The purpose of this document is to satisfy this need, providing a compact and easily understandable overview of the most relevant security safeguards with the focus on organisational and technical measurements. It should also be noted that security is a constantly changing environment and employees and suppliers need to recognise this.
Each employee and external party with access to data and information assets of Telesol are in scope of this policy and must comply with the requirements set by Telesol. Security Officer (SO) and Data Protection Officer (DPO) are responsible for this policy.
The objective of this ISMS is to protect Telesol information assets against all internal, external, deliberate, or accidental threats.
3.1 Information and demarcation to data protection
Information assets manifests itself from 4 different information types:
Data protection (DP): DP itself is not an individual information asset type. Any of the 4 asset types above could be related to data protection. Telesol has to ensure that staff and business partners operate compliant with the European standard GDPR. An Data Protection Officer (DPO) supports the activities. Therefore, DP control mechanisms were implemented to the Telesol ISMS.
3.2 Confidentiality, Integrity, and Availability of information
There are three fundamental values of Information Security: Confidentiality, Integrity, Availability that is to protect.
| Confidentiality: | It means that information is not made available or disclosed to unauthorized individuals, entities, or processes. |
| Integrity: | Data must be complete and unaltered. In information technology, the term “information” is used to refer to “data” to which, depending on the context, certain attributes, such as the author or time of creation, can be assigned. The loss of integrity of information can therefore mean that this data has been altered without authorization, that information relating to the author has been falsified or the date of creation has been tampered with. |
| Availability: | Services, IT system functions, data and information must be available to users as required. |
3.3 Technical and Organizational measurements and Authentication, Authorization and Accounting
Technical and Organisational measurements (TOMs) are in place to control access to content.
To protect access to content, controls are set for requesting, approving, granting, modifying, revoking, and revalidating user access to systems and applications containing Personal Data. Staff and certain suppliers need access to Personal Data located on cloud based systems and on premise servers, within applications, databases and/or ability to download data within the network. All access requests will be approved based on role-based access and reviewed on a regular basis. All systems must meet corporate information security standards and employ security configurations and best practices to protect against unauthorized access.
| Authentication: | When a person logs in on a system, the system runs a check in an authentication process to verify the identity of the person. The term is also used when the identity of IT components or applications is tested. |
| Authorization: | Authorization is the process of checking whether a person, an IT component or an application is authorized to perform a specific action. |
| Accounting: | Accounting ensures that only authorized persons have access to data. |
3.4 Essential Security safeguards
The entire network consists of active and passive components such as routers, servers, firewalls, laptops, patch panels, cabling, etc. Described requirements below regarding information security are treated equally whether components are located in the telecommunication network, the Data Communication Network (DCN) or in the IT infrastructure. Therefore, the term “information security” refers to the entire network of Telesol and is not limited to the infrastructure operated by the IT department.
3.4.1 Systematic approach to Information Security
Security aspects must be adequately considered early on in all projects
Information security aspects are considered right from the start of a project. New technology must not be implemented or purchased without consent from the Information Technology Security Team. Therefore, the team has to be a consultant on an early stage of each project where IT services are involved.
Step-by-step approach to greater Information Security
The Information security framework is defined with the following points at focus:
** Information Security Awareness training: Is mandatory for all new starters and provides insight and guidance on how employees and relevant external parties can help protect Telesol against crime. Training will be available for all employees in the first weeks when they start at Telesol. Long term contractors and external developers will receive customized training too.
4.1 Objective of the ISMS its policies and users
The defined scope of Telesol’ ISMS takes into account to provide secure
servicing of the telecommunication networks of Telesol customers which is operated centrally from Almere including the necessary IT Services, IT infrastructure and all main companies processes
The following objectives were defined:
In scope of this policy are all employees of the ‘In Scope’-Definition. This includes also the members of the executive team.
4.1.1 Locations in Scope
The following locations are in scope:
4.1.2 Key Roles and responsibilities
| Managing director: | Accountable for ISMS |
| Security officer: | Responsible for optimal working of ISMS all GDPR policies and their timely execution. |
5.1 Executives team’s commitment to the ISMS
The executive team of Telesol has instructed and approved the Information Security Management System. The Information Security Management System is legally binding and applies to all employees including the executive team, workers and contractors of Telesol.
5.2 Responsibility to enforce requirements of the ISMS
The Security officer is appointed by the executive team to enforce compliance with the agreed policies and procedures. Security officer has the right and the obligation to take appropriate measures to maintain and enforce requirements of the information security management system. On a scheduled basis, the Security officer will report security updates to the executive team. Financial resources are available to mitigate risks to meet the risk appetite of the organisation. Security officer is the main contact person for all topics of information security for all employees and the executives of the Telesol. Security officer continue to use the expertise of external security experts, the professional associations /networks and the relevant security authorities.
