Page 120 - SAMENA Trends - September-October 2020

REGULATORY & POLICY UPDATES  SAMENA TRENDS




Nepal

The Ministry of Education, Science, and Technology has announced that it will provide free internet to students from Ashoj, 2077. The Ministry has also started making necessary arrangements for free internet to students and schools to facilitate e-learning/online classes. Since the COVID-19 situation has made e-learning a mandatory obligation for everyone, it has made receiving alternative education and joining classes difficult for a lot of students. This is because not everyone can afford the internet in every part of the country. So, to ease the situation, the Ministry of Education, Science and Technology announced that it will provide free internet to the students for the operation of the academic session. It is provisioned in the “Student Learning Facilitation Guideline” that was passed on 19 Bhadra by the ministerial decision. This also includes free downloads of educational material from the Ministry sites (like Shikayi Chautari, Curriculum center, DoE) and the provision of free internet to the students to assist the e-learning process. Moreover, the guideline also clearly mentions the role of the Ministry to provide free or subsidized data packages to schools and students. The data package would be from Nepal Telecom and other internet service providers for educational purposes only. As known, the Ministry of Education has instructed the federal, state, and local level bodies and stakeholders for the mandatory implementation of this directive from Ashoj 1, 2077. The information on the implementation of the directive issued by the Ministry states that the government at all three levels should implement the directive in order to achieve an alternative way of learning in this COVID-19 pandemic. These e-learning achievements are specified in the National Curriculum Draft to create a favorable environment for students to learn online. (September 12, 2020) nepalitelecom.com

Nepal Telecommunications Authority (NTA), the telecommunication regulatory body of Nepal, has recently implemented Cyber Security Bylaw 2077 (2020). It is a mandatory Cybersecurity regulation for Telcos and ISPs to implement security standards and best practices in a systematic way. About a month ago, NTA directed the telcos and ISPs to mandatorily conduct security audits regularly. Now, all licensed telecommunication service providers operating in Nepal need to fulfil the clauses of the Cyber Security Regulation 2077. As Cybersecurity has become increasingly sensitive in recent times, the authorities have come up with regulations targeting telecom service providers. Not long ago, the Nepal Telecom server got hacked, sparking fear of data hack and data breach among us. Similarly, Vianet, one of the popular ISPs in Nepal, had to suffer from a customer data leak. So, considering the weak Cybersecurity system of the telecom service providers in Nepal, NTA framed the Cybersecurity Bylaw 2077. The NTA Board passed the Bylaw in a meeting held last Friday. The Bylaw is a 12-page long list of rules that covers the following topics:
•  General Security Standards and Practices
•  Infrastructure/Network Security
•  Core System Security
•  Application Security
•  Data Security/Privacy
•  Information System (IS) audit
•  Cloud Security
•  CERT/Incident Response
•  Security Operation Center (SOC)
•  Cybersecurity awareness and capacity building

According to the Bylaw, the company shall specify the handling of social media/official emails in the office by their employees. Similarly, there is a policy for a password that the service provider shall enforce in the organization. The service provider shall also manage the privileges in a user account, with admin access for authorized individuals only. The service providers also need to make the password change for admin and users in ninety days. They should also adopt an internationally recognized security system, and the default login given in any application should be blocked. They also need to spread public awareness about Cybersecurity among the users. The Bylaw also binds the service providers to only use commercially licensed operating systems and applications in their computers, laptops and mobile devices. Similarly, there is a provision to implement a DDoS (Distributed Denial of Service) detection system for the security of the network. The providers shall use a secured virtual private network (VPN) with IPSec or SSL while accessing the system from remote places. The service provider shall use an updated firewall for the security of the core system. Similarly, there is a provision for OTP (One Time Password) for mobile-based application security.

The sharing of data has also become stringent, such that the service providers have to sign an NDA (Non-Disclosure Agreement) with employees, vendors, and third parties against copying, distributing, or selling data without consent. Similarly, the service provider shall set up a separate security unit within their organization, with 24x7 alerting and monitoring, and implement all preventive measures. Likewise, there shall be an incident response team to coordinate with the NTA task force to handle the attacks and minimize loss.

The telecommunication service providers should mandatorily conduct a security audit of information systems every three months. The service providers are required to conduct internal security audits as well as external security audits. Moreover, the auditing needs to be conducted by the security auditors as specified by the authorities or the government. The regulation stipulates that telecom service providers shall submit such security audit reports to the authority every six months. They shall also perform penetration testing and vulnerability assessment in 3 months and rectify the problems identified. The auditor shall perform the audit according to the criteria prescribed in the regulations for areas like web application, network architecture, wireless communication, etc. Please find the details of the Cyber Security bylaw 2020.

Director of the Nepal Telecommunication Authority, Vijay Kumar Roy, said that the Bylaw is put forward after a long discussion and preparation with all stakeholders. So he opines that the service providers shall follow the regulations strictly. According to him, it will help to strengthen the Cybersecurity of all the service providers. To strengthen the Cybersecurity of the
