A2.8 We think it is important for everyone interested in an issue to see the views of others during a consultation. We would usually publish all the responses we have received on our website. In our statement, we will give reasons for our decisions and will give an account of how the views of those concerned helped shape those decisions.
Annex 3
3 Consultation response cover sheet
A3.1 In the interests of transparency and good regulatory practice, we will publish all consultation responses in full on our website, www.ofcom.org.uk.
A3.2 We have produced a coversheet for responses (see below) and would be very grateful if you could send one with your response (this is incorporated into the online web form if you respond in this way). This will speed up our processing of responses, and help to maintain confidentiality where appropriate.
A3.3 The quality of consultation can be enhanced by publishing responses before the consultation period closes. In particular, this can help those individuals and organisations with limited resources or familiarity with the issues to respond in a more informed way. Therefore Ofcom would encourage respondents to complete their coversheet in a way that allows Ofcom to publish their responses upon receipt, rather than waiting until the consultation period has ended.
A3.4 We strongly prefer to receive responses via the online web form which incorporates the coversheet. If you are responding via email, post or fax you can download an electronic copy of this coversheet in Word or RTF format from the ‘Consultations’
section of our website at www.ofcom.org.uk/consult/.
A3.5 Please put any parts of your response you consider should be kept confidential in a separate annex to your response and include your reasons why this part of your response should not be published. This can include information such as your personal background and experience. If you want your name, address, other contact details, or job title to remain confidential, please provide them in your cover sheet only, so that we don’t have to edit your response.
Cover sheet for response to an Ofcom consultation
BASIC DETAILS
Consultation title:
To (Ofcom contact):
Name of respondent:
Representing (self or organisation/s):
Address (if not received by email):
CONFIDENTIALITY
Please tick below what part of your response you consider is confidential, giving your reasons why
Nothing Name/contact details/job title
Whole response Organisation
Part of the response If there is no separate annex, which parts?
If you want part of your response, your name or your organisation not to be published, can Ofcom still publish a reference to the contents of your response (including, for any
confidential parts, a general summary that does not disclose the specific information or enable you to be identified)?
DECLARATION
I confirm that the correspondence supplied with this cover sheet is a formal consultation response that Ofcom can publish. However, in supplying this response, I understand that Ofcom may need to publish all responses, including those which are marked as confidential, in order to meet legal obligations. If I have sent my response by email, Ofcom can disregard any standard e-mail text about not disclosing email contents and attachments.
Ofcom seeks to publish responses on receipt. If your response is non-confidential (in whole or in part), and you would prefer us to
publish your response only once the consultation has ended, please tick here.
Name Signed (if hard copy)
Annex 4
4 Calls for Inputs questions
A4.1 This section presents the specific questions that Ofcom seeks responses to in relation to this issue.
Question 1 – What are your views on emerging and potential future security and availability risks and whether they should be addressed in the revised guidance?
Question 2 – In relation to the obligations to manage general security risks, how should our guidance be revised to reflect issues such as ENISA’s Guidelines on security controls, supply chain management, the use of 3rd party data centres and applicability to smaller CPs?
Question 3 – How best can risks to end users be considered by CPs and appropriate security information be made available?
Question 4 – Should Ofcom consider additional guidance in relation to network availability and the provision of related consumer information?
Question 5 – Would it be useful to clarify our expectations around reporting in the case of wholesale and “over the top” arrangements, and the need for CPs to maintain sufficient fault monitoring?
Question 6 – What are your views on the appropriate thresholds for reporting incidents affecting consumers of smaller CPs, mobile networks, data services and services suffering partial failures?
Question 7 – What are your views on revising the current process for reporting significant incidents?
Annex 5
5 Communications Act 2003 Wording
Security of public electronic communications networks and services Requirement to protect security of networks and services
105A.—(1) Network providers and service providers must take technical and
organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services.
(2) Measures under subsection (1) must, in particular, include measures to prevent or minimise the impact of security incidents on end-users.
(3) Measures under subsection (1) taken by a network provider must also include measures to prevent or minimise the impact of security incidents on interconnection of public electronic communications networks.
(4) A network provider must also take all appropriate steps to protect, so far as possible, the availability of the provider’s public electronic communications network.
(5) In this section and sections 105B and 105C—
“network provider” means a provider of a public electronic communications network, and
“service provider” means a provider of a public electronic communications service.
Requirement to notify OFCOM of security breach
105B.—(1) A network provider must notify OFCOM—
(a) of a breach of security which has a significant impact on the operation of a public electronic communications network, and
(b) of a reduction in the availability of a public electronic communications network which has a significant impact on the network.
(2) A service provider must notify OFCOM of a breach of security which has a significant impact on the operation of a public electronic communications service.
(3) If OFCOM receive a notification under this section, they must, where they think it appropriate, notify—
(a) the regulatory authorities in other member States, and
(b) the European Network and Information Security Agency (“ENISA”).
(4) OFCOM may also inform the public of a notification under this section, or require the network provider or service provider to inform the public, if OFCOM think that it is in the public interest to do so.
(5) OFCOM must prepare an annual report summarising all notifications received by them under this section, and any action taken in response to a notification.
(6) A copy of the annual report must be sent to the European Commission and to ENISA.
Requirement to submit to audit
105C.—(1) OFCOM may carry out, or arrange for another person to carry out, an audit of the measures taken by a network provider or a service provider under section 105A.
(2) A network provider or a service provider must – (a) co-operate with an audit under subsection (1), and (b) pay the costs of the audit.
Enforcement of obligations under sections 105A to 105C
105D.—(1) Sections 96A to 96C, 98 to 100, 102 and 103 apply in relation to a
contravention of a requirement under sections 105A to 105C as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.
(2) The obligation of a person to comply with the requirements of section 105A to 105C is a duty owed to every person who may be affected by a contravention of a requirement, and -
(a) section 104 applies in relation to that duty as it applies in relation to the duty set out in subsection (1) of that section, and
(b) section 104(4) applies in relation to proceedings brought by virtue of this section as it applies in relation to proceedings by virtue of section 104(1)(a).
(2) The amount of a penalty imposed under sections 96A to 96C, as applied by this section, is to be such amount not exceeding £2 million as OFCOM determine to be—
(a) appropriate; and
(b) proportionate to the contravention in respect of which it is imposed.
135 Information required for purposes of Chapter 1 functions
(3) The information that may be required by OFCOM under subsection (1) includes, in particular, information that they require for any one or more of the following purposes-- (ie) assessing the security of a public electronic communications network or a public electronic communications service;
(if) assessing the availability of a public electronic communications network 137 Restrictions on imposing information requirements
(2A) OFCOM are not to require the provision of information for a purpose specified in section 135(3)(ie) or (if) unless—
(a) the requirement is imposed for the purpose of investigating a matter about which OFCOM have received a complaint;
(b) the requirement is imposed for the purposes of an investigation that OFCOM have decided to carry out into whether or not an obligation under section 105A has been complied with; or
(c) OFCOM have reason to suspect that an obligation under section 105A has been or is being contravened