Telecom Security Audit
The Department of Telecommunications (DoT) has directed telecom companies to undertake an “information security audit” of their networks and submit the report to the department.
What is an information security audit for telecom networks?
- As the name suggests, an information security audit is a step-by-step assessment of the complete network infrastructure that checks the equipment installed and the latest upgrades applied, in order to prevent data leakage.
- The auditors also check the data storage and security policies of the company and check whether all sections of the company adhere to the norms set by the company itself.
- Apart from that, some auditing agencies also launch a controlled bug into the network of the company to check for vulnerabilities and see which systems are affected.
- The objective of the audit is also to check for ‘backdoor’ and ‘trapdoor’ vulnerabilities. A ‘backdoor’ or a ‘trapdoor’ is a bug installed in the telecom hardware which allows companies to listen in or collect data being shared on the network.
Need for the audit
- One of the main reasons for the DoT asking telecom companies to get this external audit done by an agency empanelled with the Indian Computer Emergency Response Team (CERT-In) is to check for any ‘backdoor’ or ‘trapdoor’ bugs installed on their networks.
- While it has not specifically mentioned a threat from any company, DoT officials did hint that this audit was necessary since there were reports from other parts of the world of such bugs being installed in telecom networks.
- The audit is likely to increase the scrutiny on Chinese vendors Huawei Telecommunication Company and ZTE, which have been alleged to spy for the Chinese government. For example, in January 2020, the US released a report in which it said that Huawei had inserted ‘backdoors’ in mobile phone networks it had helped build in the US and across the world.
Who will do the audit?
- In its guidelines, the DoT is likely to suggest to the companies that the external audit should be done only by an agency empanelled with CERT-In.
- This means that the audit will no longer remain a commercial compliance norm for the company, but will also look into the national security aspects of the telecom network.
- Though such internal and external audits are done by companies every three or four years, it will be the first time that the audit will be done by an agency specified by the DoT.
- The report of the audit is likely to help DoT put in place a concrete plan to bar Chinese vendors from the Indian telecom market space if any problems are found.