
TSA CoP Security Requirements

(as per TSA CoP December 2022)

Introduction

1. This TSA CoP Security Requirements reflects the security obligations imposed on public electronic communication network and services providers by the Telecommunications (Security) Act 2021 (“TSA”) and the Electronic Communications (Security Measures) Regulations 2022 (“ECSM Regulations” or “Regulations”), and the guidance set out in the Telecommunications Security Code of Practice (“TSA CoP”) issued in December 2022 by the Department for Digital, Culture, Media and Sport (now the Department for Science, Innovation and Technology).

2. As an electronic communications services provider, Gamma is subject to the TSA and the ECSM Regulations and is required to ensure that its suppliers of relevant equipment and services are contractually bound to comply with certain rights and obligations listed in the TSA CoP in relation to such equipment and services. Therefore, this TSA CoP Security Requirements is incorporated into and forms part of the agreement between Gamma and the supplier (“Supplier”) for the provision by the Supplier of the relevant equipment and services (“Agreement”).

3. The rights and obligations are set out in the following attached Schedules:

3.1. Schedule 1 – Security Measures

3.2. Schedule 2 – Audit and Incident Management

3.3. Schedule 3 – Exit Management

4. The rights and obligations set out in the Schedules shall only apply in connection with and to the extent the Supplier is providing to Gamma electronic communications equipment or services and in relation to electronic communications equipment and services which the Supplier may procure from third parties in connection with its provision of electronic communication services to Gamma. For the avoidance of doubt, in the event the Supplier only provides electronic communications equipment to Gamma it shall be subject only to the rights and obligations set out in Schedule 1 in connection with such equipment.

5. The rights and obligations in Schedule 1 shall be effective from 31 March 2025.

6. Defined terms used herein and not otherwise defined shall have the meaning set out in the Agreement and the TSA CoP.

Schedule 1 – Security Measures

(as per TSA CoP December 2022)

