PTA Introduces Critical Telecom Data and Infrastructure Security Regulations 2020

The Pakistan Telecommunication Authority (PTA) has notified “Critical Telecom Data and Infrastructure Security Regulations, 2020” aimed at ensuring the security of critical data and infrastructure related to the telecom sector.

Critical data and infrastructure will be identified and designated by the PTA’s licensee for ensuring cybersecurity. Automated network monitoring systems will be put in place by the licensee to detect unauthorised/malicious users, connections, devices, and software with preventive action. Authority may issue guidelines/specifications for deployment, operations, management and access to information/logs of said Monitoring Systems.
The CTI will be monitored to identify and prevent eavesdropping, unauthorised access, and cyber threats. The PTA has made the regulations in exercise of the powers conferred by Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Reorganization) Act, 1996 (XVII of 1996).

Regulations will apply to all the PTA licensees for the security of critical telecom data and critical telecom infrastructure related to the telecom sector, in accordance with the procedures specified in these regulations.
According to the regulations, the licensee will constitute a steering committee comprising high-level representation from key operational areas to govern and ensure implementation of cybersecurity initiatives.

Keeping in view the requirements of these regulations, necessary policies will be defined, approved and communicated by the licensee to its employees, and other stakeholders such as partners, contractors, and any other entity having an interface with its telecom data/infrastructure to ensure compliance of these regulations.

The policies mentioned will be regularly reviewed by the licensee at planned intervals or upon any significant change/event. Roles and responsibilities for cybersecurity will be clearly defined and allocated by the licensee. Licensee shall maintain appropriate contact with relevant stakeholders to ensure cybersecurity.
Employees and contractors will be contractually bound by the licensee to relevant cyber security requirements with a formal and communicated disciplinary process in place for compliance. To ensure proper implementation of security measures, employees including relevant contractors/partners will be made aware by the licensee of the security policies, and requirements through awareness sessions, education, and trainings.

Where applicable, the licensee will also provide cyber security awareness to its customers/subscribers for safeguarding against security threats and incidents. Physical security for secure areas should be designed and implemented by the licensee. Security perimeters will be defined by the licensee for secure areas.

Physical access to assets at secure areas will be managed and protected by the licensee. Only authorised personnel will be provided access to secure areas. Licensee will ensure that access points where unauthorised persons can enter secure area are be controlled, and if possible isolated from Critical Telecom Infrastructure (CTI).

Telecom