All actual or suspected information security breaches will have to be reported to the Security officer. Such breaches will be thoroughly investigated.
All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.
Procedures exist to support the information security policies, including data protection measurements.
The Information Security Management System will be reviewed annually by the Information Security Audit Team.
Key performance indicators (KPIs) are in place to measure and ultimately ensure the ISMS is working.
Legislative and regulatory requirements will be met.
5.3 Employees duty to Security Compliance
Each employee of Telesol and third parties with access to information assets, data and systems have to comply with the security requirements of this ISMS. It’s important to carefully handle information, data, applications, IT systems and communications networks. Accidental or grossly negligent information security breaches will result in disciplinary procedures and/or prosecution. Information security incidents have to be reported according to Information Security Incident handling below.
5.4 Risk Management
The risk management system of Telesol is designed in methodology and application so that it meets the requirements of information security in general, information security according to ISO 27001: 2022 and the European Data Protection Regulation GDPR.
The risk management system of Telesol is established as a standard in a practice oriented framework.
The risk management of Telesol is the responsibility of the Security officer and its deputy.
5.5 Classification of information assets
Information assets at Telesol are classified in the following classification scheme:
| Public: | All documents that can be shared in public. Typically, sales and marketing material. |
| Internal: | All not specifically marked documents at Telesol are classified as “Internal”. |
| Confidential: | Information that is confidential must be protected against unauthorized disclosure. |
| In strict Confidence (ISC): | Information that requires higher security and protection as Level 2 – confidential must be protected against unauthorized disclosure. Specific measures are required to protect ISC content. Data has to be fully encrypted during transit. This means the use of unencrypted network protocols such as Telnet and FTP are prohibited. Legacy systems that don’t support encryption must be isolated with no access to the Internet or alternative measurements can be considered to protect the configuration of these nodes. |
In terms of damage and disclosure of information, this means:
| Public: | Available for sharing in the public domain. | Disclosure causes no harm to Telesol. The information is for public use. |
| Internal: | Internal use only by Telesol employees. | Remains within Telesol office, servers or Microsoft 365 environments. |
| Confidential: | Restricted use and distribution. Key stakeholders only. | Sensitive information and commercially confidential. Distribution is likely limited to the project team/stakeholders involved. |
| In strict Confidence (ISC): | High confidential with significant damage if there was an information breach. | Highly confidential and of strategic importance. Significant damage to the business if disclosed beyond a limited group of stakeholders. |
5.6 Security Supplier Management
Suppliers delivering systems and services providing important items to operate the IT services at Telesol. To ensure that suppliers are maintaining the same high security standards that Telesol has established there are several verification methods established.
In general suppliers are verified if they are ISO27001 certified with an appropriate scope. If they are not certified then an Information Security questionnaire has to be filled out by the supplier and submitted to Telesol Information Security Team for review.
Before a new service agreement can be considered for Telesol a Supplier Information Security Evaluation Process has to be conducted and submitted to Telesol Security officer.
5.7 Business Continuity Management (BCM)
The objective for the entire BCM is to enable Telesol, its technical facilities and its employees to ensure that control of products and services are available at all times in compliance with all regulatory, legal, contractual and other requirements, as well as the operation of important IT services and Telesol facilities. The aim is to maintain or, in the event of damage, the fastest possible restoration of the normal operation of critical or time critical services at Telesol. Telesol BCM captures the threats and risks that can impair time-critical processes, regulates process organization, emergency and response measures, monitoring and improvement of the BCM process within Telesol.
5.8 Internal audits and improvement of ISMS
The entire security at Telesol is constantly improved. Therefore, independent audits are conducted on a scheduled basis.
Compliance with this guideline and the ISMS framework are regularly reviewed by internal audits and/or by external experts.
The findings of the audits are measured, evaluated and converted into then reported to the management in the context of the management review. The information and data security of Telesol is thus measured to determine the degree of maturity of security in the context of weaknesses and improvement. Measuring maturity is an important and integral part of ensuring and improving the Telesol availability, confidentiality and integrity protection goals.
5.9 Security incidents and notification
Information Security Incidents have to be reported in case of:
Information Security Incidents must be reported by all parties observing a security incident impacting Telesol or its business partners. Observers can report an Information Security incident 24×7.
Observers can report an Information Security incident by sending an email to:
security.officer@telesolgroup.com providing details of the incident.
In case of emergency
An urgent incident case should be raised during business hours by phone through the Telesol NOC services helpdesk: +31 (0) 20 225 55 88.
5.10 Order of precedence
In the event of a conflict between requirements, the higher standard prevails.