PTA devises Cyber Security Framework, outlines obligations of auditors and licensees
Under the framework, a maturity model has been devised, and the controls have been classified on the basis of their criticality.
Pakistan Telecommunication Authority (PTA) has come up with a ‘Cyber Security Framework’ that is based on the Critical Telecom Data and Infrastructure Security Regulation (CTDISR). It also clearly outlines the obligations of auditors and PTA licensees.
The National Cyber Security Framework drafted for the telecom sector defines three compliance targets, with maturity levels that depend on the complexity of the controls.
National Cyber Security Framework
The three compliance targets in the framework are as follows:
- Control Level 1: basic security requirements and controls
- Control Level 2: advanced security requirements and controls in addition to the existing CL1 requirements
- Control Level 3: requirements and security controls focused on continuous monitoring and process improvement of the requirements in CL1 and CL2. To achieve compliance with a higher level, compliance with all preceding levels is necessary.
After the introduction of the CTDISR in 2020, PTA ordered licensees to have their security measures reviewed by approved third-party auditors and to submit the resulting report to the authority.
Responsibility of Licensees
The licensees have the following obligations.
- The right to appeal to the Authority within 14 days of issuance of the final report if they do not agree with its findings. The appeal is routed through the office of DG CVD. No new evidence will be accepted during the review.
- Ensure that the relevant departments implement the Action Plan.
- Document the recommendations and findings and present them to the top management.
- Protect audit records and relevant evidence for compliance with regulatory requirements.
- Top management to supervise the implementation of the action plan and ensure compliance.
- Implement the Internal Audit Process to verify compliance against observations.
- Licensees should provide evidence requested by PTA within three days during an audit. PTA may grant additional time where constraints justify it.
- Upon receiving the preliminary audit report from PTA, licensees should respond with the necessary evidence of remediation of the findings within seven days. PTA will then issue a final report to the licensee in light of that evidence.
- The licensee has to submit PTA’s final CTDISR audit report to the CEO. The CEO will place the report before the Board of Directors and then respond to PTA with action items and timelines to address the observations in the report.
Under the framework, a maturity model has been devised, and the controls have been classified on the basis of their criticality. The framework is a big step towards improving the security landscape of the telecom industry and will allow organizations to manage and reduce cybersecurity risk.
Auditors’ responsibilities
- If the auditor finds that a suitable compensating control has been implemented to mitigate the risk, the control may be marked as partially compliant.
- Evidence gathered during investigations should be substantial.
- Maintain the confidentiality and privacy of information received during the audit, unless the Authority requires disclosure.
- Protect audit records from unauthorized access and modification.
- Maintain high standards of conduct and character when performing audits.