The Computer Emergency Response Team Rules have been promulgated under the sections 51 and 49 of the PECA.In light of the continuous attacks of spyware on government websites and the hacking of the same, the Government of Pakistan promulgated the said Rules for the creation of computer emergency response teams at the national, provincial and sectoral levels to respond to such threats to protect government data and that of private citizens being handled by the Government.
Salient features of the rules and their impact on companies and individuals are discussed below:
ESTABLISHMENT OF CERTS
Types of CERTs are to be formed under section 3 of the Rules.
-
- National Level: The Central Entity along with its National Computer Emergency Response Team (ICERT) and National Security Operation Center (NSOC).
- Sectoral Level: Sectoral Regulator (s)l CERTs (including but not limited to Defense, Telecom, Banking, Finance, Power, and Public sector).
- Organizational Level: Enterprises, entities, and individual users.
RELEVANCE WITH DATA PROTECTION
Rule 8 (3) of the CERT Rules provide that Sectoral CERT is a sector specific CERT responsible for responding to threats against or attacks on critical information, data, information systems, or infrastructure, or widespread attacks on information systems in its relevant sector.
SERVICES OF CERTs
Rule 12 of the CERT rules provide that the CERTs shall provide the following services to its constituents:
-
- CERTS shall disseminate security announcements regarding potential cyber attacks.
- Provide technology updates to its constituents
- CERTs shall conduct periodic audits and assessments of the security and information systems of constituents from time to time
- The CERT shall assist constituents in upgrading their security for information systems
- Provide security consulting on its own or upon request
- Upgrade and update software and hardware of constituents
Constituents are defined as a group of users falling with the jurisdiction of a CERT.
COMPLIANCE WITH DIRECTIVES OF CERTS
Rule 26 (1) provides that the DG National CERT is to designate an officer who on behalf of the Sectoral CERTs shall require compliance from functional entities. Functional Entities are defined as an organization with specific goals and objectives, led by an autonomous body and affiliated, registered, accredited or recognized by the respective regulatory authority.
The above is a very vague and broad definition. In the same vein on compliance Rule 26 (2) continues by providing that any non-compliance by a service provider, body corporate data centers and intermediaries and individuals will be shared with the concerned officer so appointed by the DG National CERT.
There is no definition for body corporate and entirely no description on what sort of compliance is required to be made. The rule over laps between functional entity and other entities such service providers and body corporates.