Corporate Security Statement
Owner: BICS Corporate Security Team
Date: December 2024
Who are we?
Belgacom International Carrier Services (BICS) takes the security of its information, infrastructure and applications very seriously. Its commitment to corporate security is demonstrated in particular by its acquisition of an ISO 27001:2022 certification in September 2024.
BICS has implemented policies, controls and procedures, and has allocated the dedicated resources required for a formal Corporate Security organization.
This document provides an overview of the security controls employed by BICS and is intended to be shared with its customers, prospects, partners and suppliers.
ISO 27001 certification
BICS has set up an Information Security Management System (ISMS) that has been ISO 27001:2022 certified since September 2024.
The ISMS covers the IT operations processes run at the data center locations for which BICS is accountable:
- Storage & Back-up of the data
- Logical access management
- Asset management
- Office IT
- Monitoring the availability
- Incident management
- Procurement
- Compliance
- SIEM
- Capacity management
- Business continuity management
- Knowledge management
- Vulnerability management
- Change management
- Human resources
- Physical security
- Facility management
The certificate concerns the following locations:
- BICS HQ in Brussels (Belgium) – Legal and operational addresses
- BICS datacenter “Marais” in Brussels (Belgium)
- BICS datacenter “Paille” in Brussels (Belgium)
- BICS datacenter “Carli” in Evere (Belgium)
- BICS datacenter “Mechelen” in Mechelen (Belgium)
- BICS datacenter in Marseille (France)
Note: the certificate does not cover cloud services used for the delivery of services to customers, DDoS protection or development activities. BICS netcenters and other points of presence are also excluded.
The ISO 27001:2022 certificate is available here.
Security governance
Security policies
BICS has implemented, published and communicated to its personnel an information security policy detailing the ISMS structure, the security governance and the main roles and responsibilities. It contains a management declaration, signed by the BICS managing director, setting out BICS objectives for information security and demonstrating top management commitment.
Building on that main document, BICS has developed a set of security policies, procedures, technical standards and guidelines that define the security requirements to protect BICS assets and data.
Individual responsibilities are communicated in each document.
These policies are permanently available to employees and contractors through the BICS intranet portal.
The information security policy is available on demand.
Security organization
BICS has a formal Corporate Security organization led by the Chief Information Security Officer (CISO), who is responsible for all security matters in the organization and is assisted by a team of technology and security professionals. These security professionals hold a variety of certifications and other credentials that attest to their proficiency in the field. They participate in training programs and activities sponsored by industry-specific security groups to stay abreast of current security trends and issues.
The CISO has ultimate responsibility for the organization's security-related decisions and strategies.
The Corporate Security team comprises IT security governance specialists, security engineers and security operations experts.
Management leadership
BICS top management is highly involved in the maintenance and continuous improvement of the BICS security posture and provides its support to security-driven initiatives. It participates regularly in security steering committees and in ISMS management reviews.
The security operations team sends BICS top management a monthly SIRT report providing security-related highlights, in particular updates on incidents and vulnerabilities, attendance and results of security awareness sessions, and highlights from security intelligence reports.
Human Resources security
Recruitment process
Teams in charge of the recruitment of new employees and contractors perform checks to ensure that the candidate has the required skills and knowledge to perform the job for which they apply. Background and reference checks are done according to what is legally permitted in the country where the person applies.
Contractual obligations
BICS employees and contractors, when joining BICS, are required to sign non-disclosure and confidentiality agreements, and to commit to respecting BICS information security policies.
Security awareness
BICS employees and contractors are required to follow a set of security training and awareness sessions when joining the organization. A yearly awareness program periodically reinforces the main security concepts and reminds them of their responsibilities, as defined in the security policies. Phishing simulation campaigns run permanently to reinforce awareness and train people to detect potential attacks.
Appropriate use
The BICS code of conduct and acceptable use policy address the appropriate use of BICS assets, tools and data. Those who violate them are subject to potential sanctions, and a disciplinary process is in place to handle such violations.
Termination process
BICS has established a documented termination process that defines responsibilities for the collection of IT and HR assets and for the removal of access rights for employees and contractors who leave BICS.
