On 21-11-2024, the Ministry of Communications notified the Telecommunications (Telecom Cyber Security) Rules, 2024 introducing stringent security measures and increased accountability for telecom entities. The provisions came into force on 21-11-2024.
Key Points:
- The Central Government (‘CG’) agency authorized by the Central Government can seek traffic and other data from a telecommunication entity on the Central Government portal for protecting and ensuring telecom cyber security.
- CG can also direct the telecommunication entity to establish necessary infrastructure and equipment for collection from designated points to enable its processing and storage.
- Obligations relating to telecom cyber security:
  - It should not be endangered by any person;
  - No one should send messages which can adversely affect it;
  - There should not be misuse of telecommunication equipment/ telecommunication identifier/ telecommunication network/ telecommunication services;
  - Telecommunication should ensure compliance with directions and standards issued by the CG.
  - Every telecommunication entity will have to furnish a detailed report relating to action taken on the portal.
- Measures to be taken by every telecommunication entity:
  - Adopt a telecom cyber security policy and inform CG about it;
  - Identify and reduce the risks of security incidents and ensure timely responses;
  - Take appropriate action for addressing security incidents, and mitigate their impact;
  - Conduct periodic telecom cyber security audits of its network to assess resilience to threats to telecom cyber security;
  - Report security incidents to the CG;
  - Establish facilities such as Security Operations Centre.
- Reporting of Security Incidents:
  - Telecommunication entity within 6 hours of becoming aware of a security incident affecting its telecommunication network/ services;
  - Telecommunication entity within 24 hours of becoming aware of a security incident should furnish the following information:
    - number of users affected by the security incident;
    - duration of the security incident;
    - geographical area affected by the security incident;
    - extent to which the functioning of the telecommunication network/ service is affected;
    - remedial measures taken or proposed to be taken.
  - The CG can ask the affected telecommunication entity to provide information needed to access the telecommunication network/ services including the telecom cyber security policy and carry out a security audit.