PROCESS IMPROVEMENT DIVISION, OTE GROUP

ATHENS, MAY 2019

Agenda

▪ Who are we?
▪ What is SOC?
▪ OTE SOC paradigm
▪ Areas to consider
▪ Benefits
▪ Next steps

Who are we?

OTE GROUP AT A GLANCE

4 Key Services: Fixed, Mobile, Broadband, Pay TV
ICT
2 Countries of Operation: GR, RO
Subsidiary Companies
≈ €4 Billion Revenues
≈ 20,000 Employees
Shareholding Structure: 45% Deutsche Telekom, 5% Greek State, 50% Public

CUSTOMER NEED

To ensure…
▪ system reliability, availability, and integrity
▪ security, and build trust

To protect them from…
• disclosure of private and confidential data
• system failures due to disasters impacting service

To demonstrate…
▪ compliance with robust frameworks of internal controls
▪ implementation of best practices

What is SOC?

SOC IN DETAIL

SOC Definition: SOC is known as Service Organization Controls Reports (ISAE 3402 or SSAE 16), issued to certify organisations managing customers' mission-critical systems and storing & processing confidential customer information for multiple customers.

SOC Scope: SOC is an independent attestation report provided by Chartered or Certified Public Accountants to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements.

SOC & Auditors: SOC is used by customers' auditors to understand controls related to a service that is likely to be relevant to clients' internal control as it relates to financial reporting, in order to reduce or eliminate audit procedures at the service organisation.

What's in it for the customer? SOC can be used by customers to understand the design adequacy and operating effectiveness of their service provider's controls for the outsourced services offered.

SOC is a market trend: SOC is increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards N° 70, Service Organisations (SAS 70) in 1992.

SOC is continually assessed: SOC requires annual assessment to ensure operation of the established control environment. Management is required to provide a written assertion on the effectiveness of controls & acknowledges responsibility with regard to sanctions.

SOC REPORTS & TYPES

Type I: Covers the suitability of design of controls as of a point in time (snapshot)
Type II: Covers the suitability of design & operating effectiveness of controls over a period of time, typically 6 or 12 months

SOC 1 (Type I / Type II)
Ensures effectiveness of the organization's control environment that affects the customer's financial reporting
Scope: Financial process & a basic scope of IT controls (ITGCs) related to the Statutory Financial Statements Report
Distribution: For Internal Use ONLY

SOC 2 (Type I / Type II)
Ensures effectiveness of the organization's control environment relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy requirements
Scope: Trust Service Principles
❑ Security – the system is protected against unauthorized access (physical & logical)
❑ Availability – the system is available for operation and use as committed or agreed
❑ Confidentiality – information designated as confidential is protected as committed or agreed
❑ Processing Integrity – system processing is complete, accurate, timely & authorized
❑ Privacy – personal information is collected, used, retained, disclosed and disposed of in conformity with required criteria
Distribution: For Internal Use ONLY

SOC 3
Same as SOC 2 without including the detailed testing description – used for marketing purposes
Distribution: Can be posted

WHY SOC?

▪ Can be used to replace other audits (SOX, internal controls audit, statutory etc.) as it provides independent assurance by Chartered Auditors
▪ The results of the auditor's procedures are disclosed in the issued report
▪ Satisfies the customer's external audit requirements
▪ Controls over financial reporting, security, data and privacy are evaluated, tested & reported
▪ The evaluation criteria may be customized, as the service organization is responsible for describing the controls that will be disclosed in the service auditor's report

OTE SOC Paradigm

IMPLEMENTATION APPROACH

GAP ANALYSIS → RISKS & PROCESSES → CONTROL MATRIX → RECOMMENDATION PLAN → INTERNAL MANAGEMENT ASSESSMENT → CERTIFICATION

IMPLEMENTATION AND CERTIFICATION

OUR ISSUED SOC REPORTS | ROADMAP

OTE Existing Control Environment

2014: Management Testing | Assess Control Existence, Design & Operating Effectiveness for Managed IT Services
Feb 2015: SOC 1 Type 2 Report | Managed IT Services (TMNL)
Nov 2015: SOC 2 Type 1 Report | Managed IT Services (TMNL)
April 2016: SOC 2 Type 2 Report | Managed IT Services (TMNL)
Jan 2017: SOC 1 Type 2 Report | Managed IT Services (TMNL | CCH)
June 2017: SOC 2 Type 2 Report | Managed IT Services (TMNL | CCH)
October 2018: Management Testing for New Service: 1st Level Support
Jan 2019: SOC 1 Type 2 Report | Managed IT Services (TMNL | CCH | FRAPORT)
End of May 2019: SOC 2 Type 2 Report | First Level IT Support Services
May 2019: Management Testing for New Service: Managed Security Services
To be Continued…

