PTA Outlined Three Cyber security Standards for the Telecom Sector

• PTA has asked all licensees for CTDISR 2020 audits.
• PTA has a “Cyber Security Framework.”
• PTA will produce a final report based on the evidence.

Pakistan Telecommunication Authority (PTA) has established a “Cyber Security Framework” based on the Critical Telecom Data and Infrastructure Security Regulation (CTDISR) that sets auditors’ and licensees’ obligations.

The National Cyber Security Framework for the Telecom Sector established three compliance targets and maturity levels based on the complexity of the controls.

Pakistan Telecommunication Authority (PTA) issued S.R.O. 1226(I)/2020 on September 8, 2020. In exercise of Clause, (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Re-organization) Act, 1996 (XVII of 1996), the PTA has announced the Critical Telecom sector Data and Infrastructure Security Regulations (CTDISR) 2020 that all PTA Licensees must follow.

PTA has directed all licensees to have approved auditors assess CTDISR 2020 measures and provide a report.

The compliance framework has three goals:

Advertisement
• Control Level 1 (CL1) has basic security controls.
• CL2 adds advanced security standards and controls to CL1’s.
• Control Level 3 (CL3) monitors and improves CL1 and CL2 controls/requirements. All past levels must be met for a higher level.

Licensee duty:

Advertisement
• Protection and retention of audit records and regulatory proof.
•  Present upper management with results and recommendations.
• Define and implement Internal Audit to verify observations.
• Ensure departments and functions implement the Action Plan.
• Top management oversees action plan implementation and compliance.
• The licensee must respond to PTA’s preliminary audit report within 7 days with evidence of remedy. PTA will produce a final report based on the evidence.
Advertisement
• During the audit, the licensee must provide PTA with any requested evidence within 3 days. PTA may provide extra time based on technical and business restrictions.
• The licensee must send the PTA’s Final CTDISR Audit/Compliance report to the CEO, who, after presenting it to the Board of Directors (if applicable), should provide the Authority, i.e. PTA, with action items and dates to comply with the report’s observations.
• The licensee may appeal the final report’s findings to the Authority within 14 days of its release. In case of review, no new evidence is admitted.

PTA Auditor duty:

Advertisement
• Prevent illegal access, modification, and destruction of Audit Records.
• Perform audits with independence, integrity, and character.
• Investigations should have solid evidence.
• Keep audit information private unless needed by law.
• If the auditor identifies a compensatory control that adequately reduces risk. The auditor may partially comply with the observation.

The framework guides auditors in undertaking gap assessments in light of PTA’s Cyber Security Regulations, including interpretation and expectations against each security control as needed.

As part of the framework, a maturity model classifies controls by criticality. ITU considers each member’s Cyber Security Framework while generating the Global Cyber Security Index (GCI). The methodology will help firms manage and decrease cybersecurity risk in the telecom industry.