Insights from PTA Cyber Security Annual Report-2022
PTA: Custodian of Cyber Space.

Background:

The Critical Telecom Data and Infrastructure Security Regulations (CTDISR) were issued by PTA in 2020, exercising the powers conferred on the authority by the PTA Regulations Act 1996. They provided domain-specific aspirations and best practices in line with the then-forthcoming National Cyber Security Policy 2021. They enshrined the criticality of the infrastructure and data generated by the ICT sector and emphasized the need to secure both. They made it compulsory for all license holders to take a holistic approach: first perform a gap assessment, then bridge the identified gap between existing practices and the mandated standard. CTDISR is a detailed obligatory framework that license holders are required to implement in letter and spirit. It applies to license holders of every category that caters to the ICT needs of consumers, who must ensure that their data and infrastructure are secured through globally accepted means. The provisions of the regulations are elaborated below to give a picture of their scope.

CTDISR-2020: At A Glance:

PTA published CTDISR in 2020. It is based on 16 security domains comprising 104 controls. All controls are classified by defined control levels (CL1 to CL3): CL1 is a basic security control and CL3 an advanced control with continuous improvement, in accordance with its degree of criticality. The core of the regulations is PART-II, which contains around 90 mandatory clauses/controls categorized under 9 heads. Each scope area/head, along with a basic overview, is elaborated as follows.

Cybersecurity Framework.

No of Clauses/Controls: 9

Gist: Documenting a formal cyber security framework and process approach, under a steering committee for execution and monitoring of the framework.

Physical And Environmental Security.

No of Clauses/Controls: 16

Gist: Physical aspects of security (HSE).

Monitoring.

No of Clauses/Controls: 10

Gist: Operational monitoring, log management, change and incident management.

Malware Protection.

No of Clauses/Controls: 9

Gist: Vulnerability management, supply chain management, anti-virus and malware protection.

Data Protection.

No of Clauses/Controls: 12

Gist: Data protection, handling and access management.

Critical Telecom Infrastructure Management.

No of Clauses/Controls: 14

Gist: Asset classification and management in the context of their security.

Backup.

No of Clauses/Controls: 8

Gist: Defined policies, processes and practices for backup management.

Cybersecurity Incident Management.

No of Clauses/Controls: 10

Gist: Creation of a CERT, an incident response process that is defined and practiced, investigations, and a knowledge repository/management.

Service and Cybersecurity Continuity Management.

No of Clauses/Controls: 3

Gist: RPO, RTO, business continuity and DR.

The same regulations document in PART-III the need for continual improvement in managing IT/IS processes by conducting not only internal audits but also audits by independent external audit bodies. Furthermore, PTA will conduct validation audits to ensure the quality of the audit and to assess the cyber security capabilities of the licensee as specified, and the licensee is mandated to assist the authority by executing all needed provisions of the regulations.

Insights from Cyber Security Annual report-2022:

The report was published to reflect the overall Cyber Security Index (CSI) of the Pakistan telecom sector. It included several cyber security initiatives to assess the cyber security readiness and resilience of telecom operators. The report highlighted levels of compliance, strong and weak areas, and the overall ranking of operators in accordance with the CTDISR domains. The audit-validation activity covered the audit of 15 major licensees. In the light of PTA’s validation audit, Pakistan Mobile Communications Limited (PMCL) — Jazz secured the highest percentage of compliance in Cat-I, followed by Telenor Pakistan as runner-up, whereas for Cat-II, Redtone secured the highest compliance score, followed by Multinet. The audit comprised a ten-step process in which PTA’s revalidation audit was the most critical, as it assessed the reports of the external audit firm and held a two-way interactive session with each licensee, keeping the audit objectives in mind.

Figure 1: Audit Methodology

The CTDISR audit documented the controls within this process that address the following audit objectives.

  1. Duties related to Information Technology and Information Security Function(s) process are segregated.
  2. Controls are in place to support valid, accurate and timely processing of activities related to Information Technology / Information Security in accordance with the CTDISR.

The audit approach was bidirectional and aimed at continual improvement. It involved interviews of the key personnel involved, a walkthrough of current practices, a review of the design and effectiveness of controls, and finally seeking feedback to further improve the framework/regulation.

Report rating takes place in accordance with criteria mentioned in the CTDISR report, and licensees are categorized in any of the four categories based on their evaluation in the validation audit.

  1. Unsatisfactory.
  2. Needs Significant Improvement.
  3. Needs Minor Improvement (PTCL Group, with a score of 87.98).
  4. Satisfactory.

Figure 2: Scoring Criteria.

The validation audit resulted in the following rankings of ICT service providers, which were categorized into two broad categories, CAT-I and CAT-II.

Figure 3: Ranking of Licensees.
Figure 4: Overall Compliance %
Figure 5: Overall Telco Industry Status
Figure 6: Domain-wise Compliance Status.

Takeaways for IA Teams across Industry:

PTCL Group is ranked 4th out of the 6 CAT-I CMO/ISP license holders. It has a cumulative score of 87.98, whereas Jazz, with 96.63, is ranked best in the category. The compliance score on its own might not be bad, but analyzed in the context of competitors it is a matter of concern and affects the market standing of the PTCL brand. People are well aware of the importance of being safe and secure in cyberspace; their data is an asset that the service provider must protect at all costs and use in a manner that does not compromise the privacy of their PII. Since no detailed analysis of individual licensees and their relative performance against each of the 16 security domains is provided, we cannot say for certain which weak areas were found during the validation audit of PTCL Group. One takeaway, however, is to focus on the 3 least-performing security domains highlighted in the audit and give added attention to the controls of these domains in our future internal audits, for example by validating these controls in the ITGC TOR of our internal audits. Details are as follows.

1. Backup

  • Backup copies of data, relevant software and system images related to critical data and CTI, shall be taken, and tested regularly and upon any significant change by the licensee.
  • The backup shall be stored by the licensee at a remote site located at a suitable distance from the primary site.
  • A copy of backups must be disconnected from computers and networks and should be placed in a non-rewritable and non-erasable manner.
  • Backup arrangements should cover all system information, applications, and data necessary for recovery to ensure business and service continuity.
  • An appropriate retention timeframe for critical data shall be defined, keeping in view the relevant regulatory requirements.
  • Encryption shall be applied to safeguard backup data from unauthorized access.
  • A backup policy shall be formulated and enforced to ensure compliance.
  • Full recovery of backups must be tested at least once annually and upon a fundamental infrastructure change.

2. Monitoring.

  • Automated network monitoring systems shall be put in place by the licensee to detect unauthorized/malicious users, connections, devices, and software with preventive action.
  • Authority may issue guidelines/specifications for deployment, operations, management, and access to information/logs of said Monitoring Systems.
  • CTI shall be monitored to identify and prevent eavesdropping, unauthorized access, and cyber threats.
  • Licensee shall ensure that event logs for user activities, exceptions, faults, and cybersecurity incidents are produced, stored and regularly reviewed to identify and mitigate security threats and incidents.
  • Event logs should include the following when relevant:

  1. User IDs
  2. Successful and rejected system access attempts
  3. System activities.
  4. Use of system utilities and applications
  5. Records of any transactions executed by users
  6. Data files accessed and kind of access
  7. Timestamp and details of key events
  8. Identity of device
  9. Location
  10. Records of successful and rejected data and other resource access attempts
  11. System configuration changes
  12. Network addresses and protocols
  13. Alarms raised by the access control system
  14. Activation and de-activation of protection systems such as Anti-Virus and Intrusion detection systems

  • Logging facilities and log information shall be protected by the licensee against tampering and unauthorized access.
  • Logs from multiple sensors and sources shall be aggregated and correlated by the licensee to understand attack targets and methods.
  • System administrators should not have permission to erase or deactivate logs of their own activities, and controls should be in place to audit their activities.
  • Clock synchronization shall be performed to ensure that clocks within an organization are synchronized to a single reference time.
  • Vulnerability scans shall be carried out by the licensee to apply countermeasures against vulnerabilities.
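
As an added illustration, not taken from the PTA report or from CTDISR itself, the following Python checks constructed event records against a baseline of the log fields listed above, builds a tamper-evident hash chain over them (the "protected against tampering" control), and flags an administrator clearing logs of their own activity; all field names, event names and sample values are assumptions of this example.

```python
import hashlib, json
# Baseline fields every event record should carry, taken from the monitoring
# controls above (user ID, outcome, activity, timestamp, device, location,
# network address). The field names are this example's own assumption.
REQUIRED_FIELDS = {"user_id", "timestamp", "event", "outcome",
                   "device_id", "location", "src_addr"}

def missing_fields(record: dict) -> set:
    """Return the required fields absent from one event record."""
    return REQUIRED_FIELDS - set(record)

def chain_hash(prev_hash: str, record: dict) -> str:
    """Hash a record together with its predecessor's hash (tamper-evident chain)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_chain(records: list) -> list:
    """Compute the chain hash of every record, starting from a fixed genesis value."""
    hashes, prev = [], "0" * 64
    for rec in records:
        prev = chain_hash(prev, rec)
        hashes.append(prev)
    return hashes

def verify_chain(records: list, hashes: list) -> int:
    """Index of the first record whose stored hash no longer matches, or -1 if intact."""
    prev = "0" * 64
    for i, (rec, h) in enumerate(zip(records, hashes)):
        if chain_hash(prev, rec) != h:
            return i
        prev = h
    return -1

def self_log_tampering(records: list) -> list:
    """Events where an account clears or disables the logging of its own activity."""
    return [r for r in records
            if r.get("event") in {"log_delete", "log_disable"}
            and r.get("target_user") == r.get("user_id")]

# Constructed sample events; not taken from the PTA report or any licensee.
SAMPLE = [
    {"user_id": "ops1", "timestamp": "2022-05-01T10:00:00Z", "event": "login",
     "outcome": "success", "device_id": "nms-01", "location": "KHI-DC1", "src_addr": "10.0.0.5"},
    {"user_id": "ops1", "timestamp": "2022-05-01T10:05:00Z", "event": "config_change",
     "outcome": "success", "device_id": "nms-01", "src_addr": "10.0.0.5"},
    {"user_id": "admin7", "timestamp": "2022-05-01T11:00:00Z", "event": "log_delete",
     "outcome": "success", "device_id": "siem-01", "location": "KHI-DC1",
     "src_addr": "10.0.0.9", "target_user": "admin7"},
]
```

In an internal audit, the chain hashes would be stored on a system the log producers cannot write to, so that `verify_chain` pinpoints the first altered record.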

3. Malware Protection

  • Critical telecom infrastructure shall be protected against malware by the licensee.
  • Automated malware protection shall be applied by the licensee to identify and eliminate malicious software activity.
  • A policy shall be formulated and enforced by the licensee to prohibit the use of unlicensed and unauthorized software.
  • A vulnerability management plan shall be developed and implemented by the licensee for the systems and software it uses, and exploitation of related technical vulnerabilities shall be avoided by obtaining information about them in a timely fashion and taking appropriate measures to address the associated risks.
  • A formal policy shall be formulated and enforced by the licensee to protect against risks associated with data and software obtained from external networks or any other medium.
  • Employees shall be made aware through training and awareness sessions by the licensee to safeguard against malware distributed using the internet.
  • Procedures and responsibilities shall be defined by the licensee to deal with malware protection on CTI as well as carrying out required training.
  • An appropriate business continuity plan should be prepared by the licensee for recovering from malware attacks including necessary data/software backup and recovery arrangements.

In addition to these three domains classified as weak links, the Data Protection and Critical Telecom Infrastructure Management domains can also be focused upon, and their controls made part of our internal audit exercises.

Similarly, we need to highlight the positive findings, in which internal auditors, as instigators of change and compliance, have a role to play. The domains with which licensees were found to be completely or largely compliant are as follows.

  1. Service and CS Continuity Management.
  2. Consumer Education and Awareness.
  3. CS Incident Management.
  4. Cybersecurity reviews.
  5. Physical and environmental security.
  6. Reporting requirements.
  7. CS Framework.

Furthermore, PTA in its report highlighted the long-term plans and continual-improvement aspect of its work, which will ensure cyber readiness and the application of global best practices in the day-to-day working of telcos. PTA undertakes regular VAPT activity and, as per the report, the CS risk score has gradually improved to 7.92 as a result of the 7th VAPT iteration. PTA is fully involved in the practical execution of the framework and has not left implementation to the service providers alone. Creation of a CERT, developing criteria for the selection of audit firms, and surprise visits are a few of the activities PTA is undertaking to develop an ecosystem of cyber compliance within the telecom sector.
