1. Product Assurance
Guidelines for Product Assurance, Risk
and Fraud Assurance for all new products/
service launch for Telecom.
www.yu.co.ke Revenue Assurance & Fraud
Syed Thameem
2. Product & Service Risk Assessment – Questions
Within the Econet is the “Product Manager” made
responsible for the loss as well as profit?
Who has ownership and responsibility for ensuring products
are launched with fraud protection built in?
What financial figure is placed upon potential fraud losses?
When is the Fraud Team involved within the process?
Is the Fraud Team actually listened to or does marketing rule?
Is the Fraud Team playing catch up when defining fraud
controls?
Is the Fraud Team viewed as being the enemy or a valuable
part of the end to end process?
3. Product & Service Risk Assessment – Introduction
Fraud & Security Risk Assessments – why?
Enables the creation of fraud resistant products and
services.
Prevents and mitigates against losses caused by fraud.
Far more cost effective to implement controls and measures
at the beginning.
Minimises the effects of fraud on genuine customers and
protects the brand image.
Utilised to determine fraud strategy and operational changes
needed relating to working practices and detection tools.
Develops and encourages a coherent approach
Company/Group wide on fraud knowledge and awareness.
4. Product & Service Risk Assessment – Introduction
Product assurance MUST become an integral part of the
new and existing product development process.
Revenue protection features (incl. fraud) should be
assessed for all products/services launched.
Required protection levels, controls and enhancements to
existing services should also be identified & implemented.
Activation, service delivery, billing etc for all products should
be tested to ensure accuracy and that the service can be
charged for!
It is not, and cannot ever be, a single one-off activity; it
requires input from different business areas to succeed.
5. Product Risk Lifecycle
[Diagram: the lifecycle stages Marketing & Development; Dealer / Sales Channel; Activations & Fulfillment; Customer Care; Billing & Collections; Recovery of Money, Equipment & Service; together with the Fraud Department.]
7. Fraud Risks with New Products & Services
Each product & service in the market represents a potential
new opportunity for fraudulent attack.
Pressure to launch new services to gain competitive
advantage often results in little attention to security or fraud
initiatives.
This risk is compounded when these services are offered by
new operators or in highly competitive markets.
A key aspect of the fraud management role is to be an integral part
of the new product and service development process.
The Fraud Team needs to ensure they can determine the
required points of control, measurement, and monitoring to
ensure appropriate prevention initiatives are in place.
8. Fraud Risk Assessment – Stages
Evaluation of risks in new products/services must take place
at each main phase that the product/service passes through,
meaning:
◦ CONCEPT
◦ DESIGN
◦ IMPLEMENTATION
◦ LAUNCH
◦ POST LAUNCH
At each gate, the Fraud Team should assess and determine
the potential risks and consider what new characteristics of
the proposed product/service are likely to be abused – this
will be based on the available documentation, namely the
Business Requirements Specification.
Product/Service characteristics will usually vary significantly
from one phase to another, so evaluation has to be
thoroughly performed each time.
9. Before Starting Assessment
Maintain a database of all the products/services the Fraud
Team receives – via the concept.
Assign a PRIORITY based on the information you have at
Design Phase – you will not want to have to look at
EVERYTHING!
Estimate the level of resources required, level of experience
needed in various fields, and the time at hand.
Assign a project risk code for tracking purposes - for future
monitoring and follow up of actions/responsibilities.
Communicate first decisions to Marketing – for some products
you will have a “no-go” decision, Marketing should know your
position and reasoning.
When agreed commence the FRA – remember, the same
points need to be re-assessed at each Phase/Gate!!
10. Defining the High Level Framework
Product and service risk assessment will need to include
analysis of the following areas:
◦ Technical infrastructure – service delivery mechanisms
◦ Acquisition – service offering & intended market
◦ Registration process – fulfilment of service requirements
◦ Pricing structure – assuring the revenue as opposed to potential
for abuse
◦ Billing – integrity
◦ Charging/billing – methodology and completeness
◦ Customer confidentiality – protection of information
◦ Legal and regulatory – requirements fully met
◦ Authority levels/approval/sign off – compliance
◦ Escalation paths, contingency planning etc – strategy
◦ Security policies & practices – specific to the product
11. Defining the High Level Framework cont’d
Process & Technology Risks are likely to come from the
following areas:
◦ Requirements management
◦ Product/services process design
◦ Product customisation
◦ Program change/ version control
◦ System/configuration data control
◦ Transaction data control
◦ Security architecture
◦ Functionality testing & compliance
◦ Data conversions
◦ End user acceptance
◦ System cutover /going live
◦ Operational support/back up
12. Product & Service Fraud and Security Assessment
[Diagram: “Product Assurance & Service Integrity” at the centre, surrounded by the assessment areas:]
◦ Customer Acquisition
◦ Access to data, controls & auditing
◦ Business processes & Fraud & Security Policy
◦ Billing, collections & payment
◦ Known weaknesses/vulnerabilities
◦ Customer type (mass/micro/corp)
◦ Security structure (physical, IT & network)
◦ Operational procedures and working practices
◦ Solution strategy
◦ Product or service features
◦ Systems & Platforms
13. FRA Checklists
Benefits:
To determine the scope of the proposed audit – technology and personnel
Provide a standard methodology and approach to performing the PDN
audits
To determine the points to prove/disprove
To provide a point of reference for developing the interviews
To facilitate supplementary actions
To prevent future security breaches developing in the business
To eradicate weaknesses in systems, processes and practices
Means of ensuring all aspects of the audit will and have been covered
To be used to produce management reports - facts that will support
decision on security standards compliance
14. FRA Checklists
Details:
Prepare and use standard PDN audit templates
When developing the re-audit programme, look to enhance existing MBSS
checklists
Record all details – network platforms, data sources etc
Detail the information sources used - business & vendor documentation
(internally/externally)
Logically detail technical equipment and processes to be audited
Identify the assets, evaluate likelihood of the risk, severity, risk factor and
audit method e.g. interview, technical scan, document
Grade the management of the perceived risk (high/medium/low)
Create details for system/data: confidentiality, reliability, integrity,
availability
15. Stage 1 – Information Gathering
Essential for earliest possible visibility.
Obtain information about the product/service owners and their involvement in
the product/service delivery – WHO are your business partners.
Obtain background information on the product/service functional elements and
their interoperability, including their interaction with other systems, and general
product/service characteristics.
Ensure that you have a thorough understanding of the main attributes of the
product/service, for example, how the product will be offered, the proposed
market segment (corporate/business/residential), the billing/charging
requirements, collection of revenue or any third party relationship.
Information gathering MUST be performed at all stages of risk assessment -
good communication must be established and maintained with the other
parties involved in the product launch.
When conducting feasibility studies, issue the Fraud Questionnaire as soon as a
new product or risk is discovered.
16. Stage 2 – Analysis
Information obtained MUST be analysed from a risk perspective,
considering the known fraud instances to date, system’s
characteristics and known fraud trends.
When changes occur in the process design, delivery or
implementation method, etc, then the analysis MUST be redone.
When the product is complex, the Analysis stage can be split into smaller
entities for separate analyses, or even between different people if they
require a different set of skills, such as:
◦ Technical specification – engineering for network services and platforms and IT for
billing requirements
◦ Registration process – sales from a customer acquisition perspective and customer
care from a customer handling perspective
◦ Data integrity – engineering for network services and platforms and IT for billing
requirements
◦ Charging flow - engineering for network services and platforms, IT for billing
requirements and RA & FM for revenue protection
◦ Payment reconciliation – Credit & Collections, IT and RA & FM for revenue protection
17. Stage 3 – Risk Assessment
The main objective of the FRA will be to determine, based on the information
analysed in the previous stage, what, why and how fraud risks can occur.
The following aspects MUST be taken into account:
◦ The nature of the service being provided
◦ The revenue requirements vs. acceptable losses
◦ How the product/service will be securely provisioned
◦ How it will be billed and payment received
◦ How different business systems will interact to ensure
revenue integrity
◦ How customer care issues will be handled
◦ The development of necessary audit trails
◦ Reporting on revenue vs. losses including
reconciliation practices
18. Stage 3 – Risk Assessment – cont’d
The FRA is a “Team” based activity involving the product owners,
personnel performing the work (likely to be technical/IT) and
colleagues from other departments that the product or service
impacts upon (likely to be customer care/finance/ credit &
collections – Fraud & RA).
Several techniques should be used during FRAs, these will vary
according to each product’s specifics, but will have to include:
◦ Structured interviews with relevant interested parties (technical/procedural)
◦ Specific focus groups within the operations
◦ Individual assessment using questionnaires (where appropriate)
◦ External information sources – GSMFF, FMS User Groups, other operators etc
◦ Fraud workshops with Development Teams – demonstrate fraud loss potential
◦ Fraud Team to promote an open door in return for assistance
19. Stage 4 – Risk Assessment Matrix
The FRA Matrix should include:
Threats
Vulnerabilities
Impact
Controls
Product/Service narrative
FRAs should be regularly reviewed to ensure matrix is updated.
Research & Intelligence gained MUST be fed into the matrix.
Must encourage “feedback stage” – pooling of ideas.
Study of emerging fraud techniques.
Newly defined controls, points of measurement, reporting etc must
be incorporated.
Essentially FRA matrix should be evolving and usable to benefit all
Fraud Team personnel – experienced and new entrants.
20. Stage 4 – Risk Qualification Matrix
Develop a simple and visual way to assess risk, using a summary of the
risks identified during the previous stages.
Each risk area is scored on a scale of 0 to 3 for likelihood of fraud or
leakage, where 3 will represent the greatest likelihood for fraud at the
current time.
Each risk area is again scored from 0 to 3 for the possible financial impact
if revenue assurance/fraud is possible in that area. These two scores are
then multiplied to give a score from 0 to 9.
Score   Colour       Fraud & Revenue Assurance Risk
0-1     No colour    Insignificant risk
2       Green        Low risk
3-4     Yellow       Moderate risk
6, 9    Red          Severe risk
21. Usage Completeness – Purpose & Value
More precisely, what are we looking for
during the Risk Assessment process?
Firstly, we need to ensure a record will be generated – no XDR, no
revenue – nothing to monitor!
Need to determine the specific controls on the revenue path and
that detection practices will exist - considering the product to be
launched.
Ensure that data reprocessing is available in case of error.
Ensure the XDR generation process is tested and that there are
backups available.
Ensure Partial Records are generated if needed and that
aggregation is correctly performed.
Consider settlement issues.
22. Usage Completeness – cont’d
Ensure that Mediation rules will be changed accordingly, if required
– looking for wrongly rejected CDRs in Mediation!
Check how the duration is being recorded and ensure it is correct.
Look at CDR generation process at the Switch – can the CDRs be
copied or transmitted to a 3rd party?
Look at the controls on CDR path – can someone delete the
records without you knowing?
All these are RA-related pointers... BUT they will turn into Fraud if
the word gets out that systems can be abused!!
Work together with the Technical & RA Teams, replicating
possible fraud scenarios, to ensure controls are working and
effective.
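The usage-completeness checks described on the two slides above (a record for every event, nothing silently dropped on the CDR path, mediation rules updated for the new service, partial records correctly aggregated before rating), as an added example that is not part of the original deck. All records, the service code VAS42 and the rejection reasons are constructed sample data.

```python
"""Usage-completeness checks along the CDR path (switch -> mediation -> billing).

Added example, not from the deck. Every record below is constructed; the
service code VAS42 is a placeholder for the product being launched."""
from collections import defaultdict
from dataclasses import dataclass

NEW_SERVICE = "VAS42"


@dataclass(frozen=True)
class Cdr:
    seq: int        # switch sequence number, expected contiguous per switch
    call_id: str
    part: int       # partial-record index; long calls emit several parts
    service: str
    duration: int   # seconds


# Constructed switch output: seq 5 never appears (deleted on the path or never generated)
SWITCH = [Cdr(1, "c1", 1, "VOICE", 60), Cdr(2, "c2", 1, NEW_SERVICE, 30),
          Cdr(3, "c2", 2, NEW_SERVICE, 45), Cdr(4, "c3", 1, "VOICE", 0),
          Cdr(6, "c4", 1, NEW_SERVICE, 120), Cdr(7, "c5", 1, "VOICE", 20)]
# Constructed mediation output and its rejection log (seq -> reason)
MEDIATED = [SWITCH[0], SWITCH[1], SWITCH[2]]
REJECTED = {4: "zero_duration", 6: "unknown_service"}
# Constructed billing view: c2 should be billed 75 s (30 + 45) but only 30 s was rated
BILLED = {"c1": 60, "c2": 30}


def sequence_gaps(cdrs):
    """Missing switch sequence numbers: records deleted or never written."""
    seqs = {c.seq for c in cdrs}
    return [s for s in range(min(seqs), max(seqs) + 1) if s not in seqs]


def silently_lost(switch, mediated, rejected):
    """Switch records that neither reached mediation output nor were rejected."""
    passed = {c.seq for c in mediated}
    return [c.seq for c in switch if c.seq not in passed and c.seq not in rejected]


def wrongly_rejected(switch, rejected):
    """New-service records rejected as 'unknown_service': the mediation rules
    were not updated for the launch, so the revenue is silently dropped."""
    by_seq = {c.seq: c for c in switch}
    return [s for s, reason in rejected.items()
            if reason == "unknown_service" and by_seq[s].service == NEW_SERVICE]


def aggregate(cdrs):
    """Sum partial records per call, as billing must do before rating."""
    total = defaultdict(int)
    for c in cdrs:
        total[c.call_id] += c.duration
    return dict(total)


def billing_mismatches(mediated, billed):
    """Calls whose billed duration differs from the aggregated mediated duration."""
    expected = aggregate(mediated)
    return {cid: (expected[cid], billed.get(cid))
            for cid in expected if billed.get(cid) != expected[cid]}


if __name__ == "__main__":
    print("sequence gaps:", sequence_gaps(SWITCH))
    print("silently lost:", silently_lost(SWITCH, MEDIATED, REJECTED))
    print("wrongly rejected:", wrongly_rejected(SWITCH, REJECTED))
    print("billing mismatches:", billing_mismatches(MEDIATED, BILLED))
```

In a live check the three inputs would be the switch sequence log, the mediation output plus its rejection file, and the rated usage extract, reconciled per collection period.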
23. Billing Accuracy – Purpose & Value
Ensure that it will not interfere with existing products and
services – can a fraudster use this service to prevent billing
for other services?
Ensure you can accurately identify the customer based on
the records generated – especially in the IP area.
Ensure that you can reprocess the data.
Look for the Call Scenarios described in the documents – do
they cover all possibilities?
Ensure you have drill down capabilities to support fraud
investigations.
Perform tests to ensure that rating is done according to the
published tariffs.
Assess how billing is performed and based on what data – is it
purely CDR based, or are there discounts for volume?
24. Usage Visibility and Reporting
Fraud Team relies heavily on information being VISIBLE.
If records are not available to Fraud/RA systems or reports,
basically there is no control over what is happening in the
network – from a fraud and RA perspective.
MUST ensure, as early as product design phase, that traffic
is included in Fraud and Credit Reports.
Need to ensure traffic is included as a feed into the FMS – if
a new CDR generation platform is being used. Allow for time
to develop decoders and parsers, if necessary.
Ensure visibility is provided to all the operations the
customer is making, not only to the access – DTMF analysis
should be used for IVRs and Voicemail Systems.
25. Service Access Control
Who is using the service and how? – the Fraud Team NEED TO
KNOW THIS!!
Check the network diagrams and proposed architecture layout to
assess if proper segregation is in place – compartmentalisation.
Check if customer can be attacked via IP while using the service.
Check to ensure the new service will not allow a barred customer
to make calls through it.
Check the product will not allow other products to be accessed –
for instance, if it’s a Data product, that Voice is barred.
Ensure a Fair Usage Policy is deployed when offering an “unlimited”
service – assess opportunities for exploitation.
Check that when service is provided based on a
password/username, these are kept encrypted using good
encryption – i.e. AES (Advanced Encryption Standard).
26. Third Party Requirements
Ensure clear requirements are included in the contract with any 3rd
party – do’s and don’ts and extent of liability for fraud.
Customer information and traffic MUST be protected from attack
while using third party service, so protection MUST be built around
that.
Validate 3rd party working practices, procedures - perform site
visits to assess the levels and standards of protection – leave
nothing to trust.
Check any CDR generation mechanism, authentication and
monitoring capabilities.
Especially in cases of Fraud, determine whether the contract
allows for the money to be recovered from the third party or at
least withheld where fraud is evidenced.
Ensure there are reasonable traffic limits and the Fair Usage
Policy is to be applied to the services offered by the 3rd party.
27. Technical Requirements
Check and assess the security of the product in terms of customer
authentication, encryption and network segregation. For IP
products, check whether the network can be attacked via the newly
deployed platform – e.g. a DoS attack.
Ensure comprehensive Audit Trails are available and that there is a
defined and workable process for reviewing them – fatal to find out
later that nothing can be checked or validated.
Ensure backups will be performed and that the data will be stored
long enough to assist in fraud investigations.
Perform technical testing by using the product as part of the
technical group and test its limits – busy hour. Keep in mind that
network elements might behave differently when traffic volumes are
high.
28. Testing Requirements
Fraud Team MUST be part of the Testing Team to
assess both risks and customer experience while using
the product.
Check usage against billing to determine that rating is
performed correctly.
Use TCG if available to assess duration accuracy and
rounding rules applied in rating.
Perform regression tests of existing revenue streams to
ensure nothing is being lost because of the new
product/service.
Test all defined controls to ensure they all work before
product is launched! – remember, DO NOT ASSUME
everything will work without CHECKING IT!
29. Specifying Controls
Develop a Risk/Control Matrix to determine overall fraud protection for the product
or service.
Ensure internal processes and procedures include the new product/service – for
instance, that there is a suspension method available in case of fraud or evidence
of non charging, service payment issues etc.
Controls should fall into one of these categories:
◦ Procedural Controls – changes/improvements in the way
things are being done
◦ System Controls – changes in the way the systems
operate
◦ Physical and Logical Controls – generally built around
the production systems, which may involve the
use/creation of physical tokens, creation of secured areas,
etc
Identified fraud risks will be recorded as a combination of consequences and
likelihood, together with the corresponding controls, plus advice and guidance on
reducing the risk or improving the position.
30. Specifying Controls cont’d
System Based Controls – e.g. application configurable controls –
more reliable than manual based controls.
Automated Controls – e.g. controlled by application functionality.
Manual Process Controls – e.g. critical manual controls that will
operate outside of an application for integrity of data/reliability.
Interface/Integration Controls – e.g. controls that will ensure data
integrity of the interface – need to be identified and verified.
Reporting Controls – to ensure that reports can be generated from
an application and that they will be accurate.
Application Security Controls – e.g. SoD (segregation of duties) –
restrict inappropriate or excessive access privileges.
31. Fraud Risk Assessment Output
It will be essential to communicate the outcome to the business.
Example methods are:
◦ Inherent Risk: None/Low/Med/High – stating the
risks as they exist in raw form – PRIOR to controls
◦ Residual Risk: None/Low/Med/High - Identified
risks to be mitigated by proposed controls
◦ Assessment Rating: Med/High – Fraud Team
RECOMMEND not to launch or alternatively define
the NEED for “Specific Modifications/Controls”
NB: The Product Owner must be in a position to request a further
FRA if any agreed controls are not implemented or if the product
is significantly changed.
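The Stage 4 Risk Qualification Matrix (likelihood 0-3 times impact 0-3, banded by colour) combined with the inherent/residual/assessment-rating output on the slide above, as an added example that is not part of the original deck. The risk-area names are taken from the deck's framework; the sample scores, the controls and the mapping from colour bands to None/Low/Med/High are constructed assumptions.

```python
"""Risk Qualification Matrix (Stage 4) and FRA output (inherent vs residual risk).

Added example, not part of the original deck. The scores, controls and the
band-to-rating mapping below are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RiskArea:
    name: str
    likelihood: int                              # 0..3, 3 = greatest likelihood now
    impact: int                                  # 0..3, financial impact if it occurs
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # after controls; None = unchanged
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Multiply the two 0-3 scores to give 0-9, as the deck's matrix does."""
    for v in (likelihood, impact):
        if not 0 <= v <= 3:
            raise ValueError("likelihood and impact must be 0..3")
    return likelihood * impact


def band(s: int) -> Tuple[str, str]:
    """Map a 0-9 product onto the deck's colour and risk bands."""
    if s <= 1:
        return ("No colour", "Insignificant risk")
    if s == 2:
        return ("Green", "Low risk")
    if s <= 4:
        return ("Yellow", "Moderate risk")
    return ("Red", "Severe risk")      # only 6 and 9 are reachable products


# Assumed mapping from the deck's bands to its None/Low/Med/High ratings.
RATING = {"Insignificant risk": "None", "Low risk": "Low",
          "Moderate risk": "Med", "Severe risk": "High"}
ORDER = ["None", "Low", "Med", "High"]


def assess(areas: List[RiskArea]):
    """One row per area (inherent = before controls, residual = after) plus the
    assessment rating: Med/High residual risk means recommend not to launch."""
    rows = []
    for a in areas:
        inherent = score(a.likelihood, a.impact)
        rl = a.likelihood if a.residual_likelihood is None else a.residual_likelihood
        ri = a.impact if a.residual_impact is None else a.residual_impact
        residual = score(rl, ri)
        rows.append({"area": a.name, "controls": list(a.controls),
                     "inherent": inherent, "inherent_rating": RATING[band(inherent)[1]],
                     "residual": residual, "residual_rating": RATING[band(residual)[1]]})
    worst = max(rows, key=lambda r: ORDER.index(r["residual_rating"]))
    if worst["residual_rating"] in ("Med", "High"):
        rec = "RECOMMEND not to launch, or define the need for specific modifications/controls"
    else:
        rec = "No objection to launch; controls to be tested before launch"
    return rows, rec


# Constructed sample assessment for a hypothetical "unlimited" data bundle.
SAMPLE = [
    RiskArea("Pricing structure", 3, 3,
             controls=["Fair Usage Policy", "traffic limits"], residual_likelihood=1),
    RiskArea("Billing - integrity", 2, 1),
    RiskArea("Customer confidentiality", 1, 1),
]

if __name__ == "__main__":
    rows, rec = assess(SAMPLE)
    for r in rows:
        print(f"{r['area']:<26} inherent {r['inherent']}/{r['inherent_rating']:<4} "
              f"residual {r['residual']}/{r['residual_rating']}")
    print("Assessment:", rec)
```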
32. Fraud Risk Assessment Handling
There are several ways to handle the Fraud Risk,
once identified – the main methods are:
◦ Avoid the Risk: by deciding not to proceed with the
activity likely to generate the risk
◦ Reduce the likelihood: take actions to reduce or control
the likelihood (such as additional levels of protection,
segregation of duties, etc)
◦ Reduce the Consequences: take actions to reduce the
consequences of a risk (define liability for losses, price
and charging policy, etc)
◦ Transfer the Risk: This could involve another party
bearing or sharing some element of the perceived risk –
for instance, in case of web payments transferring the risk
to an external merchant – PayPal, Paily, Moneybookers,
etc.
33. Monitoring & Measurement – Post Launch
Fraud Team MUST monitor progress – usability of product after
launch.
This is essential where a product or service was launched
regardless of FRAUD RISK.
Fraud Team MUST look to demonstrate “first fraud occurrence”
and corrective actions now required.
Fraud technique – modus operandi (external/internal/collusion etc).
Value of losses being experienced – if any are evidenced.
Effectiveness of controls defined and implemented.
Define the time frames for “review and check” activities.
Determine changes needed in fraud detection – new thresholds or
alarms in FMS etc.
Report over time on associated fraud losses by product or service.
34. Balanced Approach – Session Summary
Cost of Prevention / Detection /
Investigation
Software will not prevent fraud
People will not prevent fraud
Need to work together
Software to help people
35. End
We can stop revenue leakage proactively: kindly involve
RA in all our new product/service launches.
Thank you for your attention and Support.