FAQs On Designation of Telecom Security Testing Laboratories
A. General
1. What is NCCS?
NCCS (National Centre for Communication Security) is a subordinate office of DoT (Department of Telecommunications) that is vested with the responsibility of developing Security standards/requirements and activities associated with the security testing such as Telecom Security Testing Lab recognition and certification of Telecom equipment.
2. Who is the Certification Body (CB)?
Security Certification Division of NCCS is the Certification Body (CB).
3. Who is designating authority (DA)?
Security Lab Recognition (SLR) Division of NCCS with the authority to designate, monitor, suspend or withdraw designation of TSTLs to conduct conformity assessment activities within its jurisdiction is the Designating authority (DA).
4. What is ITSAR?
ITSAR means Indian Telecom Security Assurance Requirements which is a list of Security Requirements that a Telecom equipment or a group of Telecom equipment must comply with. ITSAR is published by Security Assurance Standards (SAS) Division of NCCS for a Telecom equipment or a group of Telecom equipment.
5. Do one telecom equipment have only one applicable ITSAR?
Not necessarily. One telecom equipment can have one or more than one applicable ITSARs to comply with.
6. Where can I get the ITSAR(s) applicable for Telecom equipment for which the designation is being sought and other scheme related documents?
The latest version of ITSAR(s) applicable for Telecom equipment and other scheme related documents are available for free in download section of NCCS portal
7. Can the designated TSTL participate both online and offline for testing and certification of Telecom equipment? (can the designated TSTL part of online process of certification of telecom equipment)
After designation TSTL shall participate strictly through online for certification process of telecom equipment prescribed by DoT only.
B. Application package
8. What is an application package?
Application package is the duly filled application form as given in Doc.No. NCCS/SLR/02 “Application form for Designation of TSTL” along with the following documents:
a. Proof of Legal Identity
b. Address proof
c. Certificate of Accreditation in accordance with latest version of ISO/IEC 17025 for the discipline - Software and IT system covering Application Security Testing (OWASP, CWE 25), Vulnerability Analysis & Non- destructive Penetration Testing (CIS; NIST SP 800-115.) from any recognised Indian accreditation body like NABL.
d. Organizational Structure and Staffing Chart of the TSTL
e. Laboratory Layout
f. Details of capability and technical competence for testing each stipulated ITSAR requirement for the Telecom equipment for which designation is sought.
g. Copy of test reports of security testing of a sample Telecom equipment carried out by the TSTL against ITSAR requirements.
h. One copy of the Quality Manual meeting all the designation requirements contained in the document No NCCS/SLR/03 “Designation Requirements of TSTL”
i. Audited financial statements
j. Non-refundable fee
9. Which documents are accepted as Address proof?
The following are accepted as Address proof:
a. Certificate/Documentary evidence from Registrar of Firms.
b. Certificate/Documentary evidence from Directorate of Industries.
c. Certificate/Documentary evidence from Industries Centre.
d. Certificate/Documentary evidence from Municipal/Local Corporation (like water bill, electricity bill, landline bill not older than three months).
e. Certificate/Documentary evidence from Central Insecticides Board or Drug Controller.
f. Certificates/documentary evidence from Pollution Control Board or any such Competent Authority indicating premises of the applicant lab will be accepted for the purpose of authentication of premises.
10. Which documents are accepted as legal identity proof?
The following are accepted as legal identity proof:
a. Registration Certificate with Service Tax Authorities.
b. Registration Certificate with Registrar of Societies.
c. Certificate of Registration by Company Registrar.
d. Memorandum of Article in case Applicant lab is a Limited Company.
e. Partnership Deed in case the applicant lab is under Partnership
f. Certificate from a Chartered Accountant (CA) establishing the proprietorship of the laboratory business entity in case of proprietorship lab
g. Affidavit on Non-Judicial Stamp Paper of Rs.100/- by Proprietor that he is the sole Proprietor duly attested by Notary Public will be accepted for the purpose of establishing legal identity of the lab
h. Registration issued by Ministry of Labor
i. Registration issued by Corporate Affair
j. Plot/premises allotment letter issued by any govt. body or industrial authority etc.
k. Income TAX PAN card
11. Can the TSTL apply both online and offline for designation?
TSTL can apply offline for designation till the online platform for TSTL designation is made ready.
