In light of growing concerns over cybersecurity and evolving technology and operational practices, Ofcom (the independent regulator and competition authority for the UK communications industries) is seeking views on whether its existing guidance on network security should be revised. Interested parties have until 21 February 2014 to respond. Depending on the responses received, Ofcom intends to publish updated guidance during 2014.
The main topics and questions in the consultation are:
- Security and resilience vulnerabilities in the UK’s telecoms networks. What are your views on emerging and potential future security and availability risks and whether they should be addressed in the revised guidance? (Ofcom commissioned and has published alongside this consultation a report from Detica on these issues.)
- Management of general security risks. In relation to the obligations to manage general security risks, how should the guidance be revised to reflect issues such as ENISA’s Guidelines on security controls, supply chain management, the use of 3rd party data centres and applicability to smaller communication providers (“CPs”)?
- Protecting end users. How best can risks to end users be considered by CPs and appropriate security information be made available?
- Protecting network availability. Should Ofcom consider additional guidance in relation to network availability and the provision of related consumer information?
- Incident reporting. There are three questions here:
- Would it be useful to clarify Ofcom’s expectations around reporting in the case of wholesale and “over the top” arrangements, and the need for CPs to maintain sufficient fault monitoring?
- What are your views on the appropriate thresholds for reporting incidents affecting customers of smaller CPs, mobile networks, data services and services suffering partial failures?
- What are your views on revising the current process for reporting significant incidents?
The full consultation document is available here.