
Comply with ISO/IEC 27011

Meet telecommunication-specific information security guidelines

Security challenges in telecommunications

Protection of highly sensitive data
Telecommunication firms possess and must control access to several types of sensitive data including private customer data, employee records, and company financial information. Not only do service providers maintain large databases containing demographic and transactional data, they also possess massive amounts of usage data information in the form of Call Data Records (CDR) and Internet Traffic and Transaction Data (IPDR). With large numbers of employees, service providers must manage and record access to this sensitive information.

Complex, interconnected networks
Telecommunication firms operate complex, heterogeneous network environments which are difficult to monitor. They need different monitoring products for different platforms, which can be expensive and complex. Larger providers have tens of thousands of servers and networking devices managed by countless external and internal system administrators. Their activity cannot be fully traced or controlled with traditional solutions. For example, an accidental misconfiguration of a mission-critical router can cause serious service outages.

Compliance challenges
Telcos are increasingly subject to data protection regulations from a variety of organizations ranging from the Payment Card Industry (PCI) to governmental agencies, such as the European Union and its Data Retention Directive. Publicly traded telecom companies must also comply with Sarbanes-Oxley (SOX). Laws and standards require keeping clients' sensitive data safe and deploying a system that does not allow traceless modification of critical information, thus protecting the clients' interests.

ISO 27011 Goals

Telecommunication firms whose facilities are used by various users to process information such as personal and business data should handle this information with great care and apply an appropriate level of protection. In conclusion, telecommunications organizations need to establish and continuously improve an overall security management system which ensures appropriate controls are maintained.

The ISO 27011 standard allows telecom organizations to meet baseline information security management requirements. It provides telecom firms, auditors, telecom terminal vendors and application content providers with a common set of security control objectives based on ISO/IEC 27002, sector-specific controls, and IT security guidelines for implementation of such controls. In addition to the objectives and controls described in ISO 27002, telecommunications organizations must take the following security features into account:

1. Confidentiality: Information related to telecommunications organizations should be protected from unauthorized disclosure.
2. Integrity: The use of telecommunications facilities should be controlled, ensuring the authenticity, accuracy and completeness of information transmitted.
3. Availability: Only authorized access should be provided when necessary to telecommunications information and facilities used for the provision of communication services.

ISO 27011 Framework
The Standard has been structured in a format similar to ISO/IEC 27002. Telecommunications sector specific guidance
and information is included in the following clauses:

| ISO 27002 (27011) Clause | Description |
|---|---|
| Organization of information security (clause 6) | Establish a management framework to initiate and control the implementation of information security within the organization. |
| Asset management (clause 7) | All major information assets should be accounted for and have an assigned owner. Information should be classified to indicate the priorities, and expected degree of protection. |
| Human resources security (clause 8) | Security responsibilities should be addressed prior to, during and after employment. |
| Physical and environmental security (clause 9) | Critical information processing facilities should be housed in secure areas, protected by defined security perimeters, and with entry controls. |
| Communications and operations management (clause 10) | Operational procedures and responsibilities, third party service delivery management, network security management, system monitoring, logging of security events, etc. |
| Access control (clause 11) | Business requirement for access control, user access management, user responsibilities, network access control, operating system access control and information access control |
| Information systems acquisition, development and maintenance (clause 12) | Security requirements of information systems, correct processing in applications, cryptographic controls, security of system files, security in development and support processes, etc. |
| Information security incident management (clause 13) | Reporting information security events, management of information security incidents and improvements |
| Business continuity management (clause 14) | A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets. |

Note: Balabit can offer supportive technologies for the highlighted clauses!

The ISO 27011 security controls are very stringent, and it is certain that this will pose a challenge to telecom firms in
terms of implementation and operational costs. The question is how these rigorous requirements can be met most
cost-effectively...
How can Balabit help in ISO 27011 Compliance?

Privileged Activity Monitoring
Balabit Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers or networking devices, and records the activities of the users accessing these systems. For example, it records system administrators configuring your database servers through SSH, or your employees making transactions using thin-client applications in Citrix. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervise privileged user access as mandated by many compliance requirements, like PCI DSS or ISO 27011. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure.

