certain reactive behavior on the part of the management of the operating divisions.

At each of these stages, a series of documents was obtained for approval by the Board of Directors:

  • ANTEL’s mission with regard to security

  • Critical information system

  • Information classification

  • Security model

  • Risk areas

Therefore, with a first version of the “Information Security Policies” document prepared and approved by the Board of Directors, the next phase of the Information Security Program was launched.

The strategy for implementing this phase and spearheading the process of change was based on four main lines:

1. Definition of information security policies in accordance with the standards ISO 17799:2000, and their corresponding adoption by the Board of Directors.

2. Establishment of a more comprehensive multidisciplinary team to serve as the “nerve center,” whose initial task was to authorize all interconnections needed among the different platforms of the networks and services and to provide advice on technological solutions enabling the best available practices to be incorporated. Thus far, this team, known as CONYSEC, remains in place, in accordance with the provisions of the standard BS-7799:2.

3. Generation of a far-reaching dissemination, training, and instructional plan.

4. Development of a balanced scorecard for the information security management system.

The above-described strategy was organized entirely on the basis of the Project Management Institute (PMI) project methodology, and associated bibliography.

INFORMATION SECURITY POLICY

Having a group of Board-approved policies was recognized as a principal step in providing guidance to and alignment of the different players, affording legitimacy to the security team in directing standardization efforts on information security-related topics.

When the different possibilities had been examined, it was decided to propose those information security policies with which compliance would be most difficult, based on a detailed cost-benefit study. It was recognized that such a proposal would create a major gap between the initial and the target situation described by the policies for adoption.

Upon their evaluation by numerous divisions and endorsement by the Legal Division, on November 4, 2004, ANTEL’s information security policies were approved by its Board of Directors.

The document is lengthy, approximately 90 pages, and dwells at length on best practices in security organization in different IT environments, discussing all usual aspects of the aforementioned standard.

Since January 2006, information security management has designed and implemented a control system for the information security management system, used to monitor, disseminate, and evaluate progress made with activities in four areas:

1. Compliance with the information security projects timetable.

2. Compliance with the timetable for the development of corporate security procedures.

3. Compliance with ANTEL’s information system auditing plan.

4. Fulfillment of indicators of response time and number of information security inquiries.

To address such needs, multidivisional teams have been developed:

  • CONYSEC: Establishment of this multidisciplinary technical team arose from the need for a single point of contact through which information security management could learn of connectivity requirements between networks and systems, as well as a consulting group to analyze such connectivity and make recommendations based on best available practices.

  • CSIRT: ANTEL’s Information Technology and Telecommunications Incident Response Team

These teams provide proactive (CONYSEC) and reactive (CSIRT) interaction which, together with the audits, inquiry response system, training plan, and Procedural Security Unit’s security recommendations, constitutes communication networks deemed highly effective.

CONCLUSION

Although implementation of the information security program is a long-term process that is still being developed and modeled, the program’s progress is considered highly satisfactory in terms of its effectiveness, as it has achieved far more than the objectives set during initial planning. It has had a positive impact on recovery time in cases of IT problems, and many changes are being made to achieve greater security organization in the projects being promoted by the different administrative divisions.


Eduardo Carozo Blumsztein
Mgt. CIs
Information Security Manager

ANTEL


© Copyright 2007. Inter-American Telecommunication Commission
Organization of American States.
1889 F St., N.W., Washington, D.C. 20006 - United States
Tel. (202)458-3004 | Fax. (202) 458-6854 | [email protected] | http://citel.oas.org