12. TSTL application for designation should be sent to which address?
Duly filled Application Package for designation may be sent to the following address: DDG (SLR), National Centre for Communication Security, Department of Telecommunications, 2nd Floor, City Exchange building, Sampangirama Nagar, Bangalore -560027
13. What is First Designation?
A TSTL seeking Designation for the first time is termed as First Designation.
14. What is Additional scope of Designation?
An already designated TSTL wanting to enhance the scope of testing for additional equipment, then it is called as Additional scope of Designation.
15. For additional scope of Designation, do the TSTL need to again submit the legal identity proof?
No, this document is to be submitted at the time of first designation and renewal only.
16. For additional scope of Designation, do the TSTL need to again submit the accreditation certificate from any recognised Indian accreditation body like NABL?
No, this document is to be submitted at the time of first designation and renewal only.
17. For additional scope of Designation, do the TSTL need to again submit the Audited financial statements?
No, Audited financial statements are to be submitted at the time of first designation and renewal only.
C. TSTL Designation scheme
18. What is TSTL Designation?
TSTL Designation means the authorisation given by Security Lab Recognition (SLR) Division of NCCS to a Telecom Security Testing Laboratory (TSTL) to undertake specified conformity assessment activities.
19. What is a Designated TSTL?
It is a Telecom Security Testing Laboratory (TSTL) designated by Designating Authority to carry out the security testing of the telecom equipment (for which it is designated) against the applicable ITSAR.
20. Who can apply for designation?
Any TSTL having competency to perform conformity assessment of Security requirements specified in ITSAR and meeting the designation requirements given in the document Doc.No. NCCS/SLR/03 “Designation Requirements of Telecom Security Testing Laboratories” may apply for designation.
21. What are the eligibility conditions for a TSTL?
Eligibility conditions for a TSTL are:
-
-
TSTL shall be a Legal entity (within jurisdiction of Indian courts)
-
TSTL shall be a Registered entity under corporate law of India
-
TSTL resides and operates within India physically
-
TSTL shall be a Financially sound enough to run the operations in India
-
TSTL shall be a Technically competent to conduct the security conformance testing against the ITSAR.
-
TSTL shall meet all the designation requirements stipulated in the document NCCS/SLR/03 (Designation Requirements for Telecom Security Testing Laboratories).
-
g. All the key staff such as CTO / CSO / CISO / TSTL SA / TSTL incharge should be Indian resident citizens
22. What is the minimum scope of Designation?
TSTL shall seek Designation for atleast one Telecom equipment for which ITSAR is available.
23. Designation is valid for how much period?
Designation shall be valid for a period of three (3) years.
24. When should the designated TSTL apply for renewal?
Application for renewal can be submitted within 180 days but not later than 60 days before the expiry of the designation validity.
25. Do the validity period of the Designation certificate for the TSTL is different for each telecom product?
No, there will be only one period of validity for a designated TSTL irrespective of the number of telecom products for which the designation is awarded
26. In case of revision of ITSAR for the designated scope, do the validity period of the designation changes?
No. The validity of the designation would remain unchanged subject to the condition that the TSTL meets the revised scope.
27. After additional scope of designation, do the validity period of the TSTL first designation change?
No, designation for the additional scope would be given only for the remaining period of the validity of the original designation. Thus, the validity of the designation remains unchanged.
28. Are the Time schedules indicated for various activities in the document NCCS/SLR/01 (Procedure For Designating Telecom Security Testing Laboratories) to be followed strictly?
These Time schedules stated are indicative only and shall not be considered as a matter of rule or right for the TSTL applicant. They shall not be binding on designating authority, as time taken in completion of various processes depends upon nature and circumstances of the case.
29. What would be the impact of revocation/suspension/expiry of accreditation given to the TSTL by any recognised Indian accreditation body like NABL on the Validity of Designation?
TSTL shall maintain 17025 accreditations given by any recognised Indian accreditation body like NABL, during the validity period of designation failing which the TSTL Designation will automatically become invalid.
30. What is the minimum storage period for the documents related to the equipment testing?
TSTL shall have a record system which shall have a retention period of at least 5 years for documents related to the equipment testing.
31. Can the TSTL advertise its designation status?
Yes, Designated TSTLs may advertise their designation status as long as the TSTL designation is valid.
32. Will there be any post-designation surveillance activities? If yes, by whom?
Yes. Designating Authority shall conduct periodic surveillance assessments and other non-routine assessments on the Designated TSTLs to ensure that standards of practices are maintained as well as to investigate complaints made against them.
