PTA Introduces Critical Telecom Data and Infrastructure Security Regulations


The Pakistan Telecommunication Authority (PTA) has notified the ‘Critical Telecom Data and Infrastructure Security Regulations, 2020’ aimed at ensuring the security of critical data and infrastructure related to the telecom sector.

Critical data and infrastructure will be identified and designated by the PTA’s licensee to ensure cybersecurity. Automated network monitoring systems will be installed by the licensee to detect unauthorized or malicious users, connections, devices, and software with preventive actions.

The PTA may also issue guidelines or specifications for deployment, operations, management, and access to information and logs of the monitoring systems.

The Critical Telecom Infrastructure (CTI) will be monitored to identify and prevent eavesdropping, unauthorized access, and cyber threats.

The PTA has devised the regulations to exercise its powers conferred via Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Reorganization) Act, 1996 (XVII of 1996).

Regulations will apply to all the PTA licensees for the security of critical telecom data and critical telecom infrastructure in accordance with the procedures specified in these regulations.

According to the regulations, the licensees will constitute a steering committee comprising high-level representation from key operational areas to govern and ensure the implementation of cybersecurity initiatives.

Keeping in view the requirements of these regulations, necessary policies will be defined, approved, and communicated by the licensee to its employees and other stakeholders like partners, contractors, and any other entities that have an interface with its telecom data or infrastructure to ensure compliance with these regulations.

The policies mentioned will be regularly reviewed by the licensee at planned intervals or upon any significant change or event. The roles and responsibilities for cybersecurity will be clearly defined and allocated by the licensee who will also maintain appropriate contact with relevant stakeholders to ensure cybersecurity.

Employees and contractors will be contractually bound by the licensee to relevant cybersecurity requirements with a formal and communicated disciplinary process for compliance. To ensure the proper implementation of security measures, employees and relevant contractors or partners will be informed by the licensee of the security policies and requirements through awareness sessions, education, and training.

Where applicable, the licensee will also inform its customers or subscribers of cybersecurity to safeguard them against security threats and incidents. Furthermore, physical security for secure areas should be designed and implemented by the licensee, including the definition of the security perimeters for secure areas.

The physical access to assets at secure areas will be managed and protected by the licensee, and only authorized personnel will be provided access to secure areas. The licensee will ensure that access points where unauthorized persons can enter a secure area are controlled, and if possible, isolated from the CTI.

A physical log book or electronic audit trail will be maintained and monitored by the licensee for persons accessing the secure areas. The physical environment of the secure areas will be monitored or surveilled by the licensee to prevent and respond to a cybersecurity incident.

Procedures for working in secure areas will be designed and implemented to safeguard against cybersecurity incidents. Physical protection against natural disasters, hazards, malicious attacks, or accidents will be designed and applied by the licensee for the secure areas.

The secure areas should be protected from power failures and other disruptions caused by failures in the supporting utilities. Power and telecommunication cabling for the CTI should be protected from interception, interference, and damage.

The maintenance of the equipment at the secure areas will be properly carried out by the licensee for its availability and integrity. Appropriate protection will be provided by the licensee at the secure areas for unattended equipment to safeguard it against unauthorized access.

Assets pertaining to the CTI should not be taken off-site without proper authorization, and appropriate security measures will be provided by the licensee to off-site CTI assets while taking into account the risks outside the licensee’s premises. A clear desk policy for papers and removable storage media and a clear screen policy for critical data processing facilities will be adopted by the licensee.

The licensee will ensure that the event logs for users’ activities, exceptions, faults, and cybersecurity incidents are produced, stored, and regularly reviewed to identify and mitigate security threats and incidents. The CTI will also be protected against malware by the licensee.

Automated malware protection will be provided by the licensee to identify and eliminate malicious software activity. A policy will be formulated and enforced by the licensee to prohibit the use of unlicensed and unauthorized software, along with the development and implementation of a vulnerability management plan.

For the systems and software being used by the licensee, the exploitation of related technical vulnerabilities will be avoided by obtaining timely information about them and by taking appropriate measures to address the associated risks.

A formal policy will be formulated and enforced by the licensee to protect against risks that are associated with the data and software obtained from external networks or other media.

The licensee should also prepare an appropriate business continuity plan for recovery from malware attacks, including necessary data or software backup and recovery arrangements. Privacy will be ensured for the critical telecom data stored by the licensee, and it will only be used for the purpose for which it was obtained from customers.

Data will be protected from unauthorized disclosure, modification, loss, and destruction. Licensed data retention timeframes will be observed, and where required, clarity will be sought from the authority for the retention timeframe of any data for which a retention timeframe is not mentioned in the license.

The licensee should only use vendor-supported software versions for systems and applications that store critical data. A Computer Emergency Response Team (CERT) will be established by the licensee to ensure a quick, effective, and orderly response to cybersecurity incidents.

The CERT should be capable of planning, detection, initiation, response, recovery, and post-incident analysis while having well-defined functions and communicated processes in place that should be tested periodically.

The licensee will establish processes for collecting, analyzing, and responding to cyber threat intelligence information collected from internal and external sources, and will share the threat feeds with the PTA.