OUR ISSUED SOC REPORTS AT A GLANCE

Report | Scope | Customer | Period | Status
SOC 1 Type 2 Report | Managed IT Services | TMNL, CCH, Fraport | 01.01 – 31.12 / 2018 | ▪ The first SOC 1 Type 2 Report was issued in February 2015 only for TMNL ▪ IT Services offered to CCH were included in the SOC 1 Type 2 Report issued in January 2017 ▪ IT Services offered to Fraport were included in the SOC 1 Type 2 Report issued in January 2019
SOC 2 Type 2 | Managed IT Services | TMNL, CCH | 01.01 – 31.12 / 2018 | ▪ The first SOC 2 Type 2 Report was issued in April 2016 only for TMNL ▪ IT Services offered to CCH were included in the SOC 2 Type 2 Report issued in June 2017
SOC 2 Type 2 | First Level IT Support Services | CCH | 01.07 – 31.12 / 2018 | ▪ The first SOC 2 Type 2 Report for the service will be issued end of May 2019
SOC 2 Type 2 | Managed Security Services | CCH | 01.01 – 31.12 / 2019 | ▪ The first SOC 2 Type 2 Report for the service will be issued end of January 2020
SOC 2 Type 1 | Managed IT Services | TMNL | November 2015 | ▪ The first SOC 2 Type 1 Report was issued in November 2015 only for TMNL

* Our reports are based on the ISAE 3402 assurance standard. However, the SSAE 16 standard may also be used if otherwise selected. See http://isae3402.com/ or http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization%27sManagement.aspx

UNIFIED CONTROL MATRIX (Levels of Service vs. Scope)

LEVEL 0: CONTROLS BASELINE FOR MARKET
SCOPE: Internal & External Systems; Physical & Logical Security | Service Management; In scope: HW / SW / Database / Network / Data Centers / VMs

LEVEL 1: MINIMUM CONTROLS FOR PROVIDING SERVICE
SCOPE: Service Provider Controls (ICT Services) / Internal Systems for internal services

LEVEL 2: CONTROLS TO ENSURE DATA CONFIDENTIALITY & PRIVACY
SCOPE: Internal Systems & as a Service Provider handling data classified as Confidential / Private

LEVEL 3: SPECIALIZED SECURITY CONTROLS
SCOPE: Internal Systems & Network dedicated to the provision of the service

IMPLEMENTATION OPTIONS are weighed by: difficulty | cost | effort | risk | maturity

Benefits

OUR BENEFITS FROM SOC IN TERMS OF PROCESSES (1/2) – Internally Designed

▪ Establishes a formally structured Internal Control Environment for the services rendered, through common processes incorporating the requirements of all frameworks / a Common Framework approach to service rendering rolled out to all customers
▪ Leverages customer understanding of our processes through a single best description of the services rendered and the processes that support them (Service Description Documentation)
▪ Ensures full alignment with the established Internal Control System – avoids overlapping and operational inefficiencies, further enhances the value of controls & reduces auditor costs in areas common with the statutory audit
▪ Enhances organization culture related to the provision of assurance for services offered to customers; ensures continuous awareness & cross-functional cooperation, and breaks down silos
▪ Ensures systematic monitoring of processes & controls operation & creates opportunities for continuous improvement
▪ Facilitates implementation & systematic review of ISO 27001, ISO 20000, ISO 31000, ISO 9001, PCI, GDPR by implementing a common integrated approach for all certification standards

OUR BENEFITS FROM SOC IN TERMS OF PROCESSES (2/2) – Internally Designed

▪ Fosters process & controls discipline by engaging Business Owners in its implementation and maintenance & creates a culture of ownership
▪ Provides competitive advantage in ICT tenders / reinforces brand reputation and customer trust via the validity of a secure operating environment incorporating the relevant control points
▪ Ensures legal & regulatory compliance
▪ Reinforces the company's overall Strategy & Objectives and GRC approach
▪ Reduces duplication and produces internal efficiency
▪ Only one external audit performed for all our customers

Areas to Consider

AREAS TO CONSIDER

01 Needs continuous internal management assessment and annual assessment by the external auditor
02 It is a high-cost certification
03 Requires alignment and clear specification & agreement of the services rendered with the customer at the stage of contract signing
04 PMO role to coordinate internal & external activities
05 Cross-functional cooperation
06 Specific predefined process framework through which to offer a common service that satisfies differentiated customer needs
07 Common Asset Inventory Tool

Next Steps

NEXT STEPS

1 Process Analytics: high-level monitoring dashboards (automate where possible / users to perform audit of controls)
2 Managed improvements by creating company-wide projects
3 One common report for all customers
