Govt. notifies Telecom Cyber Security Rules to enhance safety of telecommunication infrastructure

Telecommunication entitiy will have to inform CG within 6 hours of becoming aware of a security incident.

Ministry-of-Communications

On 21-11-2024, the Ministry of Communications notified the Telecommunications (Telecom Cyber Security) Rules, 2024 introducing stringent security measures and increased accountability for telecom entities. The provisions came into force on 21-11-2024.

Key Points:

  1. The Central Government (‘CG’) agency authorized by Central Government can seek for traffic other data from a telecommunication entity on the Central Government portal for protecting and ensuring telecom cyber security.

  2. CG can also direct the telecommunication entity to establish necessary infrastructure and equipment for collection from designated points to enable its processing and storage.

  3. Obligations relating to telecom cyber security:

    • It should not be endangered by any person;

    • No one should send messages which can adversely affect it;

    • There should not be misuse of telecommunication equipment/ telecommunication identifier/ telecommunication network/ telecommunication services;

    • Telecommunication should ensure compliance with directions and standards issued by the CG.

    • Every telecommunication entity will have to furnish a detailed report relating to action taken on the portal.

  4. Measures to be taken by every telecommunication entity:

    • Adopt a telecom cyber security policy and inform CG about it;

    • Identify and reduce the risks of security incidents and ensure timely responses;

    • Take appropriate action for addressing security incidents, and mitigate their impact;

    • Conduct periodic telecom cyber security audits of its network to assess resilience to Threats on telecom cyber security;

    • Report security incidents to the CG;

    • Establish facilities such as Security Operations Centre.

  5. Reporting of Security Incidents:

    • Telecommunication entity within 6 hours of becoming aware of a security incident affecting its telecommunication network/ services;

    • Telecommunication entity within 24 hours of becoming aware of a security incident should furnish the following information:

      • number of users affected by the security incident;

      • duration of the security incident;

      • geographical area affected by the security incident;

      • extent to which the functioning of the telecommunication network/ service is affected;

      • remedial measures taken or proposed to be taken.

    • The CG can ask the affected telecommunication entity to provide information needed to access the telecommunication network/ services including the telecom cyber security policy and carry out a security audit.

Join the discussion

Leave a Reply

Your email address will not be published. Required fields are marked *