Asset management
BICS has established and maintains asset inventory processes for its information assets.
BICS assets are classified against each security criterion: confidentiality, integrity, availability and traceability. Depending on the classification of the asset, security requirements are defined to protect it properly, and BICS personnel are provided with instructions on how to handle the assets.
Specific rules are defined for asset maintenance and asset transport.
The use of removable media is not allowed.
When an asset is no longer needed, it is disposed of according to a dedicated security process that ensures no data can be retrieved from the asset.
Mobile devices
Non-BICS devices cannot be connected to the BICS internal network, whether wired or wireless. Non-BICS devices can use the BICS guest Wi-Fi, which does not provide any access to BICS data.
Mobile devices must run antivirus software permanently.
The IT support team can remotely wipe a mobile device when necessary.
Physical and environmental security
Datacenter security
The following physical and environmental controls are incorporated into the design of BICS datacenters:
- Separate protected facilities
- Badge entrance control
- Internal and external cameras
- Temperature and humidity control and monitoring
- Fire and water detection alarms
- Lightning suppression
- Transient voltage surge suppression and grounding
- Redundant power feeds and UPS systems
- Physically secured network equipment areas and locked cabinets
Datacenter access is limited to authorized personnel. Visitor access procedures and loading dock security protocols are established.
BICS office security
Physical access controls are implemented in all BICS offices. Controls vary by location but typically include access control with badge readers, on-premises security staff and defined procedures for visitor access control.
Identity and access management
Authorization and authentication controls
BICS follows a formal process to grant or revoke access to its resources. Access management is based on the "least-possible privilege" and "need-to-know" principles to ensure that authorized access is consistent with defined responsibilities. BICS uses a combination of user-based, role-based and rule-based access control approaches. BICS has established documented procedures to ensure proper access management for newcomers, movers and leavers. In addition, accesses are regularly reviewed in order to remove any access that is no longer needed.
Privileged access
Access to authentication servers at administrative, root or system level is limited to those professionals designated by BICS. Dedicated admin accounts must be used to perform privileged actions.
Password requirements
The BICS security policy establishes requirements for password complexity, change and reuse. Sessions are automatically locked after a period of inactivity, and accounts are locked after several unsuccessful connection attempts. All BICS staff are required to agree to take reasonable precautions to protect their credentials. Sharing passwords is strictly forbidden.
Operations security
Hardening
All BICS laptops are protected by hard drive encryption software using the 256-bit AES encryption algorithm. The software enforces password controls and uses a dynamic password time-out to prevent brute-force password attacks. Additionally, the software is bound to the hard drive, protecting not only the operating system but also the data. The internal policy that regulates the use of laptops is widely communicated to BICS staff. Training is delivered to new employees to educate them about theft and to encourage behaviour that helps protect laptops against it.
Full disk encryption is used in order to prevent most offline physical attacks and boot sector malware.
Vulnerability and patch management
BICS uses multiple vulnerability scanning tools to assess its internal and externally facing network environments. The scans run permanently, ensuring that each system is scanned at least once per week. Processes are established to register and assess the identified vulnerabilities: each vulnerability is given a CVSS score, which defines the SLA to patch it. Every vulnerability has an owner in charge of its patching.
A vulnerability report, including the status of each vulnerability, is sent monthly to the executive committee.
BICS has patch management processes and tools to assess and deploy operating system and application-specific patches and updates. This process includes steps to:
- Evaluate vendor supplied patches
- Determine servers that require patches and updates
- Document procedures for patching and updating servers
- Deploy patches and updates in a timely manner to protect the BICS infrastructure
BICS continually reviews patches and updates as they are released, to determine their criticality and ensure their deployment according to the severity of the vulnerabilities they address.
Penetration testing
BICS external-facing applications undergo penetration testing at least once per year and before any major release. Penetration tests are performed by an external company with relevant expertise. Findings are registered and follow the remediation process described above in the vulnerability and patch management section.
Back-up and restore
Data center systems are routinely backed up for disaster recovery purposes. Back-up and restore procedures are documented and regularly tested.
Traceability and log management
A SIEM (security information and event management) system is used for security monitoring and anomaly detection.