| Measure Number | Description | Relevant Regulations |
| --- | --- | --- |
| M10.01 | The Supplier shall maintain records of third party suppliers’ details, including their third parties and the major components which are used in the provision of goods/services/facilities for the Supplier. | 7(1) 7(4)(a)(i) |
| M10.02 | The Supplier shall clearly express the security needs placed on third party suppliers. These shall be defined and agreed in contracts. | 7(1) 7(4)(a),(b) 9(1) 9(2)(c)(ii),(iv),(vi) |
| M10.03 | There shall be a clear and documented shared-responsibility model between the Supplier and third party suppliers. | 7(1) 7(4)(a) 9(1) 9(2)(c)(ii),(iv),(vi) |
| M10.04 | The Supplier’s incident management process and that of their third party suppliers shall provide mutual support in the resolution of incidents. | 7(4)(a)(i),(iv) 9(1) 9(2)(c)(ii),(iv),(vi) |
| M10.08 | The Supplier shall avoid transferring control of their network and user data to third parties, except where necessary. Any such transfer of control should be limited to the necessary and defined purpose. Where a data transfer is necessary, it shall be through a defined process. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii),(iii) 7(4)(b) 15 |
| M10.09 | Where network or user data leaves the Supplier’s control, the Supplier shall contractually require and verify that the data is properly protected as a consequence. This shall include assessing the third party supplier’s controls to ensure the Supplier’s data is only visible or accessible to appropriate employees and from appropriate locations. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii),(iii) 7(4)(b) |
| M10.10 | When sharing user or network data, the Supplier and its suppliers shall use an encrypted and authenticated channel. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii),(iii) 7(4)(b) 15 |
| M10.11 | The Supplier shall contractually oblige third party suppliers to notify the Supplier within 48 hours of becoming aware of any security incidents that may have caused or contributed to the occurrence of a security compromise, or where they identify an increased risk of such a compromise occurring. This includes, but is not limited to, incidents in the Supplier’s development network or its corporate network. | 7(4)(a)(i),(iv) 9(1) 9(2)(c)(i) 15 |
| M10.12 | The Supplier shall contractually require third party suppliers to support the Supplier in investigations of incidents that cause or contribute to the occurrence of a security compromise in relation to Gamma, or of an increased risk of such a compromise occurring. | 7(4)(a),(iv) 9(1) 9(2)(c)(i),(ii),(iii),(iv),(v),(vi) 15 |
| M10.13 | The Supplier shall require any third party suppliers to find and report on the root cause of any security incident that could result in a security compromise in the UK within 30 days, and rectify any security failings found. | 7(4)(a)(iv) 9(1) 9(2)(c)(i),(ii),(iv),(v),(vi) 9(4) 9(5) 15 |
| M10.14 | Where third party suppliers cannot quickly resolve security failings, the Supplier shall work with the third party supplier to ensure the issue is mitigated until resolved. | 7(4)(a)(iv) 9(1) 9(2)(c)(ii),(iv),(v) 15 |
| M10.15 | Where third party suppliers do not resolve security failings within a reasonable timeframe, the Supplier shall have a break clause with the third party supplier to allow exit from the contract without penalty. | 7(4)(c) |
| M10.16 | The Supplier shall contractually require third party suppliers to support, as far as appropriate, any security audits, assessments or testing required by the Supplier in relation to the security of the Supplier’s own network, including those necessary to evaluate the security requirements in this Schedule. | 7(1) 7(4)(a)(i),(iii),(iv) 14(1) |
| M10.17 | The Supplier shall flow down appropriate security measures to any third party administrator. The Supplier shall ensure that any third party administrator applies controls that are at least as rigorous as the Supplier’s when the third party administrator has access to the Supplier’s network or service or to sensitive data. | 7(3)(a) 7(3)(b) 7(4)(a)(i),(ii) |
| M10.18 | The Supplier shall retain the right to determine permissions of the accounts used to access its network by third party administrators. | 7(1) 7(4)(a)(ii),(iii) 7(4)(b) |
| M10.21 | The Supplier shall have the contractual right to control the members of third party administrator personnel who are involved in the provision of the third party administrator services, including to require the third party administrator to ensure that any member of personnel no longer has access to the network. | 7(1) 7(4)(a)(i),(iii) 7(4)(b) 8(4) 8(5)(d),(e) 8(6)(a),(b) |
| M10.24 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements technical controls to prevent one provider or their network from adversely affecting any other provider or their network. | 4(1) 4(2) 7(1) 7(4)(a)(i),(ii) 7(4)(b) 9(2)(c)(iii),(v) |
| M10.25 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements logical separation within the third party administrator network to segregate customer data and networks. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
| M10.26 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements separation between third party administrator management environments used for different provider networks. | 4(1)(a),(b) 4(2)(a),(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
| M10.27 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and enforce and/or ensure the third party administrator implements and enforces security enforcing functions at the boundary between the third party administrator network and the Gamma network or the Supplier network. | 4(1)(a),(b) 4(2)(a),(b) 4(4)(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
| M10.28 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements technical controls to limit the potential for users or systems to negatively impact more than one provider. | 4(1)(a),(b) 4(2)(a),(b) 4(4)(b) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
| M10.29 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements logically-independent privileged access workstations per provider. | 4(4)(a) 7(1) 7(4)(a)(i),(ii) 7(4)(b) |
| M10.30 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, implement and/or ensure the third party administrator implements independent administrative domains and accounts per provider. | 7(1) 7(4)(a)(i),(ii) |
| M10.33 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, monitor and audit and/or ensure the third party administrator monitors and audits the activities of the third party administrator’s staff when accessing the Gamma network. | 6(1) 6(2)(a),(b) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v) |
| M10.34 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, provide all logs relating to the security of its or the third party administrator’s network to the extent that such logs relate to access into the Gamma network. | 6(1) 6(2)(a),(b) 6(3)(a) 7(4)(a)(iii),(iv) 8(5)(d)(i),(ii) 9(1) 9(2)(c)(iv),(v) |
| M10.35 | The Supplier shall, when acting as a third party administrator or using the services of a third party administrator, ensure that its networks or the networks of the third party administrator that could impact Gamma undergo the same level of testing as Gamma applies to itself (as advised by Gamma from time to time). | 7(4)(a)(i),(iii) 14(1) 14(2) |
| M10.36 | The Supplier shall contractually require network equipment suppliers to share with them a ‘security declaration’ on how they produce secure equipment and ensure they maintain the equipment’s security throughout its lifetime. Any such declaration should cover all aspects described within the Vendor Security Assessment (VSA) (see Annex B of the TSA CoP), and the Supplier should encourage its suppliers to publish a response to the VSA. | 3(3)(a),(b),(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
| M10.37 | As part of the security declaration, any differences in process across product lines shall be recorded by the Supplier or the relevant equipment manufacturer. | 3(3)(a),(b) 3(3)(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
| M10.38 | The Supplier shall ensure that the network equipment supplier’s security declaration is signed off at an appropriate governance level by the Supplier or the relevant equipment manufacturer. | 3(3)(a),(b),(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
| M10.39 | Where the Supplier or the relevant equipment manufacturer claims to have obtained any internationally recognised security assessments or certifications of their equipment (such as Common Criteria or NESAS), the Supplier shall share with Gamma the full findings that evidence this assessment or certificate. | 3(3)(a),(b),(e) 7(4)(a)(i),(iii),(iv) 7(4)(b) |
| M10.40 | The Supplier shall, and shall ensure that the relevant equipment manufacturer shall, adhere to a standard no lower than the security declaration. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) |
| M10.41 | The Supplier shall supply up-to-date guidance on how the equipment should be securely deployed. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 13(2)(d)(i),(ii) |
| M10.42 | The Supplier shall support all equipment and all software and hardware subcomponents for the length of the Agreement. The Supplier shall notify Gamma of the date from which the equipment (or its subcomponents) will not be supported (end of support or EOS) at least three (3) years before the EOS date. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 13(2)(d)(i),(ii) |
| M10.43 | The Supplier shall provide details (product and version) of major third party components and dependencies in any equipment, including open source components and the period and level of support. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 13(2)(d)(i),(ii) |
| M10.44 | Where relevant to the Supplier’s or Gamma’s particular usage of equipment, the Supplier shall require third party suppliers to remediate all security issues that pose a security risk to Gamma’s network or service discovered within their products within a reasonable time of being notified, providing regular updates on progress in the interim. This shall include all products impacted by the vulnerability, not only the product for which the vulnerability was reported. | 3(3)(a),(b) 3(4) 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) 12(a) 12(c)(i),(ii) 15(1) 15(4) |
| M10.46 | The Supplier shall ensure that its contracts with third party suppliers allow details of security issues to be shared as appropriate to support the identification and reduction of the risks of security compromises occurring in relation to the public electronic communications network or public electronic communications service as a result of things done or omitted by such third party suppliers. | 7(1) 7(3)(a),(b) 7(4)(a)(i),(iv) 7(4)(c) |
| M10.47 | The Supplier shall deliver critical security patches for network equipment separately to feature releases, to maximise the speed at which the patch can be deployed. | 3(3)(a),(b) 3(4) 7(1) 7(4)(a)(i) 7(4)(c) 12(a) 12(c)(i),(ii) |

