India's Department of Telecom (DoT) has amended rules on imported telecom gear, requiring operators to have the equipment independently vetted.
The new rules compel trunk operators and ILD to use international accredited network audit agencies to perform tests on network gear, according to documents dated August but published to the DoT's site on Tuesday.
These tests include network forensics, hardening, penetration tests and risk assessment. Equipment must be vetted on purchase, then at least once within the first year of purchase and every two years thereafter. Auditors may be chosen from a list of approved firms to be kept by the DoT.
The initial security rules had made operators “completely and totally responsible for security of their networks,” including the security audits.
Audit will at first be limited to core equipment, including routers, switches, firewall and VoIP gear.
Operators will still be the ones held financially accountable for any breach - the amended rules spell out a penalty of 500 million rupees ($11.1m) per purchase order, as well as 100% of the value of the supply contract.
Operators will be required to set up test labs on their own premises, monitor all network intrusions and frauds and report them to the DoT or the national computer security group CERT-IN.