The Pakistan Telecommunication Authority (PTA) has notified “Critical Telecom Data and Infrastructure Security Regulations, 2020” aimed at ensuring the security of critical data and infrastructure related to the telecom sector.
Critical data and infrastructure will be identified and designated by the PTA’s licensee for ensuring cybersecurity. Automated network monitoring systems will be put in place by the licensee to detect unauthorised/malicious users, connections, devices, and software, with preventive action. The Authority may issue guidelines/specifications for deployment, operations, management and access to information/logs of the said monitoring systems.
The Critical Telecom Infrastructure (CTI) will be monitored to identify and prevent eavesdropping, unauthorised access, and cyber threats. The PTA has made the regulations in exercise of the powers conferred by Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Reorganization) Act, 1996 (XVII of 1996).
Regulations will apply to all the PTA licensees for the security of critical telecom data and critical telecom infrastructure related to the telecom sector, in accordance with the procedures specified in these regulations.
According to the regulations, the licensee will constitute a steering committee comprising high-level representation from key operational areas to govern and ensure implementation of cybersecurity initiatives.
Keeping in view the requirements of these regulations, necessary policies will be defined, approved and communicated by the licensee to its employees, and other stakeholders such as partners, contractors, and any other entity having an interface with its telecom data/infrastructure to ensure compliance of these regulations.
The policies mentioned will be regularly reviewed by the licensee at planned intervals or upon any significant change/event. Roles and responsibilities for cybersecurity will be clearly defined and allocated by the licensee. The licensee shall maintain appropriate contact with relevant stakeholders to ensure cybersecurity.
Employees and contractors will be contractually bound by the licensee to relevant cyber security requirements, with a formal and communicated disciplinary process in place for compliance. To ensure proper implementation of security measures, employees, including relevant contractors/partners, will be made aware by the licensee of the security policies and requirements through awareness sessions, education, and training.
Where applicable, the licensee will also provide cyber security awareness to its customers/subscribers for safeguarding against security threats and incidents. Physical security for secure areas should be designed and implemented by the licensee. Security perimeters will be defined by the licensee for secure areas.
Physical access to assets at secure areas will be managed and protected by the licensee. Only authorised personnel will be provided access to secure areas. The licensee will ensure that access points where unauthorised persons can enter a secure area are controlled and, if possible, isolated from Critical Telecom Infrastructure (CTI).
A physical log book or electronic audit trail will be maintained and monitored by the licensee for personnel accessing secure areas. The physical environment of secure areas will have monitoring/surveillance by the licensee to prevent and respond against a cyber security incident.
Procedures for working in secure areas will be designed and implemented to safeguard against cyber security incidents. Physical protection against natural disasters, hazards, malicious attack or accidents will be designed and applied by the licensee for secure areas.
Secure areas should be protected from power failures and other disruptions caused by failures in supporting utilities. Power and telecommunication cabling for the CTI should be protected from interception, interference or damage.
Maintenance for equipment at secure areas will be correctly carried out by the licensee for its availability and integrity. Appropriate protection will be applied by the licensee at secure areas for unattended equipment to safeguard against unauthorised access.
Assets pertaining to the CTI should not be taken off-site without proper authorisation. Appropriate security will be applied by the licensee to off-site CTI assets, taking into account the risks outside the licensee’s premises. A clear desk policy for papers and removable storage media and a clear screen policy for critical data processing facilities will be adopted by the licensee.
The licensee will ensure that event logs for user activities, exceptions, faults, and cyber security incidents are produced, stored and regularly reviewed to identify and mitigate security threats and incidents. Critical telecom infrastructure will be protected against malware by the licensee.
Automated malware protection will be applied by the licensee to identify and eliminate malicious software activity. A policy will be formulated and enforced by the licensee to prohibit the use of unlicensed and unauthorised software. A vulnerability management plan will be developed and implemented by the licensee.
For systems and software being used by the licensee, exploitation of related technical vulnerabilities will be avoided by obtaining their information in a timely fashion and taking appropriate measures to address associated risks.
A formal policy will be formulated and enforced by the licensee to protect against risks associated with data and software obtained from external networks or any other medium.
An appropriate business continuity plan should be prepared by the licensee for recovering from malware attacks, including necessary data/software backup and recovery arrangements. Privacy will be ensured for critical telecom data stored by the licensee, and it shall only be used for the purpose for which it was obtained from customers/users.
Data will be protected from unauthorised disclosure, modification, loss and destruction. Licensed data retention timeframes will be observed and where required clarity shall be sought from the authority for retention timeframe of any data for which a retention timeframe is not mentioned in the license.
The licensee should only use vendor-supported software versions for systems and applications that store critical data. A Computer Emergency Response Team (CERT) will be established by the licensee to ensure a quick, effective and orderly response to cyber security incidents.
CERT should be capable of planning, detection, initiation, response, recovery and post-incident analysis having well-defined functions and communicated processes in place, which should be tested periodically.
The licensee will establish processes for collecting, analysing and responding to cyber threat intelligence information collected from internal and external sources. The licensee will share threat feeds with the PTA.