Nepal Telecommunications Authority (NTA), the Telecommunication regulatory body of Nepal, has implemented Cyber Security Bylaw 2077 (2020) recently. It is a mandatory cybersecurity regulation for Telcos and ISPs to implement security standards and best practices in a systematic way.
About a month ago, NTA directed the telcos, ISPs to mandatorily conduct security audit regularly. Now, all licensed telecommunication service providers operating in Nepal need to fulfil the clauses of the Cyber Security Regulation 2077.
As cybersecurity has become increasingly sensitive in recent times, the authorities have come up with regulations targeting telecom service providers. Not long ago, the Nepal Telecom server got hacked, sprouting fear of data hack and data breach among us. Similarly, Vianet, one of the popular ISP in Nepal had to suffer from the customer data leak. So considering the weak cybersecurity system of the telecom service providers in Nepal, NTA framed the Cybersecurity Bylaw 2077. NTA Board passed the Bylaw with a meeting held last Friday.
The Bylaw is a 12-page long list of rules that covers the following topics:
- General Security Standards and Practices,
- Infrastructure/Network Security
- Core System Security
- Application Security
- Data Security/Privacy
- Information System (IS) audit
- Cloud Security
- CERT/Incident Response
- Security Operation Center (SOC)
- Cybersecurity awareness and capacity building
According to the Bylaw, the company shall specify the handling of social media/official emails in the office by their employees. Similarly, there is a policy for a password, that the service provider shall enforce in the organization. The service provider shall also manage the privileges in a user account with the admin access for authorized individuals only. The service providers also need to make the password change for admin and users in ninety days.
They should also adopt an internationally recognized security system, the default login given in any application should be blocked. They also need to spread public awareness about cybersecurity among the users.
The bylaw also binds the service providers to only use the commercially licensed operating system and applications in their computers, laptops and mobile devices.
Similarly, there is a provision to implement a DDoS (Distinguishing Distributed Denial of Service) detection system for the security of the network. The providers shall use a secured virtual private network (VPN) with IPSec or SSL while accessing the system from remote places. The server provider shall use an updated firewall for the security of the core system. Similarly, there is a provision for OTP (One Time Password) for mobile-based application security.
The sharing of data has also become stringent such that the service providers have to sign NDA (Non-Disclosure Agreement) with employees, vendors, third parties to copy, distribute, sell data without consent.
Similarly, the service provider shall set up a separate security unit within their organization, with 24X7 alert, monitoring and implement all preventive measures. Likewise, there shall be an incident response team to coordinate with the NTA task force to handle the attacks and minimize loss.
The Telecommunication service providers should mandatorily conduct a security audit of information systems every three months. The service providers are required to conduct internal security audits as well as external security audits. Moreover, the auditing needs to be conducted by the security auditors as specified by the authorities or the government.
The regulation stipulates that telecom service providers shall submit such security audit reports to the authority every six months.
They shall also perform penetration testing and vulnerability assessment in 3 months and rectify the problems identified.
The auditor shall perform the audit according to the criteria prescribed in the regulations for areas like a web application, network architecture, wireless communication etc. Please find the details of the Cyber Security bylaw 2020.
Director of the Nepal Telecommunication Authority, Vijay Kumar Roy, said that the Bylaw is put forward after a long discussion and preparation with all stakeholders. So he opines that the service providers shall follow the regulations strictly. According to him, it will help to strengthen the Cybersecurity of all the service providers.
To strengthen the cybersecurity of the service providers, NTA has enforced Cyber Security By-law 2077. It mentions a list of rules that the Telecom service providers should strictly follow and prepare a security audit report to submit it to the authority for analysis. As the Cyber Security Bylaw 2020 is based on international standards, we can expect it to reduce the risk of cybercrimes.
The authority will make sure that the license holders (Basic Telephony/Landline, Mobile service, Network service, Internet service) implement the rules mandatorily. Incompetence in implementing any rule mentioned in the Bylaw will be liable of consequence. As known, NTA will analyze the bylaw continuously and make a revision if required, so that no one needs to compromise on their cybersecurity.