33. Is there a provision for the TSTL to appeal against the decision of DA on designation?
Yes, any representation against the decisions pertaining to TSTL Designation may be preferred with Sr.DDG, NCCS (Scheme controller) within a period of 15 days.
D. TSTL Designation requirements
34. In which discipline the accreditation certificate for the TSTL is required from any recognised Indian accreditation body like NABL?
Accreditation by any recognised Indian accreditation Body like NABL shall be in accordance with latest version of ISO/IEC 17025 for the discipline - Software and IT system covering Application Security Testing (OWASP, CWE 25), Vulnerability Analysis & Non-destructive Penetration Testing (CIS; NIST SP 800-115.).
35. Who verifies Scheme specific requirements for performing conformity assessment of Telecom equipment against ITSAR requirements? NABL or NCCS?
Scheme specific requirements for performing conformity assessment of Telecom equipment against ITSAR requirements will be verified/assessed by NCCS as a part of the TSTL designation process.
36. Can the TSTL team or individual who is involved in the development of the Telecom equipment be engaged to conduct the same equipment evaluation?
No
37. Whether providing the Consultancy services by TSTL to OEM is allowed?
Designation Requirements for Telecom Security Testing Laboratories prohibits such consultancy services.
38. Can the TSTL team or individual who is involved in any kind of consultancy service to the client be engaged to conduct the evaluation of the equipment offered by the same client?
No
39. Can the TSTL conduct the security evaluation and testing activities remotely from its the evaluation and testing facility present outside India?
No – TSTLs must have their evaluation and testing facilities permanently in India and conduct ITSAR conformity security testing business strictly in INDIA ONLY.
40. Can TSTL conduct Security evaluation at the developer site/ location other than its own premises?
Yes, but only in exceptional circumstances and with the prior approval from Certification Body. It is permitted only if the developer site/ location in India.
41. What are all the security tools and equipment that the TSTL should have at their test facility to carryout the evaluation of the equipment against the applicable ITSAR(s)?
TSTL must have an adequate knowledge on the tools and equipment that are required to carryout the security testing of the telecom equipment for which designation is being sought. However, a broad list of the tools required to carryout the security testing against applicable ITSAR(s), if any given on NCCS portal may be used by the TSTL for reference.
42. Can the TSTL engage contract personnel to carry out the evaluation activities?
Yes, but with certain obligations on such contracts.
43. Can TSTL subcontract the evaluation activity including testing in part or full to any other agency for which TSTL is designated?
No.
44. Can the client approach the designated TSTL directly and offer the equipment for security testing against ITSAR?
No. In case the client contacts the TSTL directly, TSTL shall direct them to MTCTE portal.
45. What is Proficiency Testing?
The proficiency testing means the ability of TSTL for conducting evaluation of one product against all the applicable ITSAR(s) i.e. the full testing of a sample product against all the security requirements of all the ITSAR(s) applicable for the equipment for which the designation is being sought. This test report is to be submitted by the TSTL to DA along with the application and this testing has to be demonstrated by the TSTL to the DA.
Sample format of this test report (for one security requirement is) for reference is available for free in download section of NCCS portal.
46. What are the Sample Copy of test reports that are to be submitted along with the application?
These are the full detailed test report of a sample product evaluated prior to the designation, by the TSTL against all the security requirements of all the ITSAR(s) applicable for the equipment for which the designation is being sought.
This is a documentary evidence about the technical capabilities and competence of the TSTL to conduct the evaluation of the equipment against the applicable ITSAR(s) , for which the designation is being sought.
E. TSTL Designation Fee
47. How much is the fee for TSTL designation?
Non-refundable fee of Rs. 2,00,000/- is payable for first Telecom equipment.
Further, for designation beyond one Telecom equipment, an additional fee of Rs. 50,000/- is payable per additional Telecom equipment.
48. How much is the renewal fee for TSTL designation?
The fee for renewal shall be Rs. 25,000/- for each Telecom equipment for which scope of Designation is to be renewed.
49. Will the fee paid be refunded in the event of cancellation of Application by the applicant?
No, Fee paid is nonrefundable.
50. Is the Fee specified per ITSAR or per equipment?
Fee specified is per Telecom equipment.
Disclaimer
In case of any variation between what has been produced in these FAQs and that contained in the NCCS documents/other relevant Acts/Rules/Regulations/Policy Statements etc., of the department, the latter shall only prevail.