The National Cyber Security Framework for the telecom industry establishes three standards for compliance and maturity, which depend on the level of complexity of the security controls.
The Pakistan Telecommunication Authority (PTA) has created the “Cyber Security Framework”, which is based on the Critical Telecom Data and Infrastructure Security Regulation (CTDISR) and specifies the obligations of PTA licensees and auditors.
The Pakistan Telecommunication Authority (PTA or the Authority) issued the Statutory Notification on 8 September 2019, with reference S.R.O. 1226(I)/2020. Under the powers granted by Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Re-organization) Act, 1996 (XVII of 1996), the PTA has announced that it will be implementing the Critical Telecom Data and Infrastructure Security Regulations (CTDISR) 2020, which all PTA licensees must adhere to.
Following the introduction of CTDISR 2020, PTA has required all licensees to have their CTDISR measures independently reviewed by certified auditors and to submit the results to the Authority.
The framework has established three compliance goals, as follows:
- Control Level 1 (CL1): CL1 includes the basic security requirements and controls.
- Control Level 2 (CL2): CL2 is a security level with advanced requirements and controls that are in addition to the requirements already in place in CL1.
- Control Level 3 (CL3): CL3 includes requirements and security controls that focus on continuous monitoring and continuous process improvement of the controls and requirements defined in CL1 and CL2. To achieve compliance with a higher level, compliance with all preceding levels is required.
- Secure audit records from unauthorized access or modification.
- Maintain professional independence and adhere to the highest standards of ethics and character while conducting audits.
- Evidence should be sufficient to conclude investigations.
- Keep the audit data confidential and private, unless disclosure is mandated by the Authority.
- If the auditor concludes that a compensating control was implemented to adequately reduce the risk, the auditor can consider the observation to be conforming.