Cyber Citadel TSA Code of Practice Testing and Validation Services

If you are a large organisation within the UK telecommunications sector, the deadline is upon you to comply with the Telecommunications Security Act (TSA). This act sets out a code of practice, developed in collaboration with the NCSC, that covers network management, monitoring and analysis, supply chain, and other critical operations.

At Cyber Citadel, we understand what needs to be done and offer a full suite of services to help your organisation comply with the TSA Code of Practice. Our expertise in extensive testing and validation processes, with a focus on penetration testing, ensures robust security against potential threats. 

Key Information

  • March 31st 2024 – All Tier 1 (greater than 1 billion GBP in revenue) must comply. This includes entities (of any size or revenue) interacting with Tier 1 organisations.
  • March 31st 2025 – All Tier 2 (greater than 50 million GBP in revenue) must comply. Again, any entities interacting with Tier 2 organisations must also meet this deadline.
  • This mandate affects both providers and suppliers – any entity within the supply chain must comply. Small businesses only need to comply if they interact with Tier 1 or 2 organisations.

Penetration Testing Services

  • External Network: Simulate real-world attacks on your external connections to uncover vulnerabilities and weak entry points.
  • Internal Network: Assess your internal network security by simulating insider threats and identifying potential risks.
  • Web Applications: Identify and mitigate vulnerabilities in your web applications, including common issues like SQL injection, Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF).
  • Wireless Networks: Test and secure your wireless networks by detecting vulnerabilities and misconfigurations.
  • Social Engineering: Test your organisation’s resilience against phishing, baiting, whaling and other social engineering attacks.

Privileged Access Management (PAM) Services

  • Privileged Access Workstations (PAWs): Implement and manage secure workstations to prevent unauthorised access.
  • Access Logging and Monitoring: Deploy solutions to log and monitor all privileged access, including session recording and event tracking.
  • Password Vaulting: Securely store and inject passwords to reduce the risk of exposure.

Third-Party Access Control

  • Secure Remote Access: Ensure that third parties such as MSPs and external administrators accessing your management plan meet the same security standards as your organisation.
  • Contractual Compliance and Auditing: Develop and enforce agreements to ensure third-party compliance with security standards, supported by robust auditing.

Infrastructure Security and Assumed Compromise

  • Infrastructure-as-Code: Express infrastructure in the language of code for faster, safer deployment and better version control enabling regular system-restore from known-good image backups  or configurations to limit attacker dwell time and lateral movement.
  • Ephemeral Infrastructure Management: Implement and manage ephemeral agents and Terraform integrations to provision secure infrastructure on demand, reducing the attack surface.
  • Infrastructure Management: Implement and manage replica (ephemeral) environments and agents to test new infrastructure and integrate it quickly and securely into the network, reducing the attack surface and vulnerability window.

Security Policy Compliance and Implementation

  • Overarching Security Measures: Assist in implementing security measures for various management planes, signaling planes, and third-party suppliers in line with the TSA Code of Practice.
  • Continuous Monitoring and Analysis: Set up comprehensive monitoring and analysis to ensure ongoing compliance and rapid incident response.

Consultation and Custom Solutions

  • Flexible Implementation Guidance: Consultation to help clients understand and implement TSA Code of Practice measures, with justifications for any deviations.
  • Custom Security Solutions: Tailored security solutions to meet the specific needs and configurations of your clients’ networks and business structures.

Don’t Delay!

The deadlines for compliance are here: check now whether you are required to comply.

Remember, if your business forms any part of the supply chain of a Tier 1 or 2 organisation you will need to act! Failing to do so will have consequences since the regulatory body Ofcom has been directed to proactively assess security practices and have the power to issue fines of up to 10% of the annual turnover of a company. In addition, smaller companies working with a Tier 1 or 2 organisation may lose business if they are non-compliant as the large companies try to avoid risking regulatory violations.

If you are unsure about any aspect of compliance, contact Cyber Citadel. Whether it’s a few modifications or rebuilding part of your network infrastructure, Cyber Citadel is there to make it as painless and seamless as possible. Each service we offer is designed to ensure compliance with the TSA Code of Practice, and ultimately enhance your organisation’s security posture and protect against threats.