Telstra completes IT overhaul program for structural separation compliance

The Australian Competition and Consumer Commission (ACCC) has announced the completion of Telstra's IT overhaul and infosec remediation program as part of its Structural Separation Undertaking (SSU) obligations compliance.

Every year, the ACCC must look into whether Telstra has kept to its SSU commitments until the National Broadband Network (NBN) rollout is complete and all services have been migrated from the Telstra fixed-line network to the NBN.

"The ACCC is pleased that Telstra's long-running project to achieve compliance with its SSU has concluded," ACCC chairman Rod Sims said on Tuesday.

"The ACCC is now satisfied that Telstra's SSU reporting measures can be relied on to identify any further information security issues, should they arise."

After reporting a series of security breaches due to both human error and its legacy IT systems, an independent review by Ovum of Telstra's IT systems was kicked off in March last year.

During the project, an Internal Due Diligence (IDD) review was conducted, as well as an Information Security Remediation (ISR) program. Ovum reviewed the ISR program along with a sample of eight of its IT systems, and reviewed Telstra's IDD with a sample of six IT systems.

The ISR program saw a remediation team made up of 100 business analysts, project managers, and experts across Telstra's businesses remediate 42 IT systems and implement a compliance management framework (CMF). A three-year implementation time frame has been flagged.

Testing across the ISR program involved three layers -- vendor tests, remediation program tests, and legal verification tests.

"Overall, Ovum was satisfied with the range of tests conducted, the data input options, and the customer cases used in the review," Ovum said in the executive summary [PDF].

"However, three issues were identified in three of the eight IT systems under review. These issues were reported by Telstra in its confidential reporting to the ACCC. In each case, Telstra has now remediated the issue and Ovum has verified the remediation."

The IDD program involved Telstra reviewing which staff members have access to what information, in order to ensure employees working in the Retail business had no access to NBN wholesale customer information.

Twenty-four of the 42 IT systems involved in the IDD review were evaluated over a period of nine weeks, with Telstra implementing a "clear reporting and appropriate corporate governance model with senior management oversight" as a result.

Within those 24 IT systems, Telstra detailed issues in four systems. Ovum added another two to this list, but said that Telstra's new CMF should be able to identify any issues in future.

"We would recommend that the ACCC continue to rely on Telstra's self-reporting mechanisms and that the implementation of Telstra's compliance management framework should either prevent new issues from arising (given the SSU compliance framework is now built into new product development or IT changes), or allow the reporting of new issues as they arise (through compliance checks and company training)," Ovum concluded.

In April, Telstra's SSU FY15 compliance report resulted in the ACCC finding that while Telstra had improved its level of compliance, several breaches occurred due to human error and failing IT systems.

The breaches recorded by the ACCC for the 2014-15 financial year related to disclosing to its retail business confidential or commercially sensitive wholesale customer information obtained while supplying regulated services; failing to maintain separation between its wholesale, retail, and network businesses; failing to comply with transparency reporting requirements; and blocking the process of service orders for migration to the NBN.

"These compliance issues largely arise due to Telstra's legacy systems not being designed to deliver the outcomes required by the SSU, or errors made by Telstra staff in performing their day-to-day work," Sims said at the time.

"Telstra has made progress towards addressing key issues during the year, particularly in relation to its IT systems and processes to better safeguard against disclosure of protected wholesale customer information."

Specifically, one breach occurred due to "human error", when a retail business employee was included on a wholesale business chain email; one where a retail business employee called a network services business employee thanks to "individual error"; one where a Telstra employee moved from wholesale to retail but was kept on an email alias; four where Telstra found that wholesale information was visible in a retail business IT system, application, portal, or phone system; one where call centre staff members potentially had access to both retail and wholesale customer information; and one when Telstra retail staff inadvertently made use of a meeting room inside Telstra's wholesale business premises "without being appropriately escorted".

Telstra also reported several breaches of its Migration Assurance Policy, including on one occasion publishing a disconnection schedule for its customers less than five business days after being told by NBN, which was caused by "human error"; publishing disconnection notices for retail customers less than three months in advance due to IT system failings; experiencing a "small number of instances" where Telstra reconnected copper services after they had been permanently disconnected; reporting "some instances" when, due to "data quality issues and human error", Telstra connected services despite those premises being NBN serviceable; and missing by several days the disconnection dates for some premises.

"Telstra has further advised that five disconnection dates were passed during 2014-15, impacting 73 NBN Rollout Regions," the ACCC added.

The SSU, which governs how the telco's wholesale business is to function during the rollout of the NBN and commits it to structurally separating its wholesale and retail businesses by 2018, was accepted by the ACCC in February 2012 after the regulator rejected Telstra's first attempt at the document.

Four years after this, the Australian government released in February 2016 its final Migration Assurance Policy, detailing the process for customers to transition from Telstra's legacy copper network to the fixed-line NBN.