Mobile Mentor achieved TaaS Certification for our Device Security and Threat Management services in late 2019 – an accomplishment we are very proud of, but what does it actually mean?
Three years ago, when my boss said he wanted me to take over the task of getting certified, I had no idea what I was saying yes to, and it’s been quite a journey!
What is Telecommunications as a Service (TaaS)?
TaaS, or Telecommunications as a Service, is a catalogue of approved telecommunications and managed services available to New Zealand government agencies to procure subscription services from.
The Department of Internal Affairs (DIA) act as a lead agency and negotiate services and contracts with suppliers on the TaaS panel, of which Mobile Mentor is one of the founding members.
TaaS certification ensures an agency’s data is secured at the appropriate level through a comprehensive audit process and confirms that the service provider has achieved a high level of competency around systems and security.
What does it mean to Mobile Mentor?
It’s helped us as a company mature in every aspect of our business. The systems, security and processes that we have designed, built, implemented and strengthened as a result of the certification process have streamlined and improved much of what we do on a daily basis and these benefits flow on to all of our customers.
TaaS certification process.
In the first phase of the certification process we defined the scope of services and worked with our auditor, Quantum Security, to identify what controls we would be assessed on.
For the services in scope for Mobile Mentor, we ended up being assessed on over 650 controls, including information security policies, governance, resource security, password and cryptography policies, physical security, change management, incident management and BCP, to name a few. DIA then reviewed and endorsed this scope and we were able to move forward.
The audit phase involved Mobile Mentor’s auditor and DIA’s auditor collecting, reviewing and assessing the evidence gathered to show the agreed controls had been met.
To get to this point, all of Mobile Mentor’s processes, systems and policies needed to be in place, in production and actively used – all our resources vetted and trained – in fact, the whole business was involved in maturing to a point where an auditor would approve that what we do and how we do it meets the expected standards.
We also pen-tested the software application components of our service to ensure there were no vulnerabilities which could put customer data at risk.
The final phase involved reviewing the audit findings, fixing up some processes that weren’t quite up to scratch, identifying which risks in the service can’t be avoided and understanding how these risks can at least be mitigated, and putting a plan in place to initiate an ongoing annual assurance process to ensure all the processes and controls are kept at a high standard.
It’s at this point our All of Government ICT Shared Capabilities Service Security Certificate was approved and signed off – woohoo!
But we don’t get to rest – each day the team look at new solutions, processes, policies and services which can be implemented to better achieve the controls and ultimately provide a better level of security and service for our customers.
As a small local business Mobile Mentor could not have achieved certification without Microsoft’s Enterprise Mobility and Security E5 licensing. The platforms, tools and services made available through this licensing have allowed us to secure our identities, protect our data, deliver endpoint management and security across all our devices and gain visibility into our cloud apps and services.
If you would like to know more about what we have learned and our best practice recommendations from having implemented these services internally and for our customers please reach out – we would love to have that conversation with you.