How Vulnerability Management Helps With ITSAR Compliance


Indian Telecom Security Assurance Requirements (ITSAR) is a set of security guidelines and standards established by the Indian governmental agency, NCCS. ITSAR ensures the security and integrity of telecom networks in India, and applies to all telecom service providers within India, as well as any company that wishes to import telecom infrastructure into the country. ITSAR covers various areas, including network security, data privacy, and lawful interception, to ensure a secure and reliable telecom infrastructure in India.  

The complete list of requirements are available on the ITSAR page and a downloadable version of the publications is available. 

Why ITSAR Compliance is Essential 

  • Regulations uphold the security and reliability of telecom networks in India. It’s a protective security measure against cyberattacks, data breaches, and other security risks. India’s expanding reliance on telecom networks for critical services such as banking, healthcare, transportation, and more make compliance a crucial step for infrastructure building. 
  • ITSAR instills trust and confidence in India's telecom sector by setting strong security standards and guidelines, attracting investment, and spurring innovation. 
  • ITSAR is an important tool for the Indian government in its efforts to combat terrorism and other forms of criminal activity. 
  • Compliance with ITSARs promotes business growth opportunities. Companies offering telecom equipment that is certified to comply with the ITSAR requirements will have an advantage in a competitive market to secure contracts with Indian public and private organizations. 

Vulnerability Management and ITSAR 

The right vulnerability management solution, along with other security testing such as dynamic application security testing, black box fuzzing, and pen testing port scanning, can help you prepare for ITSAR compliance and help the process go more smoothly.  However, legacy VM tools aren’t enough for ITSAR compliance standards. You need to choose a modern, risk-based vulnerability management platform that has the functionality  necessary to identify and prioritize your high-risk weaknesses for mitigation. 

Three specific mandates in ITSAR reference vulnerability management

Requirement 11.3:  The manufacturer implements vulnerability management associated with their IoT product.  Aspects of VM include: 

  • Receiving vulnerability reports 
  • Plans for recording and responding to reported vulnerabilities 
  • Methods of disclosing reported vulnerabilities 
  • Receiving notifications from suppliers and third-party vendors about the status of known insecurities 

Requirement Section 12:  Requires the entirety of what vulnerability management can provide in a security solution. VM solutions should include these following options: 

  • System logging and monitoring 
  • Anomaly detection alerts based on IP address, user, time stamping per application usage 
  • Application must be VM scanner supported or have a built-in VM ID solution with reporting capabilities 
  • Secure code to restrict potential adversary corruption 
  • Identify third-party and open-source software within the application to mitigate exterior public risks 
  • Admins use VM to diagnose and patch software vulnerabilities 
  • Device operating systems reviewed for known vulnerabilities, especially in cryptography, before each update and after each release. 
  • Implement a complete pen testing strategy 

Requirement 20.12:  Keep and maintain an auditable library of found vulnerabilities that can be reported on through the application/device’s lifecycle. 

How Fortra Can Help You 

Using a vulnerability management solution like Fortra VM can help streamline your qualification for ITSAR compliance.  

  • Fortra Vulnerability Management meets the need for continual vulnerability scanning and management. Its main purpose is to identify vulnerabilities and prioritize them based on the risk posed to your infrastructure, while recommending remediation steps and reporting on status. According to the ITSAR regulation, it is necessary to log the vulnerabilities in a “found vulnerability library” and report on remediation efforts. By prioritizing vulnerabilities and maintaining a remediation plan, Fortra VM ensures that the most critical vulnerabilities are addressed first and the organization's security posture is improved. 
  • BeSTORM’s DAST is a security tool that provides security checking during application development for mass manufacturing products with wireless connectivity. What sets BeSTORM apart is its "future-proof" approach to security checking. It employs a Black Box Fuzzing function that mimics the same unguided, ruleless cyber-attacks used by criminals. This testing method is considered "future-proof" because it can find unknown weaknesses without guidance, in addition to testing for known vulnerabilities.
  • Core Impact’s Port Scanning is part of the Rapid Pen Testing suite. Designated ports in a system are authorized to have external access. In the event of a port scanning activity, it is mandatory to log relevant parameters such as date/time, source IP, and destination port address.  Core Impact’s Port Scanning tool tests and verifies these activities.