Example: air traffic controller

2021 No. ELECTRONIC COMMUNICATIONS

This document contains draft Regulations setting out security measures to be taken by providers of public ELECTRONIC COMMUNICATIONS networks and services. It has been made available by the Department of Digital, Culture, Media and Sport to illustrate how the powers in the Telecommunications ( security ) Bill (as introduced to Parliament) may be used, and to support early engagement with providers. STATUTORY INSTRUMENTS. 2021 No. ELECTRONIC COMMUNICATIONS . The ELECTRONIC COMMUNICATIONS ( security Measures). Regulations 2021. Made - - - - **. Laid before Parliament **. Coming into force - - **. CONTENTS. 1. Citation and commencement 2. Interpretation 3. Network architecture 4.

communications service, means the extent of the overall security risk to the network or service as determined by an assessment under regulation 9(2)(c); “sensitive data”, in relation to a public electronic communications network or a public electronic

Tags:

  Security, Communication

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of 2021 No. ELECTRONIC COMMUNICATIONS

1 This document contains draft Regulations setting out security measures to be taken by providers of public ELECTRONIC COMMUNICATIONS networks and services. It has been made available by the Department of Digital, Culture, Media and Sport to illustrate how the powers in the Telecommunications ( security ) Bill (as introduced to Parliament) may be used, and to support early engagement with providers. STATUTORY INSTRUMENTS. 2021 No. ELECTRONIC COMMUNICATIONS . The ELECTRONIC COMMUNICATIONS ( security Measures). Regulations 2021. Made - - - - **. Laid before Parliament **. Coming into force - - **. CONTENTS. 1. Citation and commencement 2. Interpretation 3. Network architecture 4.

2 Protection of data and network functions 5. Monitoring and audit 6. Supply chain 7. Prevention of security compromise and management of security permissions 8. Remediation and recovery 9. Governance and accountability 10. Competency 11. Testing 12. Assistance The Secretary of State, in exercise of the powers conferred by section 105B and 105D of the COMMUNICATIONS Act 2003(a), makes the following Regulations. Citation and commencement 1. These Regulations may be cited as the ELECTRONIC COMMUNICATIONS ( security Measures). Regulations 2021 and come into force on [date]. Interpretation 2. In these Regulations . the Act means the COMMUNICATIONS Act 2003;. (a) 2003 : section 105B is inserted by section 1 of the Telecommunications ( security ) Act 2021 (c.)

3 *); section 105D is inserted by section 2 of that Act. This document contains draft Regulations setting out security measures to be taken by providers of public ELECTRONIC COMMUNICATIONS networks and services. It has been made available by the Department of Digital, Culture, Media and Sport to illustrate how the powers in the Telecommunications ( security ) Bill (as introduced to Parliament) may be used, and to support early engagement with providers. content , in relation to a signal, means any element of the signal, or any data attached to or logically associated with the signal, which reveals anything of what might reasonably be considered to be the meaning (if any) of the communication , but.

4 (a) any meaning arising from the fact of the signal or from any data relating to the transmission of the signal is to be disregarded, and (b) anything which is systems data as defined by section 263(4) of the Investigatory Powers Act 2016(a) is not content;. external signal , in relation to a public ELECTRONIC COMMUNICATIONS network, means any signal transmitted by or to the network;. network provider means a person who provides a public ELECTRONIC COMMUNICATIONS network;. privileged access , in relation to a public ELECTRONIC COMMUNICATIONS network or a public ELECTRONIC COMMUNICATIONS service, means direct access to security critical functions of the network or service (and includes any access capable of making material changes to security critical functions).

5 security critical function , in relation to a public ELECTRONIC COMMUNICATIONS network or a public ELECTRONIC COMMUNICATIONS service, means any function of the network or service whose operation is likely to have a material impact on the proper functioning of the entire network or service or a material part of it, including its structure, separation, confidentiality, integrity or availability; and includes any function of the network or service whose operation is likely to have a material impact on the proper functioning of a security critical function;. security permission , in relation to a public ELECTRONIC COMMUNICATIONS network or a public ELECTRONIC COMMUNICATIONS service, means a permission given to a person in relation to the network or service that would increase the person's opportunity to cause a security compromise to occur in relation to the network or service.

6 security risk , in relation to a public ELECTRONIC COMMUNICATIONS network or a public ELECTRONIC COMMUNICATIONS service, means the extent of the overall security risk to the network or service as determined by an assessment under regulation 9(2)(c);. sensitive data , in relation to a public ELECTRONIC COMMUNICATIONS network or a public ELECTRONIC COMMUNICATIONS service, means . (a) data which defines, controls or materially contributes to a security critical function, (b) data which is the content of a signal, or (c) other data which would produce or enable a material security compromise if it were to be compromised;. service provider means a person who provides a public ELECTRONIC COMMUNICATIONS service.

7 Signal has the same meaning as in section 32 of the Act. Network architecture 3. (1) A network provider must . (a) except in relation to an existing part of the public ELECTRONIC COMMUNICATIONS network, design, construct and maintain the network in a manner which appropriately reduces the risks of security compromises, (b) in relation to an existing part of the public ELECTRONIC COMMUNICATIONS network, redesign and reconstruct that part, so far as is appropriate and proportionate, in a manner which appropriately reduces those risks, and (c) maintain the public ELECTRONIC COMMUNICATIONS network in a manner which appropriately reduces those risks. (a) 2016 c. 25.

8 2. This document contains draft Regulations setting out security measures to be taken by providers of public ELECTRONIC COMMUNICATIONS networks and services. It has been made available by the Department of Digital, Culture, Media and Sport to illustrate how the powers in the Telecommunications ( security ) Bill (as introduced to Parliament) may be used, and to support early engagement with providers. (2) For the purposes of paragraph (1), any part of a public ELECTRONIC COMMUNICATIONS network is an existing part if it was brought into operation before the coming into force of these Regulations. (3) The duty in paragraph (1) includes in particular a duty . (a) to identify, record and reduce the risks of security compromises to which the entire network and each particular function, or type of function, of the network may be exposed, taking into account.

9 (i) whether the function contains sensitive data, (ii) whether the function is a security critical function, (iii) the physical location of the function or data related to the function, (iv) the exposure of the function to external signals, and (v) any other relevant factor, (b) to identify and record the extent to which the network is exposed to external signals, (c) to ensure appropriate network separation of each part of the network, particularly between security critical functions and other functions of the network, and between equipment and software used for separate security critical functions, (d) to design, construct and maintain the network to ensure that security critical functions are located in an appropriate place and appropriately protected, (e) to take appropriate measures in the procurement, configuration, management and testing of equipment to ensure the security of the equipment and functions carried out on the equipment, and (f) to ensure that the network provider is able to assess risks to, and where necessary maintain the operation of, a public ELECTRONIC COMMUNICATIONS network located in the United Kingdom, without reliance on persons, equipment or stored data located outside the United Kingdom.

10 (4) In paragraph (3)(c), network separation , in relation to a public ELECTRONIC COMMUNICATIONS network, means the separation of particular data transmitted by means of the network from other data transmitted by means of the network . (a) as a result of the physical properties of the network (physical separation), or (b) as a result of the use in relation to those data of functions that are different from those used in relation to other data (logical separation). Protection of data and network functions 4. (1) A network provider must use technical means . (a) to protect any data stored by ELECTRONIC means in a manner which is proportionate to the sensitivity of the data, and (b) to protect functions of the public ELECTRONIC COMMUNICATIONS network in a manner which is proportionate to the sensitivity of each function.


Related search queries