The Department of Telecommunication (‘DoT’) has, by way of notification dated September 26, 2018, issued instructions to all licensees in relation to the minimum requirements for the security policy of DoT licensees. These requirements are applicable to telecom networks and systems holding customers’ data, including the endpoints through which such infrastructure and information are accessible.
The security policy must, at a minimum, include provisions in relation to, inter alia: (i) responsibility of the management; (ii) designation of chief security officer(s) for network security and information security; (iii) implementation of a security risk management system; (iv) periodic evaluation of the information security performance and effectiveness of the security management; (v) provision of periodic training and awareness programs; (vi) ensuring adequate storage, protection and availability of the security policy, recruitment process, and employees’ records including permanent and local addresses and their pre-employment references, etc. The notification clarifies that the licensees should have further provisions, in addition to the minimum requirements set out in the notification, as part of their security policy to enhance security as deemed fit, since network security is the responsibility of the licensees. The licensees have been given a period of one year to fully implement these requirements. Further, these guidelines are subject to review every two years or on a need basis.