This article is the second part of a two-part series. Here is the first part!
Compliance is not a one-time exercise; it requires constant monitoring and periodic checks of the systems to stay compliant with DoT regulations. Maintaining effective and secure compliance has multiple facets, including failure notifications, change control mechanisms, and periodic reviews.
This article is based on the OSP market report 2017, prepared after a survey of the level of enterprise compliance with OSP regulations. Its aim is to understand the complexity of OSPs and the extent of their compliance with the OSP regulations.
What do enterprises need to focus on?
- Lack of expertise: Because of a lack of expertise in DoT/OSP regulations and in mapping them onto the voice infrastructure, both enterprises and service providers remain at high risk of litigation and penalties due to technically non-compliant systems.
- Resistance to change: Many enterprises are unable to accept changes in technology such as SIP trunking because of this lack of expertise. The mere fear of being non-compliant prevents such enterprises from adopting newer technologies and moving on from older ones such as ISDN-PRI.
- Toll fraud: India is second on the PBX toll fraud origination list (the US being first), where insecure PBX configurations, a lack of voice expertise, and manual monitoring increase an organization’s vulnerability.
OSP Distribution – Based on Infrastructure
The OSP compliance of an enterprise is determined using the core principles of the OSP regulations. To meet those core principles, the logical partitioning between the PSTN and the enterprise’s CUG (Closed User Group) must be verified.
The primary tests for this process check the basic design or architecture of the logical partitioning, while ignoring many of the trickier configurations that require expert guidance.
The survey sample is reasonably well distributed by enterprise size: around 48% of the surveyed firms were small or medium setups, and 52% were large contact centers with over 700 agent seats each.
A deeper analysis of the survey respondents shows that the large-enterprise sample included 38% extra-large enterprises with 1500-7000 agents, while the remaining 62% had around 700-1500 agents.
Among the enterprises with fewer than 700 agents, 66% were medium enterprises with 300-700 agents, while the remaining 33% were small enterprises with fewer than 300 agents. This is an insightful analysis with a well-distributed sample.
Another significant outcome is that the bigger the enterprise, the harder it is to maintain its compliance status manually. It was also noted that all the extra-large enterprises were found to be non-compliant, while around 62% of the large enterprises made it onto the compliance list.
Among the medium and small-sized enterprises, 75% of the small enterprises were found to be non-compliant, while 50% of the medium-sized enterprises were found to be compliant with the primary criteria. This suggests that small enterprises use simpler configurations without logical partitioning because they are unaware, or less aware, of their compliance needs.
Medium-sized enterprises, by contrast, are taking effective measures to spread compliance awareness and run a complex system that can still be managed manually.
Detected Compliance Issues
Architectural and design faults occur when the basic logical partitioning of the PSTN and the CUG is not enforced in the configurations. Around 70.8% of the survey respondents suffer from architectural and design faults. Other faults, such as missed best practices or misconfigured features, are not counted separately if a respondent was found to have an architectural or design flaw, since the design flaw already makes the configuration non-compliant.
This means that enterprises should concentrate more on getting a well-designed voice network, which will resolve the non-compliance issue the organizations currently face. Enterprises also face the complexity of maintaining continuous compliance on their systems, which results in bad configurations accumulating over time.
‘Misconfigured feature configuration’ is the category of non-compliance where specific features such as mobility, redirections, hot desking, etc. were configured in a way that allowed non-compliant calls to be made.
This category accounts for 16.7% of the respondents, even though they have no design/architectural faults in their configurations. Also, around 50% of the enterprises lack an understanding of the PBX features required for compliant configurations, while 30% of the enterprises are aware of the technical needs of a compliant system.
Around 4.2% of the survey respondents belong to a category where the configurations were well designed and the features correctly configured, but some industry best practices, such as access controls over the resources, were missing. These enterprises are capable of moving to full compliance with minor configuration changes.
The remaining 8.3% of the survey respondents were found to have fully compliant configurations.
Therefore, a major chunk of the industry is at risk of being found OSP non-compliant, while those with the expertise to absorb more involved configurations and industry best practices are very few in number.
Secured and Vulnerable Enterprises
The vulnerability and security picture also has two aspects, both of which concentrate on protecting the PBX: from insufficient internal access controls and from external malicious users.
Toll fraud happens because external malicious users can access the PBX and use its call-related features, putting enterprises at high risk. As per the survey, around 60% of the enterprises with over 1500 agents were negligent of this issue. Also, about 37.50% of the enterprises with 700 to 1500 agents had security vulnerabilities.
This means that the IT teams of large enterprises need to shift their focus towards the voice infrastructure of their systems, whereas small enterprises are, as per the survey, capable of managing the security of their systems.
The most crucial resources in an enterprise’s PBX are the trunks; incorrect use and configuration of these may lead to non-compliance. Unrestricted access to the trunks can pave the way for fraudulent activities, so it is crucial that enterprises control access to the trunks effectively.
During our research, we learned that out of the 500 enterprise trunk configurations that we scanned, up to 55% were vulnerable to fraud.
The extra-large enterprises, with their extensive manpower, and the small organizations, with their non-complex setups, are better at managing their trunk access controls: only 43.24% and 36% of their trunk resources, respectively, lack adequate access controls.
Also, around 65-68% of the small enterprises (with around 300-1500 agents) were found to be more negligent and prone to security breaches.
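To make the four finding categories from the "Detected Compliance Issues" section (architectural fault, misconfigured feature, missing best practices, fully compliant) and the trunk access-control concern above concrete, here is an added worked example in Python. It is not code from the article, the survey or any PBX vendor: the data model (Trunk, Route, Feature, PbxConfig), the PSTN/CUG labels, the precedence rule in classify() and the sample sites are all assumptions chosen to mirror the text, and the sample configurations are constructed, not survey data.

```python
"""Hypothetical OSP-compliance classifier over a simplified PBX configuration model.

Added example; the model and checks are assumptions that mirror the article's
finding categories, not a real PBX's configuration format or a vendor API.
"""
from collections import Counter
from dataclasses import dataclass, field

PSTN, CUG = "PSTN", "CUG"  # the two domains that must stay logically partitioned


@dataclass
class Trunk:
    name: str
    side: str                # PSTN or CUG
    access_controlled: bool  # a class-of-service / allow-list restricts who may seize it


@dataclass
class Route:
    src: str  # trunk a call arrives on
    dst: str  # trunk the static dial plan can send it out on


@dataclass
class Feature:
    name: str  # e.g. "call_forward", "mobility", "hot_desking"
    src: str   # trunk the feature takes the call from
    dst: str   # trunk the feature can redirect it to


@dataclass
class PbxConfig:
    site: str
    trunks: dict = field(default_factory=dict)   # name -> Trunk
    routes: list = field(default_factory=list)
    features: list = field(default_factory=list)


def _crosses_partition(cfg, a, b):
    """True if trunks a and b sit on different sides of the PSTN/CUG partition."""
    return cfg.trunks[a].side != cfg.trunks[b].side


def design_faults(cfg):
    """Static dial-plan routes bridging PSTN and CUG: the partition is not enforced."""
    return [r for r in cfg.routes if _crosses_partition(cfg, r.src, r.dst)]


def feature_faults(cfg):
    """Features that can carry a call from one domain into the other."""
    return [f for f in cfg.features if _crosses_partition(cfg, f.src, f.dst)]


def unrestricted_trunks(cfg):
    """Trunks anyone can seize: the toll-fraud / missing-best-practice finding."""
    return [t.name for t in cfg.trunks.values() if not t.access_controlled]


def classify(cfg):
    """Single finding category per site, with the article's precedence: a design
    fault makes the other findings moot."""
    if design_faults(cfg):
        return "architectural_fault"
    if feature_faults(cfg):
        return "misconfigured_feature"
    if unrestricted_trunks(cfg):
        return "missing_best_practice"
    return "compliant"


def survey(configs):
    """Share of sites per category, in percent, like the report's breakdown."""
    counts = Counter(classify(c) for c in configs)
    return {k: round(100 * v / len(configs), 1) for k, v in sorted(counts.items())}


def _site(name, pstn_controlled=True, routes=(), features=()):
    trunks = {
        "pstn1": Trunk("pstn1", PSTN, pstn_controlled),
        "cug1": Trunk("cug1", CUG, True),
    }
    return PbxConfig(name, trunks, list(routes), list(features))


def sample_configs():
    """Constructed sample sites, one per finding category (not survey data)."""
    return [
        # partition broken by a dial-plan route; the open trunk is masked by it
        _site("site-a", pstn_controlled=False, routes=[Route("pstn1", "cug1")]),
        # partition intact, but call forwarding can hairpin a PSTN call onto the CUG
        _site("site-b", features=[Feature("call_forward", "pstn1", "cug1")]),
        # partition intact and features stay in-domain, but the PSTN trunk is open
        _site("site-c", pstn_controlled=False,
              features=[Feature("mobility", "cug1", "cug1")]),
        # everything partitioned and access-controlled
        _site("site-d"),
    ]


if __name__ == "__main__":
    for cfg in sample_configs():
        print(cfg.site, classify(cfg), unrestricted_trunks(cfg))
    print(survey(sample_configs()))
```

The precedence in classify() is the point the article makes in the "Detected Compliance Issues" section: site-a also has an open PSTN trunk, but it is reported only as an architectural fault, because fixing the partition comes first. A real audit would replace the toy model with an export of the PBX's dial plan, class-of-service and feature settings; the checks themselves stay the same shape.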
(Disclaimer: This is a guest post submitted on Techstory by the mentioned authors. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)