
Decoding the Cyber Security Bylaw 2077

Much before the onset of the global pandemic, managements faced challenges with the ever changing and dynamic digital environment.

Today, all information and communication live in the digital space, whether that is communicating with employees, suppliers, customers and tax authorities, or recording production and accounting numbers, bank payments and the like. Despite the lurking danger to the sector and the constant digital war, cyber risk management and reporting has been grossly understated and under-managed. Hackers are waiting to unlock the security systems put in place by governments, companies, homes and internet service providers.

Cybercrime is expected to cost the world about USD 6 trillion in 2021 alone. The cost of cybercrime includes deletion, damage and unauthorised edits to data, loss of funds, impact on productivity, intellectual property theft, theft of personal communication, brand damage, loss of trust, theft of financial data, embezzlement and fraud, disruption of normal business services, and more.
Cyber threats lie in wait everywhere, both internal and external, and they can be intentional or unintentional.

In this age of work from home, governments and management in all sectors have gained a better understanding of these risks.

Need of the hour for Telcos and ISPs

Fortunately, some leading government sectors in Nepal are pioneering the change, and regulators are creating and asserting the need for privacy, stronger controls and protection of sensitive data. One example is the Nepal Telecommunication Authority (NTA), which issued the Cyber Security Bylaws 2077 under the Telecommunication Act 2053. The bylaws have been framed to implement cyber security standards and best practices that protect Information and Communication Technology (ICT) against malicious attacks and threats, and to build the trust and confidence of users in the ICT partner, technology and services in use.

As per the bylaws, organisations need to ensure adequate security policies and controls around the various factors associated with cyber security, such as data, network, application, endpoint, mobile, identity and access, disaster recovery, etc. Speaking to stakeholders required to comply with the bylaws, we realised that there was a need for clarity on the level of compliance the bylaws demand.
There are a few critical and commonly benchmarked standards across the globe, such as COSO, COBIT, ISO 27001 and the NIST standards. These standards set the ground and tone for any cyber security implementation, review and compliance.

Based on our conversation with NTA, we realised that the objective of an information security audit, from their point of view, is to arrive at a sense of comfort that the Telcos and ISPs have no gross vulnerabilities that can be exploited and that there is no potential for unauthorised access to sensitive data.

As we dived deep into the bylaws to understand their intent and the things that companies should consider, we came up with the list below. Please note that this is not an exhaustive list, only an indication.

Cyber Security Bylaws

For each area the bylaws cover, "Intent" summarises what the bylaw states and "What to consider?" is our decoding of the bylaw.

General Security Standards and Practices

Intent

The purpose of security policies and standards is to protect information, assets and people, and to set out what is expected of each stakeholder.

What to consider?

– Assess the risk

– Identify the threats

– Evaluate the current maturity of the security framework

– Tone at the top

– Whether the policy and framework are in line with the risk appetite of the organisation

Infrastructure/Network Security

Intent

Whether, and how, the network infrastructure is protected by both preventive and detective measures.

What to consider?

– Network devices in line with the organisational needs

– Adequate network segregation

– Hardening of the network devices

– Integrity of hardware and software

Core System Security

Intent

Protection and monitoring of all network nodes, both outside and inside the network, providing an adequate additional layer of security for the organisation.

What to consider?

– Tools in question

– DMZ set-up

– Rules and configurations

– Change process

– Incident management

Application Security

Intent

Adequate security measures at the application level to prevent data or code within any software/app in the organisation from being stolen or used to create a backdoor.

What to consider?

– SDLC protocols followed

– Changes to the software/application post release

– Development cost and operational performance

– Applicable laws and regulations

– Backdoor monitoring

Data Security/Privacy

Intent

Data protection and proper handling of sensitive data, ensuring the necessary confidentiality for time-sensitive data such as financial information, intellectual property, etc.

What to consider?

– Data classification based on its nature

– Encryption protocols

– Information sharing

– Traceability tools for sensitive data being shared

Cloud Security

Intent

Today most data and software are stored in the cloud. Ensure that the system cannot be penetrated and that sensitive data is secured.

What to consider?

– Assessment of stakeholders' competency and conflict of duties

– Policy and compliance framework

– Security configurations

– Implementation of the framework

– Identity and user controls

– Intrusion testing

CERT/Incident Response

Intent

Awareness and preparedness in case an incident arises.

What to consider?

– Assessment of stakeholders' competency and conflict of duties

– Completeness and classification of incidents

– Identification, tracking, assessment and impact of any incident

– Policy and procedure on how to address incidents

Security Operations Centre

Intent

To ensure that all key security events are identified, assessed and tracked, with awareness of identified threats and vulnerabilities and action taken if they are exploited.

What to consider?

– Risk assessment of all key security events

– Controls to assess threats and malware

– Assessment of stakeholders' competency and conflict of duties

– Audit of intrusions

– Assessment of control effectiveness

– Escalation framework

– Future action plan

Cyber Security Awareness & Capacity Building

Intent

The intent of the bylaw is to ensure that all employees are aware of what constitutes sensitive information and of the importance of meeting and complying with security requirements.

What to consider?

– Employee awareness assessment

– Training programmes: quality, frequency, attendance, effectiveness

– Review of the capability-building programmes rolled out

– Outreach and awareness activities, and the basis on which they are assessed

– Impact assessment of the activities

– Tracking and escalation of non-compliance

The bylaws, as defined by NTA, set benchmarks for both the service provider and the auditor. The checklist above should not be treated as a verbatim checklist for audit compliance. The overall intent of the government body is to protect both the user and the provider of the service from malicious attacks and threats, and to build confidence in the technology and service.

Keeping the overall intent in mind, companies should assess the overall maturity of their cyber security framework and address any vulnerabilities and threats they find in the process.

Tulsi Khemka is a CA with 18+ years of experience in risk, systems and security, having worked with corporates in India, Nepal, the US and the UK.
