Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023

Power of Commission to serve security measures directions

14. (1) A provider shall, on the request of the Commission, provide the Commission with the information needed to assess the security of the provider’s networks and services, including documented security policies.

(2) The Commission may serve a direction (referred to in this Part as a “security measures direction”) on a provider—

(a) to remedy a security incident,

(b) to prevent a security incident from occurring when a significant threat has been identified, or

(c) to ensure that the provider is in compliance with this Part.

(3) Without prejudice to the generality of subsection (2), a security measures direction may require a provider to do one or more of the following:

(a) to implement specified measures within specified time limits to remedy a security incident or prevent one from occurring when a significant threat has been identified;

(b) where the Commission has reasonable grounds to believe that a provider is failing, or has failed, to act in accordance with this Part, regulations under this Part or security measures guidelines, to provide a statement to the Commission indicating what measures the provider has taken to comply with the relevant regulations or guidelines and, where the provider has failed to act in accordance with regulations or guidelines, explaining the reasons for such failure;

(c) to provide information needed to assess the security of their networks and services, including documented security policies;

(d) to submit to a security audit by the Commission or a qualified independent person nominated by the Commission and make the results of any security audit not carried out by the Commission available to the Commission;

(e) to bear the costs of an audit under paragraph (d);

(f) to implement specified measures within specified time limits in order to remedy any deficiencies identified during an assessment referred to in paragraph (c) or a security audit referred to in paragraph (d).

(4) A direction under subsection (2) takes effect—

(a) immediately upon its service, where the Commission considers, and states in the direction, that it is necessary that the direction take effect immediately to prevent a serious imminent risk to the security of networks and services, the health or safety of persons or to property, and

(b) in any other case upon the expiration of the period allowed for representations to be made under subsection (5).

(5) A provider that is the subject of a security measures direction may make written representations to the Commission in respect of the direction within the period of 14 days beginning on the date on which the direction is served on the provider and the Commission shall consider any representations made to it during that period and affirm (with or without modification) or withdraw the direction.

(6) Where a direction is affirmed under subsection (5) the Commission shall notify the provider concerned.

(7) A provider that fails to comply with a security measures direction commits an offence and is liable on summary conviction to a class A fine.