The National Cyber Security Framework for the telecom sector has set three compliance targets and maturity levels based on the complexity of the controls.
Pakistan Telecommunication Authority (PTA) has formulated a “Cyber Security Framework” which is based on the Critical Telecom Data and Infrastructure Security Regulation (CTDISR) and defines the obligation for auditors and PTA’s licensees.
Pakistan Telecommunication Authority (PTA or the Authority) issued the Statutory Notification on September 8, 2020, having reference S.R.O. 1226(I)/2020. In exercise of the powers conferred by Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Re-organization) Act, 1996 (XVII of 1996), the PTA has announced the Critical Telecom Data and Infrastructure Security Regulations (CTDISR) 2020, which must be complied with by all PTA licensees.
After the introduction of the CTDISR 2020, PTA has instructed all licensees to have a third-party review of the CTDISR measures from approved auditors and submit the report to the Authority.
The framework has set three compliance targets which are given below:
- Control Level 1 (CL1): CL1 includes basic security requirements and controls.
- Control Level 2 (CL2): CL2 includes advanced security requirements and controls in addition to the existing requirements within CL1.
- Control Level 3 (CL3): CL3 includes requirements and security controls that are more focused on continuous monitoring and continuous process improvement of the controls/requirements defined in CL1 and CL2. To achieve compliance with a higher level, compliance with all preceding levels is required.
Responsibility of Licensees:
- Protection and retention of audit records and relevant evidence, e.g. for compliance with regulatory requirements.
- Document the findings and recommendations and present them to the top management.
- Define and implement the Internal Audit process to verify compliance against the observations.
- Ensure that the relevant departments and functions are required to implement the Action Plan.
- Top management to oversee the implementation of the action plan and ensure compliance.
- Upon receiving the preliminary Audit report from PTA, the licensee shall revert along with necessary evidence of remediation of the findings within the timeframe of 7 days. In light of the evidence, PTA will issue a final report to the licensee.
- During the course of the audit, the licensee shall be bound to provide any evidence required by PTA within a time frame of 3 days upon initiation of the request. PTA may grant additional time subject to justifiable technical and business limitations and constraints.
- The licensee is required to submit the PTA’s Final CTDISR Audit/Compliance report to the Chief Executive Officer (CEO) who, after placing the same before the Board of Directors (if applicable), shall revert to the Authority (i.e. PTA) with action items and timelines to comply with the observations mentioned in the report.
- The licensee will have the right to appeal to the Authority, no later than 14 days after issuance of the final report, in case the licensee does not agree with the findings of the final report. The appeal would be moved through the office of DG CVD. In case of review, no new evidence shall be accepted.
Responsibility of Auditor:
- Protect the Audit Records from unauthorized access, modification, and destruction.
- Maintain professional independence and high standards of conduct and character when performing audits.
- Evidence should be substantial when concluding investigations.
- Maintain privacy and confidentiality of the information obtained during audit, unless disclosure is required by the authority.
- In the case where the auditor finds that a suitable compensating control has been implemented to sufficiently mitigate the risk, the auditor may mark the observation as partially compliant.
The framework provides guidance to the auditors for performing a gap assessment in light of PTA’s Cyber Security Regulations, including interpretation and expectations against each security control where necessary.
As part of the framework, a maturity model has also been devised, whereby the controls have been classified on the basis of their criticality. It is pertinent to highlight that the International Telecommunication Union (ITU) gives significance to the Cyber Security Framework of each member state while calculating the Global Cybersecurity Index (GCI). The framework is a significant step towards improving the security landscape of the telecom industry and will enable organizations to better manage and reduce cybersecurity risk.