The Nepal Telecommunications Authority has sought suggestions for the amendment of the Cyber Security Regulations, 2077. On Wednesday, it published information requesting feedback, advice, and recommendations for the amendment of the regulations.
The authority has given 30 days for the submission of feedback, advice, and recommendations on any issues or subjects related to telecommunications service providers that require amendment in the regulations, as published in the 12-page draft.
The Cyber Security Regulations, 2077, were introduced under the authority of Section 62 of the Telecommunications Act, 2053. Treating cybersecurity as a sensitive subject, the authority has focused on these regulations, which are aimed at telecommunications service providers.
The regulations encompass 11 topics, including the requirement for service providers to have their security policy in line with general security standards and practices, updating such policies annually, specifying the usage of social media in the office, etc.
Furthermore, provisions related to the security of passwords, adopting internationally recognized security systems for service providers, disabling default logins in any application, creating awareness among users about cybersecurity, incorporating provisions in security standards and practices for vulnerable security measures, and implementing the Core System Security by using an updated firewall are also included in the regulations.
Additionally, provisions for DDoS Detection Systems on pre-existing infrastructure/network security, using a virtual private network while accessing systems from external locations, etc., are present.
The regulations also include provisions for OTP (One Time Password) for application security. The regulations further highlight data security and privacy, information security audits, incident response, the establishment of an internal security operation center, cyber security awareness and capacity development, etc.
Under the Information Security Audit, the service providers are required to conduct internal security audits every three months. Furthermore, every six months the companies are mandated to submit a security audit report to the authority.
Besides, internal security service providers have also been asked to conduct external security audits. Under this, the authority or the government can perform an information security audit at their discretion.
The regulations also make provisions for cloud services, including the adoption of cloud-related security measures. Additionally, they require the establishment of a separate team for cybersecurity within service providers. The regulations also mention the authority having its own separate Cyber Response Team.