ConnexCS Cybersecurity Policy


Document Owner: Managing Director and Technical Content Writer
Applicability: ConnexCS Global Infrastructure, Employees, Contractors, and Service Providers.


1. Purpose

The purpose of this document is to define ConnexCS’s approach to cybersecurity, establish responsibilities, and outline controls designed to:

  • Protect the confidentiality, integrity, and availability of ConnexCS systems and customer data.
  • Ensure compliance with the UK Telecommunications (Security) Act 2021, Ofcom’s Security Guidance, and other applicable international cybersecurity standards (e.g., ISO 27001, NIST CSF).
  • Prevent, detect, and respond to cyber threats and security incidents.
  • Promote a culture of security awareness across all staff and third-party vendors.

2. Scope

This policy applies to:

  • All ConnexCS employees, contractors, and third-party service providers.
  • All ConnexCS systems, infrastructure, applications, and cloud services.
  • All operational processes related to customer services, data handling, and network management.

3. Roles and Responsibilities

Role | Responsibilities
--- | ---
Managing Director / DevOps Manager | Oversees cybersecurity strategy, policy enforcement, and compliance.
Managing Director / DevOps Manager / NOC Team | Monitors networks, detects anomalies, and escalates incidents.
Managing Director / DevOps Manager / NOC Team | Responds to incidents, conducts investigations, and implements corrective actions.
All Employees | Follow security policies, report suspicious activity, and complete training.
Third-Party Vendors | Adhere to ConnexCS security requirements as defined in contracts and SLAs.

4. Security Governance

ConnexCS maintains a structured cybersecurity governance framework that includes:

  1. Policies and Procedures – Clearly documented and approved for all key security areas.
  2. Regular Audits – Internal and external audits to verify policy adherence.
  3. Continuous Monitoring – 24/7 monitoring of networks, applications, and cloud systems.
  4. Risk Management – Identification, assessment, and mitigation of cybersecurity risks.
  5. Training and Awareness – Regular (annual) staff training on phishing, password hygiene, and incident reporting.

5. Technical Controls

5.1 Network Security

  • Internal and external firewalls with strict access rules.
  • Segmented networks with VLANs and VPN tunnels for inter-zone communication.
  • Continuous monitoring for unauthorized access attempts and anomalies.

5.2 Data Protection

  • All sensitive customer and operational data is encrypted at rest and in transit.
  • Data stored in databases is secured with strong encryption and access controls.
  • Regular backups with secure storage and periodic restoration tests.

5.3 User Access Management

  • Strong authentication protocols including two-factor authentication (2FA) for administrators.
  • Password policies based on NIST guidelines: minimum length, no complexity requirements, and hashed storage with Argon2.
  • Principle of least privilege enforced for all user accounts.

5.4 System Security

  • Servers and endpoints are patched and updated regularly.
  • SSH keys required for direct server access; long, complex passwords where keys are not possible.
  • Intrusion Detection and Prevention Systems (IDS/IPS) actively monitor for threats.

5.5 Application Security

  • Secure development lifecycle with code reviews, static analysis, and vulnerability testing.
  • HTTPS enforced with SHA256 SSL certificates and Perfect Forward Secrecy.
  • Security testing for APIs and web portals, including penetration testing and vulnerability scanning.

6. Cybersecurity Incident Management

6.1 Incident Definition

A cybersecurity incident is any event that threatens the confidentiality, integrity, or availability of ConnexCS systems or data.

6.2 Incident Lifecycle

  1. Detection – Automated monitoring and user reporting.
  2. Classification – Determine category (Platform, Operational, Security) and severity (P0–P5).
  3. Containment – Isolate affected systems to prevent propagation.
  4. Eradication – Remove malicious components or vulnerabilities.
  5. Recovery – Restore systems from verified backups.
  6. Post-Incident Review – Root cause analysis, lessons learned, and corrective measures.

6.3 Communication and Reporting

  • Internal escalation to Security Operations and NOC.
  • Customer notifications where applicable.
  • Regulatory notifications in line with UK Telecommunications Security Act and Ofcom guidance.

7. Monitoring and Logging

  • Centralized logging of network, application, and system events.
  • Alerts configured for unusual or suspicious activities.
  • Logs retained for a minimum of 3 years for compliance and forensic purposes.

8. Physical Security

  • Datacenters secured with access control, surveillance, and environmental monitoring.
  • Hardware access restricted to authorized personnel.
  • Portable devices secured with encryption and remote wipe capabilities.
  • All physical infrastructure is hosted in secure third-party datacentres (e.g., AWS) that meet ISO 27001 and SOC 2 standards. ConnexCS personnel have no direct hardware access.

9.1 Overview

Advances in AI/ML have created new attack surfaces. ConnexCS recognises AI-driven fraud and AI voice cloning as credible, evolving threats that may be used to bypass authentication, social-engineer staff or customers, and automate large-scale attacks. This section describes those risks and the controls ConnexCS has adopted.

9.2 AI Fraud — Risk Description

AI Fraud refers to attacks where AI tools are used to:

  • Automate social engineering (phishing, vishing) at scale.
  • Generate believable fraudulent messages or personalised content to deceive customers or staff.
  • Orchestrate multi-stage attacks using natural language generation and decision automation.

Impact examples: financial loss, unauthorised access, reputational damage, regulatory breach.

9.3 AI Voice Cloning — Risk Description

AI Voice Cloning / Deepfake Audio refers to generated or manipulated speech that mimics a legitimate person’s voice. Attackers may use voice clones to:

  • Bypass voice-based authentication.
  • Convince call-centre staff to perform privileged actions (e.g., number porting, password reset).
  • Socially engineer customers or partners.

Impact examples: fraudulent transactions, data disclosure, account takeover.

9.4 AI Attack Vectors — Common Techniques

  1. Deepfake Audio & Synthetic Speech: Using samples to create convincing voice clones.
  2. Automated Vishing Campaigns: AI drives large-scale personalised voice calls or messages.
  3. Adaptive Phishing: LLM-generated, context-aware spear-phishing messages.
  4. Voice Interface Manipulation: Adversarial inputs to voice recognition or IVR systems.
  5. Credential Stuffing at Scale: Using AI to optimize credential stuffing and evasion tactics.
  6. Data Poisoning / Model Evasion: Tampering with training data or using adversarial examples to degrade detection models.

10. Controls & Mitigations for AI Threats

ConnexCS employs layered countermeasures across prevention, detection, and response.

10.1 Prevention Controls

  • Hardened Authentication: Enforce multi-factor authentication for all privileged actions. Avoid sole reliance on voice as authentication.
  • Policy for Sensitive Actions: Require multi-channel confirmation (e.g., in-app approval + email) for high-risk changes (number porting, PBX config, billing changes).
  • Data Minimisation: Limit public exposure of voice samples and PII that could be used for cloning.
  • Supplier Controls: Contractual security requirements for partners that process voice data, including prohibitions on reuse of samples for model training.
  • Rate-Limiting & Proof-of-Work: Apply throttles and anti-automation measures on APIs and IVR endpoints to reduce automated abuse.

10.2 Detection Controls

  • Call-Fingerprint & Voice-Forensics: Integrate tools that analyse acoustic features, cadence, spectral anomalies, and frequency artifacts to flag synthetic speech.
  • Anomaly Detection for Behavior: Monitor for unusual calling patterns, rapid session changes, or actions out of line with normal customer behaviour.
  • ML-based Deepfake Detectors: Deploy and maintain models tuned to detect AI-synthesized audio. Regularly evaluate model performance against new deepfake techniques.
  • Enhanced Logging: Capture rich metadata (call origin, SIP headers, device fingerprints) for correlational analysis and investigations.

10.3 Operational & Procedural Controls

  • Staff Training: Train customer service and NOC teams to recognise vishing and deepfake attempts, including test drills and playbook rehearsals.
  • Call Verification Playbook: Require staff to follow strict verification scripts and to escalate any unusual voice or content characteristics.
  • Customer Awareness: Publish guidance for customers on voice cloning risks and recommended account protections (2FA, hardware tokens).
  • Proof-of-Identity Upgrades: Where required, move to stronger proof methods (hardware token, in-person verification, registered device challenge).

10.4 Response & Containment Controls

  • Rapid Block & Isolate: On detection of cloned voice or AI abuse, block related call-paths and isolate affected accounts.
  • Forensic Capture: Preserve raw call audio, SIP traces, and related logs under chain-of-custody for investigation and evidence.
  • Notification & Remediation: Notify impacted customers, rotate credentials, and implement account-locking or additional verification as needed.

11. AI-Specific Incident Playbook (Summary)

When AI-driven fraud or voice cloning is suspected:

  1. Triage & Validate
    • Flag incident as Security category. Assign severity based on scope (P0–P5).
    • Capture full call recordings, SIP headers, and IVR logs.
  2. Containment
    • Temporarily suspend affected accounts or call routes. Throttle suspicious endpoints.
    • Apply blacklists for identified source IPs / SIP URIs (short-term, with review).
  3. Investigation
    • Run voice-forensic and deepfake detection analysis.
    • Correlate with login and API activity; check for linked fraud patterns.
  4. Remediation
    • Reset credentials and enforce MFA on impacted accounts.
    • Revoke compromised keys or tokens; update routing policies.
  5. Customer Communication
    • Inform affected customer(s) with details and recommended actions. Offer monitoring support.
  6. Regulatory & Legal
    • If there is personal data loss or regulatory impact, notify Ofcom / ICO as required by law and policy.
  7. Post-Incident Review
    • RCA, update detection models and playbooks, and run targeted staff/customer awareness campaigns.

12. Machine Learning Model Security & Governance

  • Model Inventory & Versioning: Maintain records of deployed ML models used for detection and their training data lineage.
  • Adversarial Robustness: Regularly test detection models against adversarial samples and simulated deepfakes.
  • Retraining & Validation: Periodic retraining with curated datasets and validation against holdout deepfake benchmarks.
  • Explainability & Monitoring: Monitor model drift, false-positive/false-negative rates, and provide explainability for key decisions impacting customers.

13. Types of Data Encryption Standards

ConnexCS employs multiple industry-standard encryption mechanisms to ensure data confidentiality, integrity, and authenticity across all layers of communication and storage. These include encryption in transit, at rest, and within internal VPN links.


13.1. Encryption in Transit

Data transmitted between clients, browsers, SIP endpoints, and ConnexCS servers is protected using the Transport Layer Security (TLS) protocol.

  • Protocols Supported:
    • TLS 1.3 (Preferred)
    • TLS 1.2 (Fallback for older devices)
  • Cipher Suites: ConnexCS supports modern, secure cipher suites that employ:
    • Elliptic Curve Cryptography (ECC) — typically 256-bit curves.
    • RSA 3072-bit keys for backward compatibility.
    • AES-256-GCM for symmetric encryption.
    • SHA-384 / SHA-256 for message authentication and hashing.
  • Perfect Forward Secrecy (PFS): Implemented via Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange, ensuring that each session uses a unique key and that a later compromise of a long-term private key cannot be used to decrypt past communications.
  • Certificate Standards:
    • Elliptic Curve Digital Signature Algorithm (ECDSA) with SHA-384 signatures.
    • Certificates are issued by trusted Certificate Authorities (CAs) and renewed regularly.
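
Added example (not ConnexCS code): a Python check, using the standard ssl module, that builds a server context limited to the protocols and suites listed above and audits a cipher list against them. The function names and the LEGACY_SAMPLE list are constructed for illustration.

```python
import ssl

def build_policy_context() -> ssl.SSLContext:
    """Server-side context restricted to what section 13.1 lists."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # fallback floor
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3  # preferred
    # OpenSSL cipher string: ECDHE key exchange AND AES-256 AND GCM.
    # This only selects TLS 1.2 suites; TLS 1.3 suites are managed separately.
    ctx.set_ciphers("ECDHE+AES256+AESGCM")
    return ctx

def audit_ciphers(ciphers):
    """Return (name, reason) for each enabled suite that breaks the policy.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output.
    """
    findings = []
    for c in ciphers:
        name = c["name"]
        if c["protocol"] == "TLSv1.3":
            # TLS 1.3 suite names carry no key exchange; certificate-based
            # TLS 1.3 handshakes always use ephemeral (EC)DHE.
            continue
        if not name.startswith("ECDHE-"):
            findings.append((name, "no ECDHE key exchange, so no PFS"))
        elif "AES256-GCM" not in name:
            findings.append((name, "symmetric cipher is not AES-256-GCM"))
    return findings

# Constructed sample: a list with legacy suites left enabled.
LEGACY_SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2"},            # static RSA
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},  # AES-128
]

if __name__ == "__main__":
    ctx = build_policy_context()
    print("policy context findings:", audit_ciphers(ctx.get_ciphers()))
    for name, reason in audit_ciphers(LEGACY_SAMPLE):
        print(f"legacy sample: {name}: {reason}")
```

The same audit_ciphers() call can be run against the get_ciphers() output of any existing SSLContext to see which enabled suites fall outside the list.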

13.2. VPN Encryption (Server-to-Server Communication)

ConnexCS utilizes Tinc VPN for encrypted communication between internal infrastructure components. The VPN encryption stack includes:

  • Elliptic Curve Cryptography (ECC, 521-bit) for authentication and key exchange.
  • AES (Advanced Encryption Standard) for data encryption on the wire.
  • HMAC-SHA-256 for message authentication and integrity verification.
  • Ephemeral keys are used to provide Perfect Forward Secrecy across all sessions.

This ensures that inter-server traffic, management communications, and sensitive replication data remain secure even within private networks.


13.3. Encryption at Rest

Data encryption at rest protects stored information from unauthorized access or disclosure.

  • ConnexCS uses AES-256 for encrypting sensitive data at rest within databases, storage volumes, and backups.
  • Encryption keys are managed securely, following strict access controls and rotation policies.

Summary of Encryption Standards

Encryption Type | Protocol / Algorithm | Bit Strength | Purpose | Features
--- | --- | --- | --- | ---
TLS 1.3 / 1.2 | Transport Layer Security | 256–3072 bits | Encryption in transit | Uses AES-GCM, ECDHE, and SHA-2
ECC (ECDSA / ECDHE) | Elliptic Curve Cryptography | 256–521 bits | Key exchange & digital signatures | High security with reduced computational overhead
AES | Advanced Encryption Standard | 128–256 bits | Symmetric data encryption | Used for both transit and storage encryption
HMAC-SHA-256 / SHA-384 | Hash-based Message Authentication Code | 256–384 bits | Data integrity and authentication | Ensures tamper-proof communication
Diffie-Hellman / ECDH | Key exchange algorithm | 256–521 bits | Perfect Forward Secrecy | Ensures session keys are not reused
VPN Encryption (Tinc) | AES + ECC + HMAC-SHA256 | 256–521 bits | Server-to-server encryption | Secures internal network traffic

13.4. Security Configurability

ConnexCS systems support configurable cipher suites and curves to meet diverse device compatibility requirements:

  • Administrators can enable or disable legacy ciphers.
  • TLS configurations can be tuned to meet the latest compliance requirements (e.g., NIST, HIPAA, or ISO 27001).

Summary

ConnexCS implements modern cryptographic standards across all communication layers:

  • TLS 1.3 / 1.2 for end-user and client communications
  • AES + ECC + SHA-2–based encryption for VPN and data storage
  • Perfect Forward Secrecy (PFS) for all transient sessions
  • Configurable cipher control for compatibility and compliance

These combined measures ensure a high level of data protection, confidentiality, and regulatory compliance.


14. Vendor and Third-Party Considerations

  • Require vendors to demonstrate controls for AI-related risks, including secure handling of voice samples.
  • Include audit rights and breach notification clauses tailored to AI misuse.
  • Validate that third-party voice services use privacy-preserving training practices and do not persist customer voice unnecessarily.

15. Training & Awareness

  • Mandatory training modules on AI-driven fraud, voice cloning recognition, and secure verification practices for all customer-facing staff.
  • Regular tabletop exercises simulating deepfake-enabled fraud and vishing campaigns.
  • Periodic customer-facing advisories and best-practice guides.

16. Metrics & Reporting

Track and report the following KPIs to senior management:

  • Number of AI-related incidents detected per quarter.
  • Mean Time To Detect (MTTD) and Mean Time To Remediate (MTTR) for AI-enabled attacks.
  • False-positive rates for deepfake detectors and tuning actions taken.
  • Training completion and simulation exercise outcomes.

17. Continuous Improvement

  • Invest in research and partnerships to stay current with deepfake and AI-attack techniques.
  • Update controls, detection models, and playbooks as new threats emerge.
  • Share anonymised indicators of compromise (IOCs) with industry partners where appropriate.
  • Quarterly security audits and vulnerability assessments.
  • Annual policy review and updates.
  • Ongoing staff training and awareness programs.
  • Lessons learned from incidents integrated into policy and operational updates.

18. Enforcement

Failure to comply with this cybersecurity policy may result in:

  • Revocation of access rights.
  • Disciplinary action up to and including termination.
  • Legal action if violations result in regulatory breaches or data compromise.

19. Contact

For reporting incidents or questions about this policy:
📧 [email protected]
🌐 https://www.connexcs.com/security