Network security
Antivirus
The virus protection software package is loaded during the operating system start-up process and performs on-access scans of all data. The software is configured to clean or delete infected files and provides other safeguards. Virus signatures are updated automatically and continuously through a centrally managed process.
Antispyware
BICS installs spyware detection and malicious software removal tools on all BICS computers.
Desktop firewall
The BICS desktop firewall software is automatically enabled and uses the BICS standard configuration to protect against malicious network traffic, including internet-based network threats, untrusted networks and malicious software. Database configuration settings are secured against change, tampering or disablement by end users or malicious programs.
Wireless Networks
Only IT-managed wireless networks are permitted on the BICS network. The wireless network is segmented to ensure that only fully managed endpoints are admitted to the corporate network, while unmanaged endpoints are placed on a guest VLAN with, at most, access to the internet. Wireless access security controls include standards for encryption and authentication that are managed by the BICS mother company (Proximus).
Spam Blocking and URL Filtering
BICS has deployed and regularly updates URL filtering software that blocks access to inappropriate web sites from its network. BICS has also established and maintains an email gateway with spam-blocking and antivirus software.
Remote Access
BICS uses virtual private network (VPN) software, configured to require two-factor authentication, to enable secure remote access to its networks. VPN tunnels are secured using AES-128 or stronger encryption. The client software uses smart tunneling technology to ensure that communications between the host PC and the BICS network are transmitted via an encrypted VPN tunnel, while communications to internet-routed addresses are conducted outside of the established VPN tunnel. Session timeout settings are configured to automatically disconnect the user after a period of inactivity. Processes are established to limit third-party remote access to BICS systems: such access requires approval from the security team, is limited to the systems required for the third party to complete the task, and is monitored on a regular basis.
Change management
BICS has established and maintains a change management process which includes impact assessment, testing and rollback procedures. All changes on BICS systems must be reviewed and approved via a Change Approval Board meeting.
Development environments
BICS maintains separate development and production environments. Development environments are required to be physically separated from production environments. The transfer of an application from development to production follows the procedures established in the change management process.
Information systems development cycle
BICS has established a methodology to manage the acquisition, development and maintenance of systems. Key security components related to this methodology include:
- Business criticality assessment
- Risk assessment
- Security team involvement in project reviews and key contracts
- Utilization of established change control management to transfer changes from the development to the production environment
- Penetration testing of a new service or significant changes to an existing one
Supply chain security
BICS ensures security across the whole supply chain by requiring its suppliers to:
- Apply at least the same level of security as BICS does
- Ensure the requirement is cascaded to their own suppliers
Each supplier is required to sign a security annex, included in its contract with BICS, setting the minimum security requirements. BICS performs regular security assessments of its suppliers and ensures that service delivery reviews are performed when necessary.
Incident management
BICS staff members are made aware that security incidents must be reported immediately. BICS has documented procedures for the receipt of security incident reports. BICS Corporate Security team has a documented incident response process which includes:
- Escalation process
- Pre-defined roles and responsibilities
- Incident response plan
Business continuity and disaster recovery management
BICS has established a Business Continuity (BC) and Disaster Recovery (DR) strategy and process, following the guidelines of the Business Continuity Institute, and approved by BICS executive management.
To manage this process properly, BICS has appointed a Business Continuity Manager and has assigned Business Continuity Coordinators in the different teams, in charge of BC implementation within their scope. For each product and service, BC and DR plans are defined and regularly reviewed, updated and tested.
In addition, BICS has a Denial of Access Procedure that allows BICS to continue working in emergency situations.
Compliance
Internal & External Audit
BICS is regularly audited by internal auditors from its mother company (Proximus) and by external auditors from expert and/or certified companies. BICS internal operations are regularly covered by such audits, as well as the services and products available to BICS customers.
Ethics & Compliance
BICS has implemented procedures to report, anonymously or not, any misconduct of its professionals or third parties with respect to the Code and to laws and regulations relating to property, secrecy, confidentiality, ethics and business conduct, as well as to internal policies and procedures.
Privacy Office
BICS has established data protection rules that ensure compliance with GDPR and other applicable privacy laws. The privacy policy is available on our website (Privacy Notice – BICS).