Any breach by the Supplier of this Schedule 1 shall be deemed a material breach of the Agreement.

Schedule 2 – Audit and Incident Management


Records and Right of Audit

1. The Supplier shall keep and maintain for seven (7) years (or as long a period as may be agreed between the Supplier and Gamma), full and accurate records of the security of the services provided by the Supplier.

2. The Supplier shall:

(i) keep the records referred to above in accordance with good industry practice and all relevant laws; and

(ii) afford Gamma or any auditor appointed by Gamma access to the records referred to above at the Supplier’s premises and/or provide copies of the same, and co-operate with Gamma or any such auditor as may be reasonably required by Gamma or such auditor from time to time, in order that Gamma and/or the auditor may carry out an inspection for the following purposes, namely to:

(a) verify the Supplier’s compliance with security and data protection legislation and Schedule 1;

(b) identify or investigate any breach or threatened breach of security and in these circumstances Gamma shall have no obligation to inform the Supplier of the purpose or objective of its investigations;

(c) verify the accuracy and completeness of any security information delivered or required by the Agreement;

(d) inspect the Supplier’s ICT environment (or any part of it) and the wider service delivery environment (or any part of it);

(e) review any security records created during the design and development of the Supplier’s systems and pre-operational environment such as information relating to testing (if applicable);

(f) review the Supplier’s quality management systems (including all relevant quality plans (if applicable) and any quality manuals and procedures) to the extent related to security requirements;

(g) review the Supplier’s compliance with any relevant security standards; and/or

(h) review the integrity, confidentiality and security of Gamma’s data.

(iii) assist Gamma in the completion by Gamma of the Vendor Security Assessment referred to in Annex B of the TSA CoP.

3. Gamma shall use reasonable endeavours to ensure that the conduct of each audit does not unreasonably disrupt the Supplier or delay the provision of the Supplier’s services save insofar as the Supplier accepts and acknowledges that control over the conduct of audits carried out by any auditor is outside of the control of Gamma.

4. Subject to the Supplier’s rights in respect of confidential information, the Supplier shall on demand provide Gamma and/or any auditor:

(i) all reasonable information requested by Gamma within the scope of the audit;

(ii) reasonable access to sites controlled by the Supplier and to any Supplier equipment used in the provision of the Services; and

(iii) access to the Supplier’s personnel.

