
ISLAMABAD: The Pakistan Telecommunication Authority (PTA) has notified "Critical Telecom Data and Infrastructure Security Regulations, 2020" aimed at ensuring the security of critical data and infrastructure related to the telecom sector.

Critical data and infrastructure will be identified and designated by the PTA's licensee for ensuring cyber security. Automated network monitoring systems will be put in place by the licensee to detect unauthorised/malicious users, connections, devices, and software with preventive action. Authority may issue guidelines/specifications for deployment, operations, management and access to information/logs of said Monitoring Systems.

The CTI will be monitored to identify and prevent eavesdropping, unauthorised access, and cyber threats. The PTA has made the regulations in exercise of the powers conferred by Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Reorganization) Act, 1996 (XVII of 1996).

The regulations will apply to all PTA licensees for the security of critical telecom data and critical telecom infrastructure related to the telecom sector, in accordance with the procedures specified in these regulations.

According to the regulations, licensee will constitute a steering committee comprising high-level representation from key operational areas to govern and ensure implementation of cyber security initiatives.

Keeping in view the requirements of these regulations, necessary policies will be defined, approved and communicated by the licensee to its employees, and other stakeholders such as partners, contractors, and any other entity having interface with its telecom data/infrastructure to ensure compliance of these regulations.

The policies mentioned will be regularly reviewed by the licensee at planned intervals or upon any significant change/event. Roles and responsibilities for cyber security will be clearly defined and allocated by the licensee. Licensee shall maintain appropriate contact with relevant stakeholders to ensure cyber security.

Employees and contractors will be contractually bound by the licensee to relevant cyber security requirements with a formal and communicated disciplinary process in place for compliance. To ensure proper implementation of security measures, employees including relevant contractors/partners will be made aware by the licensee of the security policies, and requirements through awareness sessions, education, and trainings.

Where applicable, the licensee will also provide cyber security awareness to its customers/subscribers for safeguarding against security threats and incidents. Physical security for secure areas should be designed and implemented by the licensee. Security perimeters will be defined by the licensee for secure areas.

Physical access to assets at secure areas will be managed and protected by the licensee. Only authorised personnel will be provided access to secure areas. Licensee will ensure that access points where unauthorised persons can enter a secure area are controlled, and if possible isolated from Critical Telecom Infrastructure (CTI).

Physical log book or electronic audit trail will be maintained and monitored by the licensee for personnel accessing secure areas. The physical environment of secure areas will have monitoring/surveillance by the licensee to prevent and respond against a cyber security incident.

Procedures for working in secure areas will be designed and implemented to safeguard against cyber security incidents. Physical protection against natural disasters, hazards, malicious attack or accidents will be designed and applied by the licensee for secure areas.

Secure areas should be protected from power failures and other disruptions caused by failures in supporting utilities. Power and telecommunication cabling for the CTI should be protected from interception, interference or damage.

Maintenance for equipment at secure areas will be correctly carried out by the licensee for its availability and integrity. Appropriate protection will be applied by the licensee at secure areas for unattended equipment to safeguard against unauthorised access.

Assets pertaining to the CTI should not be taken off-site without proper authorisation. Appropriate security will be applied by the licensee to off-site CTI assets, taking into account risks outside the licensee's premises. Clear desk policy for papers and removable storage media and clear screen policy for critical data processing facilities will be adopted by the licensee.

Licensee will ensure that event logs for user activities, exceptions, faults, and cyber security incidents are produced, stored and regularly reviewed to identify and mitigate security threats and incidents. Critical telecom infrastructure will be protected against malware by the licensee.

Automated malware protection will be applied by the licensee to identify and eliminate malicious software activity. A policy will be formulated and enforced by the licensee to prohibit the use of unlicensed and unauthorised software. A vulnerability management plan will be developed and implemented by the licensee.

For systems and software being used by the licensee, exploitation of related technical vulnerabilities will be avoided by obtaining their information in a timely fashion and taking appropriate measures to address associated risks.

A formal policy will be formulated and enforced by the licensee to protect against risks associated with data and software obtained from external networks or any other medium.

Appropriate business continuity plan should be prepared by the licensee for recovering from malware attacks including necessary data/software backup and recovery arrangements. Privacy will be ensured for critical telecom data stored by the licensee and it shall only be used for the purpose for which it was obtained from customers/users.

Data will be protected from unauthorised disclosure, modification, loss and destruction. Licensed data retention timeframes will be observed and where required clarity shall be sought from the authority for retention timeframe of any data for which a retention timeframe is not mentioned in the license.

Licensee should only use vendor-supported software versions for systems and applications that store critical data. A Computer Emergency Response Team (CERT) will be established by the licensee to ensure a quick, effective and orderly response to cyber security incidents.

CERT should be capable of planning, detection, initiation, response, recovery and post-incident analysis having well-defined functions and communicated processes in place, which should be tested periodically.

Licensee will establish processes for collecting, analysing and responding to cyber threat intelligence information collected from internal and external sources. The licensee will share threat feeds with the PTA.

Copyright Business Recorder, 2020