[Figure: Shell Control Box deployment diagram. Labels: server administrator, network administrator, Windows terminal service user, auditor; SSH, Telnet, RDP; webserver, routers and switches, Windows terminal server.]

Key SCB benefits for telecom organizations
■ Control internal and external administrators' access to critical systems and data
■ Transparent monitoring and recording of remote network management
■ Supporting heterogeneous environments using SSH, RDP, HTTP/HTTPS, ICA, VNC, Telnet and other protocols
■ Real-time session following with the possibility of instant termination
■ Video-like playback of recorded sessions
■ High quality, tamper-proof audit trails
■ Improved troubleshooting and forensics investigations

Trusted Log Management
The syslog-ng Store Box™ (SSB) is a high-reliability log management appliance to collect, classify, organize, and securely store log messages for enterprises who operate log infrastructure. As an "out-of-the-box" log server, it consolidates enterprise-wide log management needs, helping telecom organizations to lower operational risks and costs. It can collect and classify log messages from IT devices, operating systems and applications and transfer them to the high-performance log server in a reliable channel. The log messages from numerous network devices such as servers, routers, and firewalls and a wide variety of applications ranging from ERP solutions to server OS software can be collected and stored. The syslog-ng solutions support over 50 platforms including a wide variety of Linux, UNIX, HP, IBM, Microsoft Windows, and Solaris variations. Syslog-ng-based logging infrastructures meet the log generating capacity requirements of telecommunications networks while ensuring reliable and secure log message transport and storage.

Key syslog-ng benefits for telecom organizations
■ Collect messages from a broad spectrum of applications and devices
■ Transfer messages with Zero Message Loss
■ Deploy syslog-ng Premium Edition on widest range of server platforms
■ Prevent tampering with encrypted transport and storage
■ Scale to the largest log generating environments
■ Web-based search interface
■ Automated log life-cycle management

[Figure: syslog-ng Store Box functions]
Log collection: on the clients using syslog-ng Premium Edition
Log archiving: moving older log messages to external storage
Log analysis: forwarding messages to external log analyzing engines
syslog-ng Store Box: Log collection
Log monitoring: content-based filtering and real-time alerting
Log storage: signed, encrypted, timestamped log files
Reporting: reports and statistics about the log traffic

Conclusion

The following table lists key ISO 27011 requirements relevant to log management and auditing together with the compliant Balabit solution:

| ISO 27011 requirement | syslog-ng/SSB | SCB |
|---|---|---|
| 10.1 Operational procedures and responsibilities. Objective: To ensure the correct and secure operation of information processing facilities. | ✓ | ✓ |
| 10.2 Third party service delivery management. Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. | - | ✓ |
| 10.6 Network security management. Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure. | ✓ | ✓ |
| 10.10 Monitoring. Objective: To detect unauthorized information processing activities. | ✓ | ✓ |
| 11.2 User access management. Objective: To ensure authorized user access and to prevent unauthorized access to information systems. | - | ✓ |
| 12.5 Security in development and support processes. Objective: To maintain the security of application system software and information. | - | ✓ |
| 13.2 Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach is applied to the management of information security incidents. | ✓ | ✓ |

About Balabit

Balabit – headquartered in Luxembourg – is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe together with partners.

Balabit’s Contextual Security Intelligence™ strategy protects organizations in real-time from threats posed by the misuse of high risk and privileged accounts. Solutions include reliable system and application Log Management with context aware data ingestion, Privileged User Monitoring and User Behavior Analytics. Together they can identify unusual user activities and provide deep visibility into potential threats. Working in conjunction with existing control-based strategies Balabit enables a flexible and people-centric approach to improve security without adding additional barriers to business practices.

Founded in 2000 Balabit has a proven track record including 23 Fortune 100 customers among over 1,000,000 corporate users worldwide.

For more information, visit www.balabit.com

Learn More
■ Shell Control Box homepage
■ ISO 27001 - Achieve the impossible! (White Paper)
■ Start evaluation project
■ Request a callback

“WE FOUND THAT BALABIT SCB IS THE ONLY SERIOUS PRODUCT ON THE
MARKET THAT IS CAPABLE TO SECURELY MONITOR SSH SESSIONS.”
Øyvind Gielink, IT security Officer, Telenor Group
