Based on the complexity of the controls, the National Cyber Security Framework for the telecom sector has established three compliance targets and maturity levels.
The Critical Telecom Data and Infrastructure Security Regulation (CTDISR), which sets forth the responsibilities of auditors and PTA’s licensees, has served as the foundation for the “Cyber Security Framework” developed by the Pakistan Telecommunication Authority (PTA).
On September 8, 2020, the Pakistan Telecommunication Authority (PTA), with reference to S.R.O. 1226(I)/2020, issued the Statutory Notification.
The Critical Telecom Data and Infrastructure Security Regulations (CTDISR) 2020, which must be followed by all PTA Licensees, have been announced by the PTA in the exercise of the authority granted by Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Re-organization) Act, 1996 (XVII of 1996).
Following the launch of the CTDISR 2020, the PTA has directed all licensees to request an independent audit of the CTDISR measures from authorized auditors and submit the results to the Authority.
The following are the three compliance goals that the framework has established:
- Control Level 1 (CL1): CL1 includes basic security requirements and controls.
- Control Level 2 (CL2): CL2 includes advanced security requirements and controls in addition to the existing requirements within CL1.
- Control Level 3 (CL3): CL3 includes requirements and security controls that focus on continuous monitoring and continuous process improvement of the controls/requirements defined in CL1 and CL2. To achieve compliance with a higher level, compliance with all preceding levels is required.
Responsibility of Licensees:
- Protection and retention of Audit Records and relevant evidence, e.g. for compliance with regulatory requirements.
- Document the findings and recommendations and present them to the top management.
- Define and implement the Internal Audit process to verify compliance against the observations.
- Ensure that the relevant departments and functions are required to implement the Action Plan.
- Top management to oversee the implementation of the action plan and ensure compliance.
- Upon receiving the preliminary Audit report from PTA, the licensee shall revert along with necessary evidence of remediation of the findings within the timeframe of 7 days. In light of the evidence, PTA will issue a final report to the licensee.
- During the course of the audit, the licensee shall be bound to provide any evidence required by PTA within a time frame of 3 days upon initiation of the request. PTA may grant additional time subject to justifiable technical and business limitations and constraints.
- The licensee is required to submit the PTA’s Final CTDISR Audit/Compliance report to the Chief Executive Officer (CEO) who, after placing the same before the Board of Directors (If applicable), shall revert to Authority i.e. PTA with action items and timelines to comply with observations mentioned in the report.
- The Licensee will have the right to appeal to the Authority no later than 14 days after issuance of the final report, in case the licensee does not agree with the findings of the final report. The appeal would be moved through the office of DG CVD. In case of review, no new evidence shall be accepted.
Responsibility of Auditor:
- Protect the Audit Records from unauthorized access, modification, and destruction.
- Maintain professional independence and high standards of conduct and character when performing audits.
- Evidence should be substantial when concluding investigations.
- Maintain privacy and confidentiality of the information obtained during audit, unless disclosure is required by the authority.
- In the case where the auditor finds that a suitable compensating control has been implemented to sufficiently mitigate the risk, the auditor may mark the observation as partially compliant.
When necessary, the framework includes interpretations and expectations for each security control to help auditors execute gap assessments in light of PTA’s cyber security regulations.
A maturity model that classifies the controls according to their criticality has also been developed as part of the framework.
It is important to note that the International Telecommunication Union (ITU) considers each member state’s cyber security framework when compiling the Global Cyber Security Index (GCI).
The framework will help firms manage and lower cybersecurity risk, and it represents a substantial improvement in the telecom industry’s security environment.