5. The Supplier and Gamma agree that they shall each bear their own respective costs and expenses incurred in respect of compliance with their obligations hereunder, unless the audit reveals a default by the Supplier in which case the Supplier shall reimburse Gamma for Gamma’s reasonable costs incurred in relation to the audit.

6. In connection with any security certifications the Supplier may have, the Supplier shall promptly notify Gamma in the event the Supplier fails to recertify for such certifications or changes the scope of such certifications to a material extent.

7. The Supplier shall share with Gamma a ‘security declaration’ on how it (or the relevant equipment manufacturer) produces secure equipment and ensures that the equipment’s security is maintained throughout its lifetime. Any such declaration should cover all aspects described within the Vendor Security Assessment (“VSA”) (see Annex B of the TSA CoP), and the Supplier or the equipment manufacturer is encouraged to publish a response to the VSA.


Security Incident

8. The Supplier shall promptly and without delay, and in any event within 48 hours of becoming aware, alert and inform Gamma of any security incident affecting Gamma (including, but not limited to, any unauthorised or unlawful processing, loss of, damage to or destruction of Gamma’s data, a security compromise or where it identifies an increased risk of such a compromise occurring) suffered by the Supplier or by any agents, sub-contractors, affiliates or third parties to which Gamma’s data has been transferred or which may have access to Gamma’s systems and provide all necessary co-operation and assistance (within the timescales required by Gamma) to enable Gamma to comply with its obligations under any applicable laws and to reduce the impact of the incident on its business operations and reputation. The Supplier shall not inform any third party of the security breach affecting Gamma without first obtaining Gamma’s prior written consent, except when law or regulation requires it.

9. The Supplier shall support Gamma in investigations of incidents that cause or contribute to the occurrence of a security compromise in relation to Gamma, or of an increased risk of such a compromise occurring.

10. The Supplier shall find and report on the root cause of any security incident that could result in a security compromise in the UK within 30 days, and rectify any security failings found. Where the Supplier cannot quickly resolve security failings, the Supplier shall work with Gamma to ensure the issue is mitigated until resolved.

11. Where an equipment security issue discovered within the Supplier’s products provided to Gamma poses a security risk to Gamma’s network or service, the Supplier shall remediate such security issue within a reasonable time of being notified, providing regular updates on progress in the interim. This shall include all products impacted by the vulnerability, not only the product for which the vulnerability was reported.

12. In the event the Supplier fails to resolve security failings within a reasonable timeframe Gamma shall be entitled to terminate the affected Services and/or the Agreement without penalty.

Security Assessments and Penetration Testing

13. The Supplier shall carry out penetration testing of its systems, at the Supplier’s cost, at least once a year.

14. In addition to the rights of audit set out above, Gamma may at any time, on reasonable notice to the Supplier, review the Supplier’s previous security assessments and penetration tests of its systems. Following such a review, Gamma may, at its own cost, carry out its own penetration tests of the Supplier’s systems, taking into account the Supplier’s reasonable security requirements in doing so, and the Supplier shall assist Gamma with such penetration tests to the extent reasonably required by Gamma.

Third Party Administrator

15. When the Supplier acts as a third party administrator, Gamma shall have the right to control the members of the Supplier personnel who are involved in the provision of the third party administrator services, including to require the Supplier to ensure that any member of personnel no longer has access to the network.

General

16. Any breach by the Supplier of this Schedule 2 shall be deemed a material breach of the Agreement.

Schedule 3 – Exit Management

Upon termination of the Agreement, Gamma shall be entitled to require the Supplier, and in that event the Supplier shall be obliged, to continue providing equipment and/or services for a transition period of up to twelve (12) months (the “Exit Assistance Period”) by serving as much notice upon the Supplier as is reasonably practicable. During the Exit Assistance Period, all terms of this Agreement will continue to apply, including the relevant fees/charges, and the Supplier shall assist Gamma and/or any replacement supplier to the extent reasonably required to facilitate the smooth migration of the provision of the equipment and/or services to Gamma and/or the replacement supplier (“Exit Assistance”). Gamma may terminate the Exit Assistance Period at any time on no less than 30 days’ written notice to the Supplier. To the extent the Exit Assistance requires the Supplier to incur costs or employ resources beyond those incurred or employed by the Supplier in the normal course of providing the equipment and/or services, the Supplier may charge for such additional costs and resources on a time and materials basis.