View a markdown version of this page

TELCOSEC04-BP01 Enable encryption for CPNI and PII information at rest and in transit and access restriction - Telco Lens
Implementation guidance: Resources

TELCOSEC04-BP01 Enable encryption for CPNI and PII information at rest and in transit and access restriction

It is recommended that telecommunications organizations implement comprehensive encryption measures for both customer proprietary network information (CPNI) and personally identifiable information (PII) at rest and in transit to verify robust data protection and regulatory adherence. Organizations should use industry-standard encryption algorithms (such as AES-256) for data at rest, implement TLS/SSL protocols for data in transit, and establish secure key management practices.

This implementation should include encryption where applicable, strong access controls with multi-factor authentication, and regular security audits to verify encryption effectiveness. The organization must verify that third-party vendors handling CPNI or PII adhere to the same encryption standards and maintain detailed documentation of encryption practices.

Furthermore, establish comprehensive employee training programs to verify proper handling of encrypted data, and incident response plans should be developed specifically for potential breaches of encrypted information. This recommendation is critical for avoiding potential data breaches, maintaining regulatory adherence, protecting against financial penalties, and preserving customer trust. Conduct regular reviews and updates of encryption protocols to address emerging security threats and maintain the effectiveness of data protection measures.

Desired outcome:

  • Verify that customer proprietary network information (CPNI) and personally identifiable information (PII) data is encrypted at rest and in transit, providing a robust layer of protection for sensitive customer data.

  • Implement strict access controls and least-privilege permissions to limit access to CPNI and PII data, reducing the risk of unauthorized access or data breaches.

  • Demonstrate adherence with industry regulations and customer data privacy requirements, such as FCC CPNI rules and GDPR, by effectively securing the handling of sensitive information.

  • Provide visibility and auditability of access and usage of CPNI and PII data through comprehensive logging and monitoring.

Level of risk exposed if this best practice is not established: High

Implementation guidance:

Implement robust data protection measures by encrypting customer CPNI and PII data at rest and in transit. Use customer-controlled encryption keys and secure communication protocols like TLS. Enforce strict access controls based on the principle of least privilege, with multi-factor authentication. Enable comprehensive logging and monitoring to track access and usage activities, integrating the logs into a centralized security framework. Establish clear data handling policies and procedures and conduct regular audits to verify the effectiveness of the data protection controls and verify ongoing adherence with industry regulations and customer privacy requirements.

Implementation steps

  • Encrypt CPNI and PII data at rest:

    • Use AWS Key Management Service (KMS) to generate and manage customer-controlled encryption keys for protecting data at rest.

    • Configure AWS services handling CPNI and PII data, such as Amazon S3, Amazon RDS, and Amazon EBS, to use the customer-managed encryption keys from KMS.

    • Implement a key rotation strategy to verify the cryptographic strength of the encryption keys is maintained over time.

  • Encrypt CPNI and PII data in transit:

    • Require the use of secure communication protocols, such as TLS 1.2 or 1.3, for data transfers involving CPNI and PII information.

    • Utilize AWS Certificate Manager to provision, manage, and renew the SSL/TLS certificates used for encrypting in-transit data.

    • Enforce the use of secure protocols and certificate validation across network connections, including those between internal telco network functions and external interfaces.

  • Implement access controls and least privilege:

    • Define granular IAM policies to restrict access to CPNI and PII data based on the principle of least privilege.

    • Leverage AWS Identity and Access Management to create roles and policies that limit access to CPNI and PII data to only the authorized personnel and systems.

    • Implement multi-factor authentication (MFA) for users and systems accessing CPNI and PII data, adding an extra layer of security.

  • Enable comprehensive logging and monitoring:

    • Configure AWS CloudTrail to create detailed audit trails of access and usage activities related to CPNI and PII data.

    • Integrate the CloudTrail logs with Amazon CloudWatch and Amazon OpenSearch Service for centralized security monitoring and analysis.

    • Set up Amazon CloudWatch alarms to trigger alerts for suspicious or unauthorized access attempts to CPNI and PII data.

  • Establish data governance processes:

    • Develop and enforce data handling policies and procedures aligned with industry regulations and customer data privacy requirements.

    • Integrate the encryption, access control, and logging mechanisms into the organization's overall security framework.

    • Conduct regular audits and assessments to verify the effectiveness of the data protection controls and verify ongoing adherence.

Resources

Key AWS services: