The Governance Framework
Under Mandatory Testing Certification of Telecommunication Equipment (MTCTE) regulations, OEMs and importers must comply with Telecommunication Engineering Center (TEC) standards to sell, import, or use telecom equipment in India.
In accordance with MTCTE, the National Centre for Communication Security (NCCS) oversees the establishment of security requirements for the security certification of all telecommunication equipment. According to the mandate, NCCS is responsible for three major activities:
- Development of the Indian Telecom Security Assurance Requirements (ITSARs) for every telecommunication equipment.
- Designation of third-party Telecom Security Test Laboratories (TSTL) for carrying out the security testing of telecom equipment in accordance with the ITSAR requirements.
- Evaluation and certification of telecom equipment against the ITSARs.
What is ITSAR?
Indian Telecom Security Assurance Requirements (ITSAR) is a set of security guidelines and standards established by the NCCS. ITSAR ensures the security and integrity of telecom networks in India, and it applies to all telecom service providers in India, as well as any entity that wishes to import telecom infrastructure into the country. ITSAR covers various areas, including network security, data privacy, and lawful interception, to ensure a secure and reliable telecom infrastructure in India.
Why ITSAR compliance is essential?
Complying with the ITSAR security requirements is imperative for the following reasons:
- Compliance is a vital aspect of upholding the security and reliability of telecom networks in India. It serves as a protective measure against cyber attacks, data breaches, and other security risks. This is especially crucial in light of the increasing reliance on telecom networks for critical services such as banking, healthcare, transportation, and more.
- ITSAR promotes trust and confidence in India’s telecom sector by ensuring adherence to strict security standards and guidelines, attracting investment, and spurring innovation.
- ITSAR is an important tool for the Indian government in its efforts to combat terrorism and other forms of criminal activity.
- Compliance with ITSAR is also a great tool for business growth opportunities. Companies offering telecom equipment that is certified to comply with the ITSAR requirements will gain an advantage in a competitive market to secure contracts with Indian public and private organizations.
What are the ITSAR requirements?
ITSARs are drafted in accordance with international standards including 3GPP, ETSI EN 303 645, OSWASP 10, CWE Top 25, and NIST SP 800-115. ITSARs broadly cover the following technical and security requirements.
- Access and Authorization
- Authentication Attribute Management
- Software Security
- System Secure Execution Environment
- User Audit
- Data Protection
- Network Services
- Attack Prevention Mechanisms
- Vulnerability Testing Requirements
- Operating Systems
- Web Servers
- Cryptography and Other Security Requirements
The complete list of the approved and draft requirements is available on the ITSAR page. Companies can download the publications from the Downloads section.
What is the ITSAR Certification Process?
The security testing against ITSAR is carried out by the designated Telecom Security Test Laboratories (TSTL). On a high level, the certification procedure is as follows:
- Applicants wishing to get their equipment certified must register on MTCTE.
- After successful evaluation of the application, the applicant chooses a designated TSTL for the security testing of their equipment against the applicable ITSAR.
- TSTL conducts the required testing under the supervision of a validator.
- Upon completion of the testing, test reports are submitted by the TSTL to NCCS. These reports will be evaluated for security certification.
- Upon successful evaluation, NCCS issues the security certificate.
| 1. | Applicants Register on MTCTE |
| 2. | Applicant chooses TSTL |
| 3. | TSTL conducts required testing |
| 4. | NCCS issues security certificate |
| 5. | TSTL submits test report to NCCS |
How Fortra Can Help You
Do you sell, import, or operate telecommunications equipment in India or are you planning to?
Fortra’s portfolio offers solutions to help you prepare for and streamline the ITSAR certification process.
- BeSTORM’s DAST is a security tool that provides security checking during application development for mass manufacturing products with wireless connectivity. What sets BeSTORM apart is its “future-proof” approach to security checking. It employs a Black Box Fuzzing function that mimics the same unguided, ruleless cyber attacks used by criminals. This testing method is considered “future-proof” because it can find unknown weaknesses without guidance, in addition to testing for known vulnerabilities.
- Core Impact’s Port Scanning is part of the Rapid Pen Testing suite. Designated ports in a system are authorized to have external access. In the event of a port scanning activity, it is mandatory to log relevant parameters such as date/time, source IP, and destination port address. Core Impact’s Port Scanning tool tests and verifies these activities.
- Frontline Vulnerability Scanning meets the need for continual vulnerability scanning and management. Its core functionality is to maintain a library of found vulnerabilities, prioritize them based on their threat level, and keep a remediation plan and status. According to the regulation, it is necessary to log the vulnerabilities found in the library and report on remediation efforts. By prioritizing vulnerabilities and maintaining a remediation plan, Frontline VM ensures that the most critical vulnerabilities are addressed first and the organization’s security posture is improved.