The Critical Telecom Data and Infrastructure Security Regulation (CTDISR) says that the Pakistan Telecommunication Authority (PTA) has made “Cyber Security Goals” that explain what auditors and PTA licensees are responsible for.
The Statutory Notification was sent out to PTA on September 8, 2020. The reference number for this document is S.R.O. 1226. (I). The PTA made the announcement under Section 5 of Pakistan's Telecommunication (Re-organization) Act 1996 (XVII of 1996), which gives it the power to tell all PTA licensees to follow the CTDISR 2020 rules.
After the CTDISR 2020 criterion was first put into place, the PTA asked all licensees to have eligible auditors do a third-party review of the CTDISR measures and send the report to the Authority.
For the PTA to make sure that the Cyber Security Goals are used, there are three goals:
- Control Level 1 (CL1) is the first level of security protection. It has the most important controls and standards.
- Control Level 2 (CL2) adds to the requirements and controls of Control Level 1 (CL1) with more criteria and controls.
- It's important to remember that in order to be compliant with a higher level, you have to be compliant with all lower levels.
Responsibilities of Licensing Entities:
- Storing audit records and other important paperwork, such as proof of following regulations.
- The company’s top management is giving a written copy of the findings and suggestions.
The third step is to make and use an internal audit system to make sure the observations are correct.
- Make sure that the list of people involved has all the departments and functions that need to work on the Action Plan.
- The top management should keep an eye on how the action plan is carried out and make sure it is followed.
- The licensee has seven days to reply to PTA’s preliminary audit report and demonstrate proof of fixes. Based on the evidence, PTA will send the licensee a final report.
- Licensees have three days to submit audit proof to PTA. Because of technical and business limitations, the PTA may need to give you more time.
- If the PTA's Final CTDISR Audit/Compliance Report is sent to the Chief Executive Officer (CEO), the CEO will send it back to the Authority (the PTA), with action items and timelines for following the report's suggestions, after it has been brought before the Board of Directors (if applicable).
- If the licensee doesn’t agree with the final report’s conclusions, he or she has 14 days after the report comes out to appeal to the Authority.
- There is no more evidence to consider. DG CVD is in charge of handling this case.
The job of the auditor:
- You should keep the Audit Records out of the hands of anyone who is not authorized to see, alter, or dispose of them.
- When doing audits, it’s important to keep your job separate from your personal life and to act in a professional way.
- When an investigation is over, there should be a lot of evidence.
In order for an audit’s findings to stay secure, they must make in writing authority.
- The auditor has put in place good compensatory control to limit the risk as much as possible.
- The auditor may mark the observation as being partly correct.
The PTA’s Cyber Security Regulations give auditors a way to do gap assessments, including how to interpret each security measure and what to expect from it.
A maturity model is part of the framework, and it sorts the controls into groups based on how important they are. Keep in mind that the ITU's Global Cyber Security Index (GCI) takes each country's Cyber Security Framework into account. Thanks to this method, organizations can now better manage cybersecurity